Cfcryptfs is an extensible encrypted filesystem implemented on FUSE (Filesystem in User Space) for linux, inspired by some excellent ideas from gocryptfs, encfs and securefs
As the value of data becomes more and more important, security of data is getting more and more attention. We want our critical private data to be safe and confidential, which means people without authorization should have no chance to access or tamper your data.
Further more, many people and companies choose to store their files and data on Internet storage services nowadays, such as Google Drive, AWS S3, Alibaba OSS and Alibaba NAS. Despite the greate convenience these Internet storage services bring to us, they also dramatically increase the risks like leak of confidential data, malicious tampering of data.
Using cfcryptfs can avoid these risks by encrypting your files and data in a total secure way before uploading them to those internet storage services. Also, the process of encryption and decryption is transparent to users and programs, which makes integration very simple.
Cfcryptfs now supports Linux and Mac OS X.
On Mac OS X, you have to install osxfuse. You can download dmg file for osxfuse, or install via Homebrew:
$ brew cask install osxfuse
You can directly download pre-built binary from Releases
You can also install cfcryptfs from source code. You have to install go tools first, see here
After that, execute commands below:
$ go get -u github.com/declan94/cfcryptfs
$ sudo cp `go env GOPATH`/bin/cfcryptfs /usr/local/bin
$ mkdir CIPHERDIR
$ cfcryptfs -init CIPHERDIR
You will have to choose the encryption method, block size and whether to encryption file path. After that, you need to enter a password, it's very important to remember your password.
$ mkdir PLAINDIR
$ cfcryptfs CIPHERDIR PLAINDIR
You will be asked to enter the password.
Now you can work in the PLAINDIR as usual, while your files will be encrypted and stored in CIPHERDIR automatically.
After unmount the filesystem by sudo umount PLAINDIR
, you can see PLAINDIR is actually still an empty directory.
You can sync your CIPHER dir with any Network Access Storage without worrying leak of your confidential data, and mount to anywhere with cfcryptfs when you want to use or modify your files.
Support multiple core encryption methods(DES/AES128/AES192/AES256). You can also create your own encryption methods by implementing corecrypter.CoreCrypter
interface. The 'example' subfolder gives some simple examples.
In some cases with extremely high security level, you may consider extend cfcryptfs using core encryption provided by some hardware devices.
Besides encryption methods, You can also choose different encryption block size, whether encrypt filepath, etc. This is important because different application and work environment often have different demands for the filesystem.
- Random IV for files and blocks provides random encryption pattern.
- HMAC signature for file header provides resistence to file mode tamper.
- HMAC signature with file IV and block id included in the key provides resistance to content tamper and block copying tamper.
- Generated IV from fullpath for filepath encryption provides resistance to file moving tamper. (in encrypted filepath mode)
- Provides two types of encryption key protection: 1) Using password to encrypt the key. 2) Using Shamir's Secret Sharing scheme to split key into multiple keyfiles.