Introduction
If you want to upload your files into cloud storage it's probably a good idea to encrypt your files before you upload them. When you encrypt your files locally you don't need to trust a third-party provider to keep your files safe. Besides the popular cloud storage providers, you can encrypt and upload your files to your own cloud server (probably using rsync, for efficiency) and use it as a remote backup.
Securefs is a FUSE (Filesystem in Userspace). You can mount this filesystem into a directory, like with other filesystems. This directory appears as a regular directory, where you can put and edit your files. But it doesn't really exist on disk, it's virtual. When you write (read) files in that directory they will be automatically encrypted (decrypted). You don't sync this directory with your cloud storage, it's only for you to work with your files. The underlying encrypted filesystem should be synced instead.
There are other programs that are based on the same concept, but have a different implementation. Notable examples are gocryptfs and CryFS. A comparison is available here.
Gocryptfs doesn't support Windows, but a third-party implementation is available. CryFS doesn't provide binaries for Linux. You need to install it using your package manager, which means you can get an outdated version. In summary, only securefs supports Windows and Linux and provides binaries for both of them.
There is a feature called reverse mode which allows you to create an encrypted view of your unencrypted directory without storing an encrypted copy on disk. This is useful, for example, if you want to store your files locally unencrypted, but want to encrypt them before syncing to the remote destination. This feature is only supported by gocryptfs.
Prerequisites
- A user with sudo privileges.
- AMD64 architecture. The binary for Arm64 is not available.
- A directory that is synced to your cloud storage.
Example terminology
- Synced directory: ~/Cloud
Usually when you're using a cloud storage provider you have a special folder which is automatically synced to the cloud and vice versa. Replace the example directory name with your own.
Step 1 - Installing and using securefs on Linux
Step 1.1 - Installation
Securefs depends on libfuse2 to run. On Ubuntu 22.04 the package name you need to install is libfuse2, but on Ubuntu 24.04 it was renamed to libfuse2t64.
Additionally, you need to install the unzip package.
On Ubuntu 24.04 run the following command to install the required packages:
sudo apt update && sudo apt install libfuse2t64 unzip
Run the commands below to download and install the latest release of securefs system-wide:
release_zip=$(mktemp)
curl -fLo "$release_zip" https://github.com/netheril96/securefs/releases/latest/download/securefs-linux-amd64-release.zip \
&& sudo unzip -d /usr/local/bin "$release_zip" securefs \
&& sudo chmod 755 /usr/local/bin/securefs
rm -f "$release_zip"
Now, check that securefs is installed properly:
securefs version
If you see an error like this:
securefs: error while loading shared libraries: libfuse.so.2: cannot open shared object file: No such file or directory
You need to install the libfuse2 library, which is described above.
If you need to update securefs, repeat step 1.1 again.
Step 1.2 - Using securefs with cloud storage
First of all, you need to create an encrypted filesystem, where your files will be stored.
Execute the command below to create a securefs filesystem:
- Replace ~/Cloud with a path to the directory which is synced to your cloud storage. This directory should exist.
- You will be asked for a password, provide a strong one. To create a strong password which is easy to remember you can use the Diceware method with EFF's word list.
securefs create ~/Cloud/securefs_backup
Note: To discover available options for the create subcommand, run securefs create --help | less.
To work with your files, you need to mount the securefs filesystem created previously.
Open a new terminal window or tab and execute the following command:
- ~/Cloud/securefs_backup is where the securefs filesystem resides. Files in this directory are encrypted.
- ~/backup is where your unencrypted files will be available for you to work with. Replace ~/backup with any path you like, but this directory should be empty or not exist when you execute the mount subcommand. Otherwise you will get an error: "mountpoint is not empty".
securefs mount ~/Cloud/securefs_backup ~/backup
Note: Your current terminal will be blocked until the filesystem is unmounted. To unmount the filesystem press Ctrl + C, or execute fusermount -u ~/backup in another terminal.
Note: You can mount the securefs filesystem in the background, by executing the command below:
securefs mount -b --log ~/.securefs.log ~/Cloud/securefs_backup ~/backup
The log file will be stored in your home directory. If you don't specify --log, then securefs mount will not report any errors and silently fail, if you provided the wrong password, for example. Inspect the log with less ~/.securefs.log.
To unmount execute:
fusermount -u ~/backup
To list all securefs filesystems which are currently mounted, you can use the following command:
df --output=source,target -t fuse.securefs
Now, you can work with your files in the ~/backup directory. All your changes will be synced to the cloud. Then you can mount the same filesystem on a different device. Simultaneous mounting and file manipulations on multiple devices are not supported though. Before mounting and working with your files on another device, unmount the filesystem on the previous device and sync with the cloud on both devices.
You can work with your files as usual, for example, create a file for your notes:
nano ~/backup/notes.txt
Although ~/backup behaves like a regular directory, it doesn't occupy any space on disk. It's virtual and only presents an unencrypted view of an encrypted filesystem in the ~/Cloud/securefs_backup directory.
Step 1.3 - Using securefs with rsync
Instead of using a cloud storage provider you can use your own cloud server to create a remote encrypted backup.
Read step 1.2 to get the basic idea of how to work with securefs. The only difference is that you need to manually sync your changes to the remote server using rsync.
First, create a securefs filesystem as described in step 1.2:
securefs create ~/securefs_backup
Next, you can mount it in ~/backup:
securefs mount ~/securefs_backup ~/backup
Now, you can put the files that you want to back up in ~/backup. When you're done you can update your remote backup by syncing the ~/securefs_backup directory to the remote server using rsync:
- Be careful when you specify the local and remote directory to sync. --delete will delete all files in the remote directory that are not present in the local directory. In the example, the securefs_backup directory gets synced between the home directories of the local and remote users.
- The -r option is needed to copy nested directories, not just files.
- The -t option will preserve modification times, which is needed for subsequent syncs to be efficient.
- Replace holu with your username on the remote server, and 10.0.0.1 with its IP address.
rsync --delete -rt ~/securefs_backup/ holu@10.0.0.1:securefs_backup/
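A guarded version of the rsync step, as an added example that is not part of the original tutorial or the securefs project. It refuses to sync while the mount point is still mounted (a conservative assumption, so that no file is mid-write), refuses an empty source directory, and previews --delete with a dry run. safe_sync, MAX_DELETIONS and the sample data are hypothetical names and constructed values.

```shell
#!/usr/bin/env bash
# Added example: guarded version of the rsync step. Not securefs project code.

# Constructed sample inputs for checking the two parsers below offline.
SAMPLE_DF='securefs /home/holu/backup'
SAMPLE_DRY_RUN='*deleting   a1b2/old.bin
<f+++++++++ c3d4/new.bin
*deleting   e5f6/'

# Mounted securefs filesystems as "source target" lines (df call from step 1.2).
list_securefs_mounts() {
    df --output=source,target -t fuse.securefs 2>/dev/null | tail -n +2
}

# Succeeds if the mount listing on stdin has $1 as a mount point (target).
is_mounted() {
    local want=${1%/} source target
    while read -r source target; do
        [ "${target%/}" = "$want" ] && return 0
    done
    return 1
}

# Counts the deletions in "rsync -n -i" output read from stdin.
count_deletions() {
    grep -c '^\*deleting' || true
}

# safe_sync <data_dir> <mountpoint> <remote>; MAX_DELETIONS is a hypothetical knob.
safe_sync() {
    local data=${1%/} mnt=$2 remote=$3 n
    if list_securefs_mounts | is_mounted "$mnt"; then
        echo "still mounted; run: fusermount -u $mnt" >&2; return 1
    fi
    # An empty source combined with --delete would wipe the remote backup.
    if [ ! -d "$data" ] || [ -z "$(ls -A "$data")" ]; then
        echo "refusing to sync: $data is missing or empty" >&2; return 1
    fi
    # Dry run first (-n) with itemized output (-i) to preview deletions.
    n=$(rsync --delete -rt -n -i "$data/" "$remote" | count_deletions)
    if [ "$n" -gt "${MAX_DELETIONS:-20}" ]; then
        echo "dry run would delete $n remote entries; aborting" >&2; return 1
    fi
    rsync --delete -rt "$data/" "$remote"
}
```

Source the file and call safe_sync ~/securefs_backup ~/backup holu@10.0.0.1:securefs_backup/ in place of the plain rsync command.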
Step 2 - Installing and using securefs on Windows
Step 2.1 - Installation
Installing dependencies
To be able to run securefs, you need to install two packages:
- Go to the latest WinFsp release. Download the .msi file and install it.
- Download the latest Microsoft Visual C++ Redistributable for X64 architecture and install it.
Installing securefs on Windows
Run the following commands in PowerShell. Add the path that is printed in your terminal to your system PATH environment variable.
curl.exe -fLo "$HOME\securefs.zip" https://github.com/netheril96/securefs/releases/latest/download/securefs-windows-amd64-release.zip
Expand-Archive "$HOME\securefs.zip" "$HOME\securefs"
rm "$HOME\securefs.zip"
echo "$HOME\securefs"
Open a new PowerShell window and run:
securefs version
to check that securefs is installed properly.
Step 2.2 - Using securefs on Windows
Read step 1.2 for Linux. Everything described there applies to Windows as well, except that background mounting is not supported on Windows.
You need to create an encrypted filesystem. Open PowerShell and run the following command to create a new filesystem:
- Replace Cloud with a directory that is synced to your cloud storage. It's usually in your user's home directory. This directory should exist.
securefs create "$HOME\Cloud\securefs_backup"
Mount the encrypted filesystem to the backup directory to be able to work with your files:
- Replace backup with any name you like. This directory should be empty or not exist.
securefs mount "$HOME\Cloud\securefs_backup" "$HOME\backup"
As you modify your files in the ~\backup directory, their encrypted versions will be synced to the cloud.
Conclusion
Using a securefs filesystem is a good way to ensure that your files are safe, even if you're using a cloud storage provider that you don't trust. Hopefully you know the basics of securefs now.
To learn more, read the usage.md which describes all available commands and options.