Fork me on GitHub!

Tutorial

CryFS is very easy to use. Let us show you how.

Install CryFS

Easy Install is currently supported on Ubuntu 14.04, 15.04 and 15.10 (32bit and 64bit) and on Debian Jessie 64bit.

On these systems, you can install CryFS with the following command.

$wget -O - https://www.cryfs.org/install.sh | sudo bash

This command installs CryFS as a debian package and sets up the apt package source for automatic updates.

On other Linux operating systems, you can compile CryFS from source by following the instructions on GitHub. Windows and Mac OS X are currently not supported, but will be in future versions.

Setup an encrypted directory

Once installed, you can create an encrypted directory by calling cryfs basedir mountdir. You can call the directories however you like, we chose basedir and mountdir for demonstration purposes. If the corresponding directories don't exist yet, CryFS will offer to create them for you.

$cryfs basedir mountdir

This will ask you some questions about the configuration of your encrypted directory. For now, we just say yes when we're asked whether to use the default settings. CryFS will also ask you for a password and then you're good to go.

You can modify files and directories in the mountdir directory. CryFS will then encrypt them and store the encrypted data in the basedir directory. The mountdir directory is a virtual directory, meaning it doesn't actually exist on your harddisk, but is provided by CryFS. Whenever you access files or directories in it, CryFS handles the decryption in the background, so that you can work with mountdir as if it was a real directory. This way, even if someone steals your harddisk, your data is still secure, since they can't decrypt it.

Using the encrypted directory

You can work in mountdir, add files to it, modify them, add subdirectories, and do whatever you want with it. Everything you store inside will be encrypted and stored in basedir. The unencrypted content of mountdir will never be stored to the harddisk, so everything on your harddisk is encrypted. CryFS uses an encryption scheme that doesn't only encrypt file contents, but also the file sizes, file metadata and directory structure is encrypted. Let's take a look.

First, we create a file and a directory in mountdir.

$cd mountdir
$echo "My file content" > myfile
$mkdir mydirectory

Now we check that the file and the directory exist and that the file has the content we just added to it.

$ls
mydirectory myfile
$cat myfile
My file content

If we look into the basedir, we see some cryptic files that contain the encrypted data of the mountdir directory.

$ls ../basedir
[some encrypted files]

Let's go back and unmount the encrypted directory.

$cd ..
$fusermount -u mountdir

Now, CryFS isn't running anymore, which means we cannot access our data anymore. The mountdir is empty.

$ls mountdir
[no output because directory empty]

But don't worry, if we look at the basedir, everything is still there, it is only encrypted.

$ls basedir
[some encrypted files]

When we start CryFS again, we can access our files again.

$cryfs basedir mountdir
$ls mountdir
mydirectory myfile
$cat mountdir/myfile
My file content

Using CryFS together with Dropbox

Although CryFS can also be used to just encrypt files locally, for example to protect against harddrive theft, its main purpose is to be used together with cloud storage providers like Dropbox. It should work well together with any cloud storage provider that uses a local synchronization folder.

First, setup the Dropbox client to synchronize your cloud files to a local folder. In this tutorial, we'll assume that folder is called dropbox.

Then, we start CryFS. Since we only want to upload the encrypted files, we have to put the basedir into the dropbox folder, so Dropbox will synchronize it. If basedir or mountdir don't exist yet, CryFS will ask us whether it should create them. We answer to that question with yes.

$cryfs dropbox/basedir mountdir
Warning! Take care that you don't put the mountdir into the dropbox folder, because otherwise Dropbox would also upload the unencrypted files from mountdir.

Now, everything we write to mountdir will be automatically encrypted, the encrypted data will be written to dropbox/basedir, where the Dropbox client will pick it up and upload it to the cloud.

As before, let's add a file to it.

$echo "My file content" > mountdir/myfile

To check that synchronization works, we can add a second client on another computer. Install CryFS and the Dropbox client and set Dropbox up to synchronize to a local folder. We'll assume you called it dropbox again.

If it is set up correctly, there should be a folder dropbox/basedir. You might have to wait some seconds for Dropbox to finish synchronization.

$ls dropbox
[output contains basedir]

Then, we start CryFS.

$cryfs dropbox/basedir mountdir

Since mountdir doesn't exist yet on the second client, CryFS will ask whether it should create it. We answer to that question with yes.

If we now look into mountdir on the second client, we see the file we created on the first computer.

$ls mountdir
myfile
$cat mountdir/myfile
My file content

You can play around with your setup now. As long as CryFS and Dropbox are running on both computers, everything you modify in one of the mountdir directories will automatically be synchronized to the mountdir on the other computer, while Dropbox only sees the encrypted data.

Try it out and

Download CryFS