Why another implementation of EncFS?
There are other implementations of EncFS, but all of them have serious drawbacks:
- The orignal EncFS only exists on Linux
- The Windows port encfs4win is marked as experimental, and the GUI could be improved. Furthermore, encfs4win uses Dokan for mounting a file system, and Dokan has not been updated in 3 years while still having multiple issues.
- There are ports of EncFS to OS X (see here and here), but none of them are easy to install, and they don't have GUIs
- BoxCryptor is a commercial software with a free version. The free version only supports a single volume. Volumes created by BoxCryptor classic can be read by EncFS clients, but BoxCryptor classic does not support all features of EncFS. The newer versions of BoxCryptor (non-classic) are incompatible to EncFS.
What are the limitations of EncFSMP?
Compared to other implementations/ports of EncFS, the limitations of EncFSMP are:
- Links (hard/soft links) are not supported
- Only very limited access control is supported. In general, a file can only be read-only or not.
- On Windows, ACLs are not supported, the "Archive", "System" and "Hidden" flags are not supported
- On OS X, the "Unchangeable flag" is supported and is mapped to file modes (chmod). That means, if you protect a file via the finder, implicitly also the file modes are changed. Also, if you issue "chmod u-w file", it is also protected (the unchangeable flag is set).
- Only one file and directory date is stored, the last modification date. The last access date and the creation date are not stored, the last modification date is used instead.
How is EncFS different from TrueCrypt and other disk-encryption software?
TrueCrypt encrypts whole partitions, or creates encrypted containers for disk partitions in a single file. That means, you have to decide how big the partition/file will be before you can use it, and it can't be changed easily later. EncFS folders on the other hand only take up as much space as they need and grow when new files are added.
EncFS however can't encrypt whole partitions, for example the boot partition.
How secure is EncFSMP?
Here we have to differentiate between EncFS (the way how files stored in a EncFS folder are encrypted) and EncFSMP (this program).
The data stored in EncFS folders with EncFSMP are pretty safe in the most common usage scenario: Your computer is not compromised by viruses/keyloggers/backdoors, and the password is not known to the attacker.
For a discussion on the security of EncFS, please see this security audit. The bottom line of the audit (as I understand it) is that files stored in EncFS are safe, with two exceptions:
- When a single file is updated many times, and an attacker has access to many encrypted versions of this file, it might be easier to crack the password
- The encrypted version of a directory reveals the amount of files and the approximate file sizes
EncFSMP does not protect itself very well from attackers on the same computer. This means that the password of an EncFS folder can appear in the paging file or in the hibernation file, and it is visible by a debugger. In my opinion, if your computer is compromised, any security measures are futile.
EncFSMP allows the user to store the password of an EncFS folder on
If you select this option, the password can be read by anyone with physical access to this computer. Therefore I recommend to use a password management program like KeePass.
Why is accessing an EncFS folder so slow?
There are different aspects to this, and different reasons.
- Accessing a file (reading or writing) is slightly slower than on a regular file system because of the encryption/decryption involved. When the computer is fast, this should not make a big difference.
- Opening a directory (via Windows explorer, for example) is slower than a normal file system.
- File deletion: File deletion is very slow, because of the way EncFSMP handles file deletions: The file is first renamed, and only later physically deleted. It is implemented this way because of a requirement from PFM, in order to be able to "undo" a deletion.
- File or directory renaming: Depending on the settings of the EncFS folder ("Chained IV" and/or "External IV" enabled), renaming is very slow. When a directory is renamed, all children (directories and files within the renamed directory) have to be renamed as well.
Tips for increasing the speed while accessing EncFS folders
Especially when the encrypted EncFS folder lies on a network share, accessing an EncFS folder via EncFSMP can be slow. Here are some tips to increase the speed:
- Use different settings: Instead of using the standard settings, switch off "Chained IV" and "Unique IV" when creating an EncFS folder.
- Windows-only: Disable Thumbnail generation. When opening a folder with Windows Explorer, all media files (images, videos) are opened to generate thumbnail. On network shares, this can be very slow. Thumbnail generation can be disabled in the Group Policy Editor (not available in all Windows editions). Open gpedit.msc as Administrator, go to User Configuration -> Administrative Templates -> Windows Components -> Windows Explorer and enable the setting "Turn off the display of thumbnails and only display icons on network folders". See also the following web page: How to tell Windows Explorer not to request file details and thumbnails in certain folder?
- Disable Anti-Virus programs temporarily or selectively. Although it is not recommended, disabling Anti-Virus software might also increase the speed of EncFS folders. When accessing encrypted files, the Anti-Virus program has to scan both the encrypted and the unencrypted version.
As usual, you are making these changes at your own risk. Only apply those changes when you know what you're doing.
EncFSMP does not seem to work on OS X 10.10 Yosemite/10.11 El Capitan
Please update to the newest version of EncFSMP, and also install the bundled PFM. This PFM version is signed with an Apple developer ID and works therefore without the workarounds described below.
For historical reasons, I am leaving these workarounds in this list
for the time being:
Apple has decided to make kernel extension signing mandatory starting with OS X 10.10 Yosemite. Since the PFM (PismoTech File Mount) kernel extension which is used by EncFSMP is not signed, EncFS folders can't be mounted on OS X 10.10.
For OS X 10.10, there is a workaround described here: How can I disable kext signing in Mac OS X 10.10 Yosemite?
Here's my summary of the procedure:
- Open a terminal window. Check whether the boot-arg variable is
- f no ("nvram: Error getting variable - 'boot-args':
(iokit/common) data was not found"), issue the command:
sudo nvram boot-args=kext-dev-mode=1
If yes, add the previous settings like this:
sudo nvram boot-args=kext-dev-mode=1,previous-setting=value
Reboot afterwards to activate the setting.
To delete the setting:
sudo nvram -d boot-args
For OS X 10.11 El Capitan, the previous procedure does not seem to work. Instead, perform the following steps (thanks for user A. Scheblein for pointing it out to me):
- Reboot into recovery mode (hold command-R during boot)
- Go to utilities and select terminal
- Type "csrutil disable; reboot"
The system will reboot and then you can proceed with running the PFM install script and dragging the EncFSMP application to the applications folder.
You are making these changes at your own risk. Only apply those changes when you know what you're doing.
I can't open PDF files with Acrobat Reader (permission denied/access denied)
Acrobat Reader has a new "protected mode", which does all kinds of strange things with the drive which are not supported by PFM and EncFSMP. You have the following options:
- Disable protected mode
- Use another PDF reader
- Copy the PDF files from the EncFSMP folder to another drive, like C:\ and open them from there
Is there a portable version of EncFSMP?
The core application EncFSMP can be run without installation. The
filesystem component (Pismo File Mount) however requires an
installation. That means, with the "portable" version it is not
possible to mount encfs folders. It is possible to export them via
the Export menu.
I don't release a portable version of EncFSMP, since this is a too serious limitation, and EncFSMP still writes its settings to the registry.
All applications which are similar to EncFSMP need to be installed because of the file system drivers. There is one exception which uses the workaround via a WebDAV server: The application called "Safe", see the homepage here.