How to protect your cloud storage files with EncFS

Douglas Crawford

Douglas Crawford

October 15, 2014

Cloud storage services are a very handy way to backup and share your data, but as the recent iCloud celebrity leaks (aka ‘The Fappening’) quite spectacularly demonstrated, although most services do encrypt you data, such services are always vulnerable to hackers.

In addition to this, most services encrypt your data for you, which means they hold the encryption keys, and can therefore decrypt the data (for example if required to do so by law enforcement or national security organizations).

‘Secure’ privacy orientated cloud services exist which offer end-to-end encryption, but as our recent roundup of them showed, most are not open source (so we just have to trust them not to send a copy of the keys anywhere they like), and anyway make (admittedly small) security concessions in exchange for convenience (an exception to both of these points is Cyphertite, which is open source and/but a backup-only service).

With the possible exception of Cyphertite, then, the only way to be sure that files saved to cloud storage are fully secure is to encrypt them yourself using open source software , so that you are guaranteed to be the only person holding the private encryption keys. Over the last few years the go-to software for this was TrueCrypt, but as confidence in this is now completely screwed, an alternative is needed.

In our recent look at Best open source alternatives to TrueCrypt we noted that AES Crypt was an easy way to encrypt individual files, which can then be uploaded to a cloud service. However, for batch and dynamic encryption of all files stored in a cloud service folder, nothing beats the ease and elegance of EncFS.


Platforms: Linux, Windows (using encfs4win), Android (using Cryptonite app). With a bit of effort it is possible to get EncFS to run in OSX .
Encryption: whatever libraries are available, usually Blowfish and AES. ‘Paranoid mode’ uses AES_256, ‘filename block encoding with IV chaining per file, external IV chaining, MAC block headers’
Pros: Easy to use, great for secure cloud storage, files encrypted individually
Cons: Filenames and file type are encrypted, but some metadata is not (date modified and file size). This is a consequence of the way EncFS encrypts files individually, so is not con per se (rather it is a feature), but users should be aware of the issue.

EncFS creates an encrypted volume, which is typically stored in a cloud storage folder (e.g. Dropbox) for easy cloud synching. This folder can be mounted locally as virtual drive, from where files can be accessed unencrypted, just as if they were files in a regular folder. When files are added to or changed in the virtual drive, they are encrypted and added to/changed in the encrypted folder.

An advantage when using EncFS to encrypt files kept in cloud storage is that (unlike TrueCrypt) each file in a volume is encrypted and stored individually, so a change to one file does not mean re-uploading an entire encrypted container.

So let’s have a look at EncFS in action…

EncFS how-to (using Windows 8.1 with Dropbox)

1. Download and unzip encfs4win. This does not require installation, but to run it you must also download and install the Dokan library – version 0.6 only (dokan-0.6.0).

2. Run encfsw.exe from the unzipped encfs4win folder, and a key icon will appear in your notification bar (if you can’t see it, click the little triangle to see all the notification bar icons). Click on the icon and select Open/Create.

encf4win 13. Create a new folder in your Dropbox folder. When this folder is mounted by EncFS, any files added to or modified in the mounted drive folder will be encrypted (or re-encrypted) and stored here. They can only be accessed unencrypted by mounting this folder in EncFS (which requires a password).

encfs4win 24. To access encrypted files in the folder you just set up, it must be mounted as a drive using EncFS. Choose a dive letter (one not otherwise in use), and a password for it (it is a good idea to use a program such as KeePass to generate a strong password).

encfs4win 3Paranoia mode is slower but more secure (AES 256)

5. Mount the encrypted folder as a drive by clicking on the EncFS icon and selecting ‘Mount , or navigate to it using the Open/Create dialog.

encfs4win 4Any EncFS encrypted folder can be mounted in this way if you have the password.

6. Enter your password.

encfs4win 57. The encrypted folder is mounted as a virtual drive (DOKAN ), where files can be accessed unencrypted, added, and modified, just like those in a regular folder. Changes made in this folder are reflected (encrypted) in the encrypted folder (which in our example is located in our Dropbox folder).

encfs4win 6The DOKAN virtual drive can be used as a regular Windows folder (you may also see encrypted versions of the files)

encfs4win 7All files stored/modified in the DOKAN virtual drive folder are encrypted and stored/modified in the EncFS folder

encfs4win 8Because we located the EncFS folder in our Dropbox folder, the encrypted files are uploaded to Dropbox

Here are some of things to remember:

  • For maximum security unmount the EncFS drive when not in use (EncFS key icon -> Unmount
  • To access files stored in an encrypted cloud folder from another computer you must download the folder to a local drive, then mount it using EncFS as described in Step 5.
  • Encrypted files are also stored locally, so EncFS can also be used for secure local storage

EncFS provides seamless on-the-fly cloud and local file encryption, while allowing you to work on files locally in a transparent manner.

Note that Linux users can find a great guide to using EncFS here, and look out for our upcoming look at Cryptonite, which brings EncFS to Android devices.

Exclusive Offer
Get NordVPN for only
Get NordVPN for only