EncFS - an Encrypted Filesystem

About

EncFS provides an encrypted virtual filesystem. It runs in userspace, using the FUSE library. EncFS is open source software, licensed under the LGPL.

EncFS was first released in 2003, making it one of the earlier FUSE filesystems! At the time, there were few options available for Linux, and the kernel modules that were available had not kept pace with Linux development. This meant that every kernel upgrade was likely to break the filesystem until the module was updated. When FUSE became available, I wrote a CFS replacement for my own use and released it to Open Source.

EncFS encrypts individual files, by translating all requests for the virtual EncFS filesystem into the equivalent encrypted operations on the raw filesystem.

For more info, see:

If you're considering setting up a new encrypted filesystem, I'd recommend looking into newer alternatives, such as the excellent GoCryptFS, or else use full-disk encryption when possible.

Status - Feb 2026

Data has a long lifespan, and people still have data that was encrypted with EncFS. This project has been mostly dormant for years. I've recently begun porting EncFS to Rust as a way to learn Rust, which turned out to be easier than I'd expected with the help of modern-day developer tooling.

The old C++ code has been removed. The code can be found in old branches, or old releases, but is not being maintained.

EncFS was a mature program, so while the new implementation is already functional, it is still considered an alpha release, and I would always keep a separate backup of anything stored in it.

Overall status

  • Core
    • Read operations
    • Basic write operations
    • Truncate w/ holes
  • Improvements
    • new tamper-safe configuration file (v7 config)
    • support for a new key derivation function (Argon2id)
    • new block encryption mode (aes-gcm-siv)
  • Extended features
    • reverse encryption mode
  • Multi-language
    • basic multi-language support
    • translations beyond auto-generated FR and DE strings

Getting started

Upgrading from a previous config (V4/V5/V6):

Use encfsctl passwd --upgrade <rootdir> to convert an existing filesystem to the V7 config format and switch to the Argon2id key-derivation function. You will be prompted for the current password and a new one. The tool writes a new .encfs7 file; the old config file is left in place. Ensure the volume is not mounted when upgrading.

For scripted or non-interactive setup, use encfsctl new --stdinpass or --extpass <program>, and encfs -S or --extpass for mounting.

Create a new encrypted filesystem and mount it in two steps.

1. Create a new EncFS config in the directory that will hold the encrypted files. This creates a V7 config (e.g. .encfs7) and prompts for a password:

mkdir -p ~/encrypted
encfsctl new ~/encrypted

2. Mount the filesystem with encfs. The first argument is the encrypted root directory (where the config lives), the second is the mount point where you will see plaintext:

mkdir -p ~/mount
encfs ~/encrypted ~/mount

You can now read and write files under ~/mount; they are stored encrypted under ~/encrypted. When finished, unmount:

fusermount -u ~/mount   # Linux
# or: umount ~/mount    # macOS / FreeBSD

Reverse encryption mode (encfsr)

The encfsr binary provides reverse encryption: your plaintext files live on disk in a source directory, and encfsr mounts a read-only virtual filesystem that exposes the encrypted view of that directory. Use this when you want to back up or sync an encrypted representation of local data (e.g. to an untrusted or cloud storage) without storing plaintext there.

  • Normal encfs: encrypted dir → mount point shows plaintext (read/write).
  • encfsr: plaintext dir → mount point shows encrypted view (read-only).

Requirements

  • A V7 EncFS config (e.g. .encfs7). Older configs are not supported.
  • Config should be created without per-file IV headers: use encfsctl new --no-unique-iv ... so the content is deterministic and suitable for reverse mode.

Usage

encfsr <config> <source_dir> <mount_point>

Example: plaintext in ~/Documents, encrypted view at /mnt/enc:

encfsr ~/Documents/.encfs7 ~/Documents /mnt/enc

Then copy or sync from /mnt/enc to your backup/cloud target; the content and filenames there are encrypted.

Options (same as encfs where applicable):

  • -f / --foreground — run in foreground (do not daemonize).
  • -S / --stdinpass — read password from stdin (e.g. for scripts).
  • --extpass <program> — run a program to get the password; RootDir is set to the source directory.

Unmount when done: fusermount -u <mount_point> (Linux) or umount <mount_point> (macOS/FreeBSD).
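A sketch of a password helper for `--extpass <program>`, added here as an example (it is not code from the EncFS project). It uses the `RootDir` environment variable mentioned above to pick a per-volume secret file and refuses files that are symlinks or readable by group/others. Assumptions: the password is returned on stdout, and the script name `encfs-extpass.sh`, the `ENCFS_SECRETS_DIR` variable and the `<path with / replaced by _>.pass` layout are hypothetical.

```shell
#!/bin/sh
# Added example: helper program for `--extpass <program>`.
# Assumptions (not from the EncFS project): secrets live in one directory,
# one file per volume, and the password is handed back on stdout.

# Map a root directory to its secret file,
# e.g. /home/u/Documents -> <secrets_dir>/_home_u_Documents.pass
secret_path() {
    root=${1%/}                       # ignore one trailing slash
    printf '%s/%s.pass\n' "$2" "$(printf '%s' "$root" | tr '/' '_')"
}

# Print the password for root dir $1 using secrets dir $2.
# Returns: 0 ok, 2 bad arguments, 3 missing or not a regular file,
#          4 secret file has group/other permission bits set.
extpass_lookup() {
    [ -n "$1" ] && [ -d "$2" ] || return 2
    f=$(secret_path "$1" "$2")
    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$f" ] || [ ! -f "$f" ]; then return 3; fi
    # Characters 5-10 of the ls mode string are the group/other bits;
    # all must be clear (e.g. mode 0600 or 0400).
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ] || return 4
    # Emit only the first line of the file.
    head -n 1 -- "$f"
}

# When run as a program, take the volume from the RootDir environment variable.
if [ "${0##*/}" = "encfs-extpass.sh" ]; then
    extpass_lookup "${RootDir:-}" "${ENCFS_SECRETS_DIR:-$HOME/.config/encfs-secrets}"
fi
```

A non-zero exit leaves stdout empty, so a missing or over-permissive secret file never yields a password.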

FAQ

What settings should I use for Dropbox?

Disable External IV chaining. There have been reports of a pathological interaction between IV chaining mode and Dropbox's rename detection.

IV chaining is on by default, so it must be disabled when creating a new filesystem: encfsctl new --no-chained-iv ...
