Friday, February 21, 2014

Secure cloud data storage with Dropbox and Encfs

Update 23/09/2020: Enfs is outdated and Dropbox has dropped support for anything but Ext4 on Linux. I've developed a much better solution now. Check out Datalisk. It's a very rebust file sync tool with state of the art end-to-end encryption and multi-platform support.

I have long been searching for a good solution for keeping my personal data safe. Safe as in safe from data loss and save from having another party reading it. Now I believe I've found an excellent solution using Dropbox and Encfs (on Linux).

My requirements are:

  • all my personal data should reside encrypted on my hard-drive (so I'm independent of some remote service)
  • the data should be continously synced to a remote location (as a backup)
  • using that remote storage I want to keep my data in sync on two or three computers
  • my data should only be given to a remote service in an encrypted form

Requirements 2 and 3 are calling for Dropbox (or similar solutions). The problem is how to store it safeley there. Dropbox is always able to read the data they have stored for you.

An ellegant solution is using EncFS on your computer.

It transparently encrypts files, using an arbitrary directory as storage for the encrypted files. Two directories are involved in mounting an EncFS filesystem: the source directory, and the mountpoint. Each file in the mountpoint has a specific file in the source directory that corresponds to it. The file in the mountpoint provides the unencrypted view of the one in the source directory. Filenames are encrypted in the source directory.

Since every local file has an encrypted counterpart it can be easily synced with Dropbox. For my personal data the EncFS source directory is /data/markus-data-encfs On log-in it is automatically mounted to /home/markus/data

My log-in password also serves as the encryption key for EncFS. Just install the pam_mount library and add this line to /etc/security/pam_mount.conf.xml:

<volume user="markus" fstype="fuse" path="encfs#/data/markus-data-encfs" mountpoint="/home/markus/data" options="nonempty" />

Make sure that is included in /etc/pam.d/common-session and common-auth.

Finally, I only need to set-up a symbolic link from my Dropbox to /data/markus-data-encfs to have all my private data synced via Dropbox. All completely secure.