Few days ago I posted an article on my blog about using some kind of cryptographic system to protect my files on the cloud. I pointed to encfs as a long time user with some caviats and I wanted to substitute it with another more robust and secure system.
Easy to use (productivity wise) and system desktop integration are bonus points, so as an archlinux (antergos) user with kde and ubuntu user with gnome desktop I need some crypto that allows me to put some crypted file on the cloud (nextcloud, dropbox, ...) and keep it synced on all my computers.
As I wrote on the article, I read this comparison table to find out what to use.
encfs has been around here for so long, but has some minor problem that affects to cloud files. Nowdays is mantained but no longer developed. It's audited though.
cryfs was my first choice because using kde desktop it integrates really nicely with kde-vaults, so I just had to make it work on ubuntu. Here comes the problem because ubuntu's 18.04 cryfs current version is 0.9.9 AND archlinux's version is 0.10.0, and files are no backwards compatible (as I previously posted).
I could compile from source and forget the problem, but I prefer to keep this packages updated from a stable repo and with known default config.
So I decide to keep using encfs even knowing its problems (I think is enough to my purpose).
Fediverse comes to help
Long story short, I read the gocryptfs website documentation, the man pages from the package and I saw something that I notice it could be useful: you can pipeline the gocryptfs password from another shell script or "program" to the gocryptfs prompt, so I imagined an scenario where I could benefit from using password-store (gpg crypted password storing system) and send the result to gocryptfs.
Final Config (so far)
So I got the gocryptfs crypted storage password from my password-store and send it to gocryptfs script to mount the volume.
$ pass /path/to/gocryptfs_password
will prompt for your gpg key password you are using to secure your passwords
$ gocryptfs -extpass "pass /path/to/gocryptfs_password" ~/your_cloud/crypted_folder ~/Personal_clear_data
will equally prompt for you gpg password and send it to gocryptfs and then it automatically mount this "~/Personal_clear_data" folder on your home folder.
You then could use a long and secure password that you dont need to remember and just write your gpg password (that should be secure enough and DO NOT may want to store on your system (kde-wallet, seahorse, ...)
The next step is
Create an Alias
Alias are short names for shell comands.
~/.bashrc file adding
alias mountCFS='gocryptfs -extpass "pass /path/to/gocryptfs_password" ~/your_cloud/crypted_folder ~/Personal_clear_data && dolphin ~/Personal_clear_data'
This part opens this folder on dolphin, KDE's default file manager. You may use your own or ask for system's default (on kde) with
kfmclient exec ~/Personal_clear_data
$ source ~/.bashrc
Now just writing on a shell
will ask for your gpg password, mount the file system and open dolphin on this folder. You have autocomplete available on the shell, so using a good alias name (diferent from any other command) you may just write "mo" and then hit "tab" will complete the command.
Mount file system alternatives
- create desktop shortcut for the command
- use your desktop shortcut launcher (alt+f2 on KDE)
- using sirikali on both desktops
- create a /etc/fstab entry to mount on system start up (not recomended)
you should choose the option that you feel more comfortable with. Any sugestion? Please tell me ;-)
when you've finished working on your files you should unmount the Personal-clear-data volume. You will create another alias for this task.
alias umountCFS='fusermount -u ~/Personal_clear_data'
As usual I'll apreciate any sugestion or correction to this article and I'll try to answer any question you have. Please, help me to solve any grammar mistake I'd made on this article.
- How to encrypt files with gocryptfs on Linux with some insights of this system and possible caveats.