EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. You can find links to source and binary releases below. EncFS is open source software, licensed under the GPL.
As with most encrypted filesystems, Encfs is meant to provide security against off-line attacks; ie your notebook or backups fall into the wrong hands, etc. The way Encfs works is different from the “loopback” encrypted filesystem support built into the Linux kernel because it works on files at a time, not an entire block device. This is a big advantage in some ways, but does not come without a cost.
See also the extended introduction page if you are new to EncFS.
If you need help, please use the encfs-users mailing list.
Warning: OpenSSL versioning is messy. Lots of changes occur even in minor letter updates (eg 0.9.8c -> 0.9.8d).
EncFS prompts the user for information, primarily when creating a new filesystem. EncFS prompts have been translated into many languages by volunteers. If your native language is not already supported, or only partially translated, please consider adding more translations online using the Rosetta interface.
Since the loss of Freshmeat, there is no longer an announcement site. A low volume mailing list may be created for this purpose.
See also the encfs man page (installed with encfs), or here
Note: Downloads are signed with my PGP key (2EAF4D80). RPM files have an embedded signature, and tar files have a detached signature (.asc). If you have a PGP key and have verified other’s keys, you can check for a chain of trust at PGP Pathfinder.
In addition to the releases below, the latest code is also from GitHub.
- add new IV initialization mode to foil watermark attack - see this 2010-08 analysis. The old IV setup is kept for backwards compatibility.
- enables per-block random bytes feature to be used independently of per-block MAC. Per-block random bytes (or MAC) is a workaround for issue #3 in the 2010-08 report above.
- 1.7.1 is the same as 1.7.0, but fixed missing header file in previous tarball.
- 1.7.2 fixes issues with passing certain mount options introduced in 1.7.0.
- 1.7.3 fixes bug with --reverse option setting which causes files to be stored incorrectly.
- 1.7.4 fixes chmod issue introduced in 1.7.3, affecting chmod usage in --public option.
- allow symlink times to be modified.
- try to maintain modtime during rename. Patch by p.kosseff.
- fix compiler errors from gcc 4.x.
- many build improvements for Mac OSX.
- add commands to help script filesystem creation.
- add multi-argument support to encfsctl encode/decode commands. Patch by Nikratio.
- support for boost > 1.41 (tested with boost 1.42 & boost 1.43).
Features / improvements:
- support GCC 4.3 compiler (issue 1)
- add new key derivation using OpenSSL's PBKDF2 with variable iteration count and 160 bit salt. Note that existing filesystems created by version 1.4.2 (using the XML config format) will be converted to use PBKDF2 automatically if the password is changed via encfsctl. The iteration count will be chosen to take approximatly 1/2 a second to compute in standard mode, or 3 seconds in paranoia mode.
Features / improvements:
- add option to pass-through file 'holes'. Only available in expert mode. (launchpad 202200)
- config file format changed to XML via boost serialization (config file is now .encfs6.xml)
- remove ulockmgr support, caused numerous locking issues. (launchpad 184966, 200685)
- fix symlink handling in encfsctl export (launchpad 201974)
- fix stdinpass option parsing, reported by Scott Hendrickson
- fix path suffix in encfsctl
- fix recursive directory rename bug introduced in 1.4.0 (launchpad bug 183358)
Features / improvements:
- add new options from 1.4.0 to man page
- return unencrypted link size on fstat of a symbolic link, otherwise git fails when working with symbolic links. Reported by Daniel Clemente
- chop off trailing newline from passwords passed via --stdinpass option (Launchpad bug 182214), patch by mpb.
- add on-demand mount option. Combined with external password prompting & idle timeout, this allows user to be prompted for a password when filesystem is accessed.
- reverse-encryption support by Keary Griffin, which produces an encrypted filesystem on-demand - useful in combination with rsync for creating a remote encrypted backup.
- run external password program via shell to allow passing arguments, patch by Liraz
- pass through -o options to FUSE, for mounting through fstab (Launchpad bug 108649)
- add -h option to encfssh, patch by Ryan Smith-Roberts
- fix failure to undo a failed directory rename (Launchpad bug 160214)
- don't close stderr when running in foreground
- Update to libfuse 2.6 API, adding lock support through ulockmgr.
- Replaced internal reference counting implementation with Boost C++ Library eliminating some complex (and potentially buggy) locking code.
- Encfs-users mailing list archives
- Bug Tracker for EncFS
- EncFS translation site hosted by Rosetta project
- Building on Mac OS X
- FreeBSD port - FreeBSD build of Encfs
- Debian package - Maintained by Eduard Bloch
- Cryptkeeper - tray applet for managing Encfs folders
- K-EncFS - KDE Application for Encfs
- PAM integration for EncFS - contributed by Anders Aagaard
- Linux Dev Center: April 2005