-
Notifications
You must be signed in to change notification settings - Fork 376
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
✨ New tutorial - "Encrypting your files in the cloud using securefs" (#…
…1014) * Add tutorial * Spelling and formatting updates --------- Co-authored-by: svenja.michal <[email protected]>
- Loading branch information
1 parent
1812e5a
commit 632d21c
Showing
1 changed file
with
278 additions
and
0 deletions.
There are no files selected for viewing
278 changes: 278 additions & 0 deletions
278
tutorials/encrypting-your-files-in-the-cloud-using-securefs/01.en.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,278 @@ | ||
| --- | ||
| SPDX-License-Identifier: MIT | ||
| path: "/tutorials/encrypting-your-files-in-the-cloud-using-securefs" | ||
| slug: "encrypting-your-files-in-the-cloud-using-securefs" | ||
| date: "2024-12-13" | ||
| title: "Encrypting your files in the cloud using securefs" | ||
| short_description: "In this tutorial you will read how to use securefs to encrypt your files in a cloud storage and use it as a remote backup." | ||
| tags: ["FUSE", "EncFS", "backup"] | ||
| author: "wpdevelopment11" | ||
| author_link: "https://github.com/wpdevelopment11" | ||
| author_img: "https://avatars3.githubusercontent.com/u/85058595" | ||
| author_description: "" | ||
| language: "en" | ||
| available_languages: ["en"] | ||
| header_img: "header-2" | ||
| cta: "cloud" | ||
| --- | ||
|
|
||
| ## Introduction | ||
|
|
||
| If you want to upload your files into cloud storage it's probably a good idea to encrypt your files before you upload them. When you encrypt your files locally you don't need to trust a third-party provider to keep your files safe. Besides the popular cloud storage providers, you can encrypt and upload your files to your own cloud server (probably using rsync, for efficiency) and use it as a remote backup. | ||
|
|
||
| [Securefs](https://github.com/netheril96/securefs) is a FUSE (Filesystem in Userspace). You can mount this filesystem into a directory, like with other filesystems. This directory appears as a regular directory, where you can put and edit your files. But it doesn't really exist on disk, it's virtual. When you write (read) files in that directory they will be automatically encrypted (decrypted). You don't sync this directory with your cloud storage, it's only for you to work with your files. The underlying encrypted filesystem should be synced instead. | ||
|
|
||
| There are other programs that are based on the same concept, but have a different implementation. Notable examples are [gocryptfs](https://github.com/rfjakob/gocryptfs) and [CryFS](https://github.com/cryfs/cryfs). A comparison is available [here](https://nuetzlich.net/gocryptfs/comparison/). | ||
|
|
||
| Gocryptfs doesn't support Windows, but a [third-party implementation is available](https://github.com/bailey27/cppcryptfs). CryFS doesn't provide binaries for Linux. You need to install it using your package manager, which means you can get an outdated version. In summary, only securefs supports Windows and Linux and provides binaries for _both_ of them. | ||
|
|
||
| There is a feature called _reverse mode_ which allows you to create an encrypted view of your unencrypted directory without storing an encrypted copy on disk. This is useful, for example, if you want to store your files locally unencrypted, but want to encrypt them before syncing to the remote destination. This feature is only supported by gocryptfs. | ||
|
|
||
| **Prerequisites** | ||
|
|
||
| * A user with sudo privileges. | ||
| * AMD64 architecture, the binary for Arm64 is not available. | ||
| * A directory that is synced to your cloud storage | ||
|
|
||
| **Example terminology** | ||
|
|
||
| * Synced directory: `~/Cloud` | ||
|
|
||
| Usually when you're using a cloud storage provider you have a special folder which is automatically synced to the cloud and vice versa. Replace the example directory name with your own. | ||
|
|
||
| ## Step 1 - Installing and using securefs on Linux | ||
|
|
||
| ### Step 1.1 - Installation | ||
|
|
||
| Securefs depends on `libfuse2` to run. On Ubuntu 22.04 the package name you need to install is `libfuse2`, but on Ubuntu 24.04 it was renamed to `libfuse2t64`. | ||
|
|
||
| Additionally, you need to install the `unzip` package. | ||
|
|
||
| On Ubuntu 24.04 run the following command to install the required packages: | ||
|
|
||
| ```bash | ||
| sudo apt update && sudo apt install libfuse2t64 unzip | ||
| ``` | ||
|
|
||
| Run the commands below to download and install the latest release of `securefs` system-wide: | ||
|
|
||
| ```bash | ||
| release_zip=$(mktemp) | ||
| curl -fLo "$release_zip" https://github.com/netheril96/securefs/releases/latest/download/securefs-linux-amd64-release.zip \ | ||
| && sudo unzip -d /usr/local/bin "$release_zip" securefs \ | ||
| && sudo chmod 755 /usr/local/bin/securefs | ||
| rm -f "$release_zip" | ||
| ``` | ||
|
|
||
| Now, check that `securefs` is installed properly: | ||
|
|
||
| ```bash | ||
| securefs version | ||
| ``` | ||
|
|
||
| <details> | ||
|
|
||
| <summary>If you see an error.</summary> | ||
|
|
||
| If you see an error like this: | ||
|
|
||
| ``` | ||
| securefs: error while loading shared libraries: libfuse.so.2: cannot open shared object file: No such file or directory | ||
| ``` | ||
|
|
||
| You need to install the `libfuse2` library, which is described above. | ||
|
|
||
| --- | ||
|
|
||
| </details> | ||
|
|
||
| If you need to update `securefs`, repeat [step 1.1](#step-11-installation) again. | ||
|
|
||
| ### Step 1.2 - Using securefs with cloud storage | ||
|
|
||
| First of all, you need to create an encrypted filesystem, where your files will be stored. | ||
|
|
||
| Execute the command below to create a securefs filesystem: | ||
|
|
||
| * Replace `~/Cloud` with a path to the directory which is synced to your cloud storage. This directory should exist. | ||
|
|
||
| * You will be asked for a password, provide a strong one. | ||
|
|
||
| To create a strong password which is easy to remember you can use the [Diceware method](https://theworld.com/~reinhold/diceware.html) with [EFF's word list](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt). | ||
|
|
||
| ```bash | ||
| securefs create ~/Cloud/securefs_backup | ||
| ``` | ||
|
|
||
| > **Note:** | ||
| > To discover available options for the `create` subcommand, run `securefs create --help | less`. | ||
| To work with your files, you need to mount the securefs filesystem created previously. | ||
|
|
||
| Open a new terminal window or tab and execute the following command: | ||
|
|
||
| * `~/Cloud/securefs_backup` is where securefs filesystem resides. Files in this directory are encrypted. | ||
| * `~/backup` is where your unencrypted files will be available for you to work with. | ||
|
|
||
| Replace `~/backup` with any path you like, but this directory should be empty or not exist, when you execute the `mount` subcommand. | ||
| Or you will get an error: "mountpoint is not empty". | ||
|
|
||
| ```bash | ||
| securefs mount ~/Cloud/securefs_backup ~/backup | ||
| ``` | ||
|
|
||
| > **Note:** | ||
| > Your current terminal will be blocked until the filesystem is unmounted. To unmount the filesystem press `Ctrl + C`. Or execute `fusermount -u ~/backup` in another terminal. | ||
| <br> | ||
|
|
||
| > **Note:** | ||
| > You can mount the securefs filesystem in the background, by executing the command below: | ||
| > ```bash | ||
| > securefs mount -b --log ~/.securefs.log ~/Cloud/securefs_backup ~/backup | ||
| > ``` | ||
| > The log file will be stored in your home directory. If you don't specify `--log`, then `securefs mount` will not report any errors and silently fail, if you provided the wrong password, for example. Inspect the log with `less ~/.securefs.log`. | ||
| > | ||
| > To unmount execute: | ||
| > ```bash | ||
| > fusermount -u ~/backup | ||
| > ``` | ||
| To list all securefs filesystem which are currently mounted, you can use the following command: | ||
| ```bash | ||
| df --output=source,target -t fuse.securefs | ||
| ``` | ||
| Now, you can work with your files in the `~/backup` directory. All your changes will be synced to the cloud. Then you can mount the same filesystem on a different device. Simultaneous mounting and file manipulations on multiple devices are not supported though. Before mounting and working with your files on another device, unmount the filesystem on a previous device and sync with the cloud on both devices. | ||
| You can work with your files as usual, for example, create a file for your notes: | ||
| ```bash | ||
| nano ~/backup/notes.txt | ||
| ``` | ||
| Although `~/backup` behaves like a regular directory, it doesn't occupy any space on disk. It's virtual and only presents an unencrypted view of an encrypted filesystem in the `~/Cloud/securefs_backup` directory. | ||
| ### Step 1.3 - Using securefs with rsync | ||
| Instead of using a cloud storage provider you can use your own cloud server to create a remote encrypted backup. | ||
| Read [step 1.2](#step-12-using-securefs-with-cloud-storage) to get the basic idea how to work with securefs. The only difference is that you need to manually sync your changes to the remote server using `rsync`. | ||
| First, create a securefs filesystem as described in [step 1.2](#step-12-using-securefs-with-cloud-storage): | ||
| ```bash | ||
| securefs create ~/securefs_backup | ||
| ``` | ||
| Next, you can mount it in `~/backup`: | ||
| ```bash | ||
| securefs mount ~/securefs_backup ~/backup | ||
| ``` | ||
| Now, you can put your files that you want to backup in `~/backup`. When you're done you can update your remote backup by syncing the `~/securefs_backup` directory to the remote server using `rsync`: | ||
| * **Be careful** when you specify the local and remote directory to sync. | ||
| [`--delete`][rsync_delete] will delete all files in the remote directory that are not present in the local directory. In the example, the `securefs_backup` directory gets synced between the home directories of the local and remote users. | ||
| * [`-r`][rsync_recursive] option is needed to copy nested directories, not just files. | ||
| * [`-t`][rsync_times] option will preserve modification times, which is needed for subsequent syncs to be efficient. | ||
| * Replace `holu` with your username on the remote server, and `10.0.0.1` with its IP address. | ||
| ```bash | ||
| rsync --delete -rt ~/securefs_backup/ [email protected]:securefs_backup/ | ||
| ``` | ||
| [rsync_delete]: https://download.samba.org/pub/rsync/rsync.1#opt--delete | ||
| [rsync_recursive]: https://download.samba.org/pub/rsync/rsync.1#opt--recursive | ||
| [rsync_times]: https://download.samba.org/pub/rsync/rsync.1#opt--times | ||
|
|
||
| ## Step 2 - Installing and using securefs on Windows | ||
|
|
||
| ### Step 2.1 - Installation | ||
|
|
||
| **Installing dependencies** | ||
|
|
||
| To be able to run `securefs`, you need to install two packages: | ||
|
|
||
| * Go to the [latest WinFsp release](https://github.com/winfsp/winfsp/releases/latest). Download the `.msi` file and install it. | ||
| * Download the [latest Microsoft Visual C++ Redistributable](https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist#latest-microsoft-visual-c-redistributable-version) for X64 architecture and install it. | ||
|
|
||
| **Installing securefs on Windows** | ||
|
|
||
| Run the following commands in PowerShell. Add path that is printed in your terminal to your [system `PATH` environment variable](https://community.hetzner.com/tutorials/obfuscating-wireguard-using-wstunnel#step-32---windows-client). | ||
|
|
||
| ```powershell | ||
| curl.exe -fLo "$HOME\securefs.zip" https://github.com/netheril96/securefs/releases/latest/download/securefs-windows-amd64-release.zip | ||
| Expand-Archive "$HOME\securefs.zip" "$HOME\securefs" | ||
| rm "$HOME\securefs.zip" | ||
| echo "$HOME\securefs" | ||
| ``` | ||
|
|
||
| Open a new PowerShell window and run: | ||
|
|
||
| ```bash | ||
| securefs version | ||
| ``` | ||
|
|
||
| to check that `securefs` is installed properly. | ||
|
|
||
| ### Step 2.2 - Using securefs on Windows | ||
|
|
||
| Read [step 1.2 for Linux](#step-12-using-securefs-with-cloud-storage). Everything described there applies to Windows as well, except that background mounting is not supported on Windows. | ||
|
|
||
| You need to create an encrypted filesystem. Open PowerShell and run the following command to create a new filesystem: | ||
|
|
||
| * Replace `Cloud` with a directory that is synced to your cloud storage. It's usually in your user's home directory. This directory should exist. | ||
|
|
||
| ```powershell | ||
| securefs create "$HOME\Cloud\securefs_backup" | ||
| ``` | ||
|
|
||
| Mount the encrypted filesystem to the `backup` directory to be able to work with your files: | ||
|
|
||
| * Replace `backup` with any name you like. This directory should be empty or not exist. | ||
|
|
||
| ```powershell | ||
| securefs mount "$HOME\Cloud\securefs_backup" "$HOME\backup" | ||
| ``` | ||
|
|
||
| As you modify your files in the `~\backup` directory, their encrypted versions will be synced to the cloud. | ||
|
|
||
| ## Conclusion | ||
|
|
||
| Using a securefs filesystem is a good way to ensure that your files are safe, even if you're using a cloud storage provider that you don't trust. Hopefully you know the basics of securefs now. | ||
|
|
||
| To learn more, read the [`usage.md`](https://github.com/netheril96/securefs/blob/master/docs/usage.md) which describes all available commands and options. | ||
|
|
||
| ##### License: MIT | ||
|
|
||
| <!-- | ||
| Contributor's Certificate of Origin | ||
| By making a contribution to this project, I certify that: | ||
| (a) The contribution was created in whole or in part by me and I have | ||
| the right to submit it under the license indicated in the file; or | ||
| (b) The contribution is based upon previous work that, to the best of my | ||
| knowledge, is covered under an appropriate license and I have the | ||
| right under that license to submit that work with modifications, | ||
| whether created in whole or in part by me, under the same license | ||
| (unless I am permitted to submit under a different license), as | ||
| indicated in the file; or | ||
| (c) The contribution was provided directly to me by some other person | ||
| who certified (a), (b) or (c) and I have not modified it. | ||
| (d) I understand and agree that this project and the contribution are | ||
| public and that a record of the contribution (including all personal | ||
| information I submit with it, including my sign-off) is maintained | ||
| indefinitely and may be redistributed consistent with this project | ||
| or the license(s) involved. | ||
| Signed-off-by: wpdevelopment11 [email protected] | ||
| --> |