Encypting folders in OS X with encfs

encfs is a user level file system that provides encryption of files. It’s not the strongest form of encryption, so I would not suggest using it if you need very high security. It works with Fuse to allow mounting encrypted folders as if they were a remote drive. The result is an easy to use method of creating a space to store sensitive data, but without creating a monolithic disk image that has to be backed up in it’s entirety every time it gets touched. I had been using an encrypted disk image for this for a few years now, and the load on Time Machine or, in my case, Crash Plan, is pretty high. Also, this system will allow you to create an encrypted space in dropbox or other cloud storage system.

First, some caveats. If you do this and lose your password, you lose access to the encrypted files. Period. No ifs, ands, or butts. I strongly suggest that you also make an unecrypted copy of these files on a DVD or external drive that you can physically secure and do so on a regular basis. Finally, I can’t really say whether doing this is better or worse than other approaches, but it seems to be a good idea to me.


I used to use OSXFuse on github to get fuse, but since I’ve started using Brew, I just use that to install encfs, and that installs fuse as a dependency. If you use brew, I do recommend running and managing it from an account other than your primary login, since that will help prevent badness from happening by accident.

To make encrypted folders, you run encfs with a directory for the storage of the encrypted files, and a directory to use as a mount point. For example:

mkdir ~/Crypt
encfs /Users/hays/.Crypt /Users/hays/Crypt

will make an encrypted folder that can be mounted to ~/Crypt as a fuse drive. In a shell, that folder will ~/Crypt, but in Finder, it will appear as OSXFUSE volume 0 (encfs) in that same dir. If you drag that folder to the Finder’s sidebar, it will reappear there each time you mount the encrypted volume.

You may find this a little confusing at first–the key thing to remember is that any files that you place directly in the .Crypt folder will not be encrypted–the encryption occurs when you put files and folder into the mounted FUSE volume, and the encrypted files are stored in the .Crypt folder.

encfs -i 20 /Users/hays/.Crypt /Users/hays/Crypt

You’ll be prompted for a password, eh voilà!

Examples of Uses

I used encfs to store files in cloud storage like Dropbox. This works well, but you need to create your encrypted storage inside the cloud drive, and create the mount point outside of the cloud storage–if you create the mount point inside the cloud folder, when you mount the encrypted folder, the cloud app will see that as a new folder, and will sync those files to the cloud.

Another thing I use encfs for is to securely store my ssh keys. If you use .ssh as a mount point, you can mount a folder containing your encrypted keys. When you mount that folder to .ssh, the keys are available. Dismount, and they are encrypted.

Again, I want to stress that it is important to keep backups of whatever data you encypt in this manner–a while ago I spent about an hour in a cold sweat trying to remember my password for an encypted disk image that contained my tax data.

This entry was posted in Security. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s