Get Rewarded! We will reward you with up to €50 credit on your account for every tutorial that you write and we publish!
ProductsContributeDocsCareer

Encrypting your files in the cloud using securefs

profile picture
Author
wpdevelopment11
Published
2024-12-13
Time to read
9 minutes reading time
Table of Contents

Introduction

If you want to upload your files into cloud storage it's probably a good idea to encrypt your files before you upload them. When you encrypt your files locally you don't need to trust a third-party provider to keep your files safe. Besides the popular cloud storage providers, you can encrypt and upload your files to your own cloud server (probably using rsync, for efficiency) and use it as a remote backup.

Securefs is a FUSE (Filesystem in Userspace). You can mount this filesystem into a directory, like with other filesystems. This directory appears as a regular directory, where you can put and edit your files. But it doesn't really exist on disk, it's virtual. When you write (read) files in that directory they will be automatically encrypted (decrypted). You don't sync this directory with your cloud storage, it's only for you to work with your files. The underlying encrypted filesystem should be synced instead.

There are other programs that are based on the same concept, but have a different implementation. Notable examples are gocryptfs and CryFS. A comparison is available here.

Gocryptfs doesn't support Windows, but a third-party implementation is available. CryFS doesn't provide binaries for Linux. You need to install it using your package manager, which means you can get an outdated version. In summary, only securefs supports Windows and Linux and provides binaries for both of them.

There is a feature called reverse mode which allows you to create an encrypted view of your unencrypted directory without storing an encrypted copy on disk. This is useful, for example, if you want to store your files locally unencrypted, but want to encrypt them before syncing to the remote destination. This feature is only supported by gocryptfs.

Prerequisites

  • A user with sudo privileges.
  • AMD64 architecture, the binary for Arm64 is not available.
  • A directory that is synced to your cloud storage

Example terminology

  • Synced directory: ~/Cloud

Usually when you're using a cloud storage provider you have a special folder which is automatically synced to the cloud and vice versa. Replace the example directory name with your own.

Step 1 - Installing and using securefs on Linux

Step 1.1 - Installation

Securefs depends on libfuse2 to run. On Ubuntu 22.04 the package name you need to install is libfuse2, but on Ubuntu 24.04 it was renamed to libfuse2t64.

Additionally, you need to install the unzip package.

On Ubuntu 24.04 run the following command to install the required packages:

sudo apt update && sudo apt install libfuse2t64 unzip

Run the commands below to download and install the latest release of securefs system-wide:

release_zip=$(mktemp)
curl -fLo "$release_zip" https://github.com/netheril96/securefs/releases/latest/download/securefs-linux-amd64-release.zip \
&& sudo unzip -d /usr/local/bin "$release_zip" securefs \
&& sudo chmod 755 /usr/local/bin/securefs
rm -f "$release_zip"

Now, check that securefs is installed properly:

securefs version
If you see an error.

If you see an error like this:

securefs: error while loading shared libraries: libfuse.so.2: cannot open shared object file: No such file or directory

You need to install the libfuse2 library, which is described above.

If you need to update securefs, repeat step 1.1 again.

Step 1.2 - Using securefs with cloud storage

First of all, you need to create an encrypted filesystem, where your files will be stored.

Execute the command below to create a securefs filesystem:

  • Replace ~/Cloud with a path to the directory which is synced to your cloud storage. This directory should exist.

  • You will be asked for a password, provide a strong one.

    To create a strong password which is easy to remember you can use the Diceware method with EFF's word list.

securefs create ~/Cloud/securefs_backup

Note: To discover available options for the create subcommand, run securefs create --help | less.

To work with your files, you need to mount the securefs filesystem created previously.

Open a new terminal window or tab and execute the following command:

  • ~/Cloud/securefs_backup is where securefs filesystem resides. Files in this directory are encrypted.

  • ~/backup is where your unencrypted files will be available for you to work with.

    Replace ~/backup with any path you like, but this directory should be empty or not exist, when you execute the mount subcommand. Or you will get an error: "mountpoint is not empty".

securefs mount ~/Cloud/securefs_backup ~/backup

Note: Your current terminal will be blocked until the filesystem is unmounted. To unmount the filesystem press Ctrl + C. Or execute fusermount -u ~/backup in another terminal.


Note: You can mount the securefs filesystem in the background, by executing the command below:

securefs mount -b --log ~/.securefs.log ~/Cloud/securefs_backup ~/backup

The log file will be stored in your home directory. If you don't specify --log, then securefs mount will not report any errors and silently fail, if you provided the wrong password, for example. Inspect the log with less ~/.securefs.log.

To unmount execute:

fusermount -u ~/backup

To list all securefs filesystem which are currently mounted, you can use the following command:

df --output=source,target -t fuse.securefs

Now, you can work with your files in the ~/backup directory. All your changes will be synced to the cloud. Then you can mount the same filesystem on a different device. Simultaneous mounting and file manipulations on multiple devices are not supported though. Before mounting and working with your files on another device, unmount the filesystem on a previous device and sync with the cloud on both devices.

You can work with your files as usual, for example, create a file for your notes:

nano ~/backup/notes.txt

Although ~/backup behaves like a regular directory, it doesn't occupy any space on disk. It's virtual and only presents an unencrypted view of an encrypted filesystem in the ~/Cloud/securefs_backup directory.

Step 1.3 - Using securefs with rsync

Instead of using a cloud storage provider you can use your own cloud server to create a remote encrypted backup.

Read step 1.2 to get the basic idea how to work with securefs. The only difference is that you need to manually sync your changes to the remote server using rsync.

First, create a securefs filesystem as described in step 1.2:

securefs create ~/securefs_backup

Next, you can mount it in ~/backup:

securefs mount ~/securefs_backup ~/backup

Now, you can put your files that you want to backup in ~/backup. When you're done you can update your remote backup by syncing the ~/securefs_backup directory to the remote server using rsync:

  • Be careful when you specify the local and remote directory to sync. --delete will delete all files in the remote directory that are not present in the local directory. In the example, the securefs_backup directory gets synced between the home directories of the local and remote users.
  • -r option is needed to copy nested directories, not just files.
  • -t option will preserve modification times, which is needed for subsequent syncs to be efficient.
  • Replace holu with your username on the remote server, and 10.0.0.1 with its IP address.
rsync --delete -rt ~/securefs_backup/ holu@10.0.0.1:securefs_backup/

Step 2 - Installing and using securefs on Windows

Step 2.1 - Installation

Installing dependencies

To be able to run securefs, you need to install two packages:

Installing securefs on Windows

Run the following commands in PowerShell. Add path that is printed in your terminal to your system PATH environment variable.

curl.exe -fLo "$HOME\securefs.zip" https://github.com/netheril96/securefs/releases/latest/download/securefs-windows-amd64-release.zip
Expand-Archive "$HOME\securefs.zip" "$HOME\securefs"
rm "$HOME\securefs.zip"
echo "$HOME\securefs"

Open a new PowerShell window and run:

securefs version

to check that securefs is installed properly.

Step 2.2 - Using securefs on Windows

Read step 1.2 for Linux. Everything described there applies to Windows as well, except that background mounting is not supported on Windows.

You need to create an encrypted filesystem. Open PowerShell and run the following command to create a new filesystem:

  • Replace Cloud with a directory that is synced to your cloud storage. It's usually in your user's home directory. This directory should exist.
securefs create "$HOME\Cloud\securefs_backup"

Mount the encrypted filesystem to the backup directory to be able to work with your files:

  • Replace backup with any name you like. This directory should be empty or not exist.
securefs mount "$HOME\Cloud\securefs_backup" "$HOME\backup"

As you modify your files in the ~\backup directory, their encrypted versions will be synced to the cloud.

Conclusion

Using a securefs filesystem is a good way to ensure that your files are safe, even if you're using a cloud storage provider that you don't trust. Hopefully you know the basics of securefs now.

To learn more, read the usage.md which describes all available commands and options.

License: MIT
Want to contribute?

Get Rewarded: Get up to €50 in credit! Be a part of the community and contribute. Do it for the money. Do it for the bragging rights. And do it to teach others!

Submit an articleFind out more
Report Issue
Try Hetzner Cloud

Get €20/$20 free credit!

Valid until: 31 December 2025 Valid for: 3 months and only for new customers
Get started
Want to contribute?

Get Rewarded: Get up to €50 credit on your account for every tutorial you write and we publish!

Find out more
Report Issue