Introduction
If you want to upload your files into cloud storage it's probably a good idea to encrypt your files before you upload them. When you encrypt your files locally you don't need to trust a third-party provider to keep your files safe. Besides the popular cloud storage providers, you can encrypt and upload your files to your own cloud server (probably using rsync, for efficiency) and use it as a remote backup.
Securefs is a FUSE (Filesystem in Userspace). You can mount this filesystem into a directory, like with other filesystems. This directory appears as a regular directory, where you can put and edit your files. But it doesn't really exist on disk, it's virtual. When you write (read) files in that directory they will be automatically encrypted (decrypted). You don't sync this directory with your cloud storage, it's only for you to work with your files. The underlying encrypted filesystem should be synced instead.
There are other programs that are based on the same concept, but have a different implementation. Notable examples are gocryptfs and CryFS. A comparison is available here.
Gocryptfs doesn't support Windows, but a third-party implementation is available. CryFS doesn't provide binaries for Linux. You need to install it using your package manager, which means you can get an outdated version. In summary, only securefs supports Windows and Linux and provides binaries for both of them.
There is a feature called reverse mode which allows you to create an encrypted view of your unencrypted directory without storing an encrypted copy on disk. This is useful, for example, if you want to store your files locally unencrypted, but want to encrypt them before syncing to the remote destination. This feature is only supported by gocryptfs.
Prerequisites
- A user with sudo privileges.
- AMD64 or Arm64 architecture on Linux. AMD64 on Windows.
- A directory that is synced to your cloud storage
Example terminology
- Synced directory:
~/Cloud
Usually when you're using a cloud storage provider you have a special folder which is automatically synced to the cloud and vice versa. Replace the example directory name with your own.
Step 1 - Installing and using securefs on Linux
You can choose between two installation methods on Linux.
The first option is to install the securefs executable and its dependencies separately.
The second option is to install the statically linked securefs executable with all dependencies included, which can be easier on some systems.
Step 1.1 - Installing securefs and its dependencies
Securefs depends on libfuse2 to run. On Ubuntu 22.04 the package name you need to install is libfuse2, but on Ubuntu 24.04 it was renamed to libfuse2t64.
Additionally, you need to install the unzip package.
On Ubuntu 24.04 run the following command to install the required packages:
sudo apt update && sudo apt install libfuse2t64 unzipGo to the latest release and choose the archive for your system and architecture. Extract it and add it to your PATH environment variable.
Or follow the steps below for an automated install.
Copy and paste the following code to your terminal:
This will define a shell function that will be used to install
securefs.
install_securefs() {
local bin
if [[ "$1" == "static" ]]; then
bin="-musl-static"
fi
local arch
case "$(uname -m)" in
'x86_64')
arch="amd64"
;;
'aarch64')
arch="arm64"
;;
*)
echo "Unknown architecture!" >&2
return 1
;;
esac
local release_zip=$(mktemp)
curl -fLo "$release_zip" "https://github.com/netheril96/securefs/releases/latest/download/securefs-linux-${arch}${bin}-release.zip" \
&& sudo unzip -d /usr/local/bin "$release_zip" securefs \
&& sudo chmod 755 /usr/local/bin/securefs
rm -f "$release_zip"
}Run the command to install securefs:
install_securefsNow, check that securefs is installed properly:
securefs versionIf you see an error.
If you see an error like this:
securefs: error while loading shared libraries: libfuse.so.2: cannot open shared object file: No such file or directoryYou need to install the libfuse2 library, which is described above.
If you need to update securefs, repeat step 1.1 again.
Step 1.2 - Installing statically linked securefs (Optional)
Copy the shell function from a previous step and paste it to your terminal.
Pass the argument static, to install the statically linked securefs executable:
install_securefs staticCheck that it works:
securefs versionStep 1.3 - Using securefs with cloud storage
First of all, you need to create an encrypted filesystem, where your files will be stored.
Execute the command below to create a securefs filesystem:
-
Replace
~/Cloudwith a path to the directory which is synced to your cloud storage. This directory should exist. -
You will be asked for a password, provide a strong one.
To create a strong password which is easy to remember you can use the Diceware method with EFF's word list.
securefs create ~/Cloud/securefs_backupNote: To discover available options for the
createsubcommand, runsecurefs create --help | less.
To work with your files, you need to mount the securefs filesystem created previously.
Open a new terminal window or tab and execute the following command:
-
~/Cloud/securefs_backupis where securefs filesystem resides. Files in this directory are encrypted. -
~/backupis where your unencrypted files will be available for you to work with.Replace
~/backupwith any path you like, but this directory should be empty or not exist, when you execute themountsubcommand. Or you will get an error: "mountpoint is not empty".
securefs mount ~/Cloud/securefs_backup ~/backupNote: Your current terminal will be blocked until the filesystem is unmounted. To unmount the filesystem press
Ctrl + C. Or executefusermount -u ~/backupin another terminal.
Note: You can mount the securefs filesystem in the background, by executing the command below:
securefs mount -b --log ~/.securefs.log ~/Cloud/securefs_backup ~/backupThe log file will be stored in your home directory. If you don't specify
--log, thensecurefs mountwill not report any errors and silently fail, if you provided the wrong password, for example. Inspect the log withless ~/.securefs.log.To unmount execute:
fusermount -u ~/backup
To list all securefs filesystem which are currently mounted, you can use the following command:
df --output=source,target -t fuse.securefsNow, you can work with your files in the ~/backup directory. All your changes will be synced to the cloud. Then you can mount the same filesystem on a different device. Simultaneous mounting and file manipulations on multiple devices are not supported though. Before mounting and working with your files on another device, unmount the filesystem on a previous device and sync with the cloud on both devices.
You can work with your files as usual, for example, create a file for your notes:
nano ~/backup/notes.txtAlthough ~/backup behaves like a regular directory, it doesn't occupy any space on disk. It's virtual and only presents an unencrypted view of an encrypted filesystem in the ~/Cloud/securefs_backup directory.
Step 1.4 - Using securefs with rsync
Instead of using a cloud storage provider you can use your own cloud server to create a remote encrypted backup.
Read step 1.3 to get the basic idea how to work with securefs. The only difference is that you need to manually sync your changes to the remote server using rsync.
First, create a securefs filesystem as described in step 1.3:
securefs create ~/securefs_backupNext, you can mount it in ~/backup:
securefs mount ~/securefs_backup ~/backupNow, you can put your files that you want to backup in ~/backup. When you're done you can update your remote backup by syncing the ~/securefs_backup directory to the remote server using rsync:
- Be careful when you specify the local and remote directory to sync.
--deletewill delete all files in the remote directory that are not present in the local directory. In the example, thesecurefs_backupdirectory gets synced between the home directories of the local and remote users. -roption is needed to copy nested directories, not just files.-toption will preserve modification times, which is needed for subsequent syncs to be efficient.- Replace
holuwith your username on the remote server, and10.0.0.1with its IP address.
rsync --delete -rt ~/securefs_backup/ holu@10.0.0.1:securefs_backup/Step 2 - Installing and using securefs on Windows
Step 2.1 - Installation
Installing dependencies
To be able to run securefs, you need to install two packages:
- Go to the latest WinFsp release. Download the
.msifile and install it. - Download the latest Microsoft Visual C++ Redistributable for X64 architecture and install it.
Installing securefs on Windows
Run the following commands in PowerShell. Add path that is printed in your terminal to your system PATH environment variable.
curl.exe -fLo "$HOME\securefs.zip" https://github.com/netheril96/securefs/releases/latest/download/securefs-windows-amd64-release.zip
Expand-Archive "$HOME\securefs.zip" "$HOME\securefs"
rm "$HOME\securefs.zip"
echo "$HOME\securefs"Open a new PowerShell window and run:
securefs versionto check that securefs is installed properly.
Step 2.2 - Using securefs on Windows
Read step 1.3 for Linux. Everything described there applies to Windows as well, except that background mounting is not supported on Windows.
You need to create an encrypted filesystem. Open PowerShell and run the following command to create a new filesystem:
- Replace
Cloudwith a directory that is synced to your cloud storage. It's usually in your user's home directory. This directory should exist.
securefs create "$HOME\Cloud\securefs_backup"Mount the encrypted filesystem to the backup directory to be able to work with your files:
- Replace
backupwith any name you like. This directory should be empty or not exist.
securefs mount "$HOME\Cloud\securefs_backup" "$HOME\backup"As you modify your files in the ~\backup directory, their encrypted versions will be synced to the cloud.
Conclusion
Using a securefs filesystem is a good way to ensure that your files are safe, even if you're using a cloud storage provider that you don't trust. Hopefully you know the basics of securefs now.
To learn more, read the usage.md which describes all available commands and options.