EncFS is a free ( under the GPL published ) encryption extension for any file systems of Unix-like operating systems, and is built on the FUSE framework. It encrypts not entire file systems, but only individual files, so it can be retrofitted without a separate establishment of a separate encrypted partition and still conventional tools, such as for data backup, can be used.


EncFS uses two directories to transparently encrypt the data. In one directory the encrypted data is stored. The registered data is not written directly to the hard drive, but encrypted by EncFS first and then stored in the so-called second source directory in encrypted form. The unencrypted view of the first folder is only visible as long as the second means of EncFS is involved in the first. This corresponds to each encrypted file in the second folder an unencrypted file in the first. If the contents of the encrypted folder is not included, the unencrypted folder is empty.


Encrypts the data is with a large, present in a file key, the volume so-called Key. This is further protected with a password to prevent decryption with knowledge of the volume keys. EncFS can use different encryption algorithms; typically are Blowfish and AES. If you want to access the encrypted data, so you have to so when including the password of the Volume Keys to enter.

The data is encrypted in individual data blocks. Data blocks are encrypted as a whole and can only be fully deciphered. So if only a single byte is modified, the entire block must be re- encrypted and written. To this can be optimally adapted to the present data, therefore, be changed the block size of 512 bytes by default.

EncFS encrypted not only the contents of the files, but the file name. You can here may store more complex between the (depending on the underlying file system ) something, but the length of the file name obfuscating, select block mode and the memory gentler stream mode.

Data integrity

In addition, it is possible with a block MAC headers mentioned option EncFS to determine changes or errors in the encrypted files. In this case, a check sum of 8 bytes is generated for each data block. In addition, an additional 8 bytes of random data to be appended to each data block in order to prevent that the data blocks with the same unencrypted content having the same checksum.

However, this option requires a lot of computing power of the CPU, since each read access for the purpose of integrity testing and at each write access to their update the checksum must be calculated.

Pros and Cons

Because of its file by file encryption EncFS has some advantages over other crypto file systems:

  • There is no fixed size on the disk. It is only the space occupied, which is actually needed for the encrypted files. Data can be stored in EncFS until the file system in which it is located is full.
  • Cover parts of the EncFS - encrypted file system can be stored on different disks. For example, a folder in the ( encrypted ) source directory is NFS mounted and be another locally.
  • Backup programs can specifically ensure the individual modified encrypted files that have changed in the meantime. It does not have any time the entire partition are secured, as is the case with encrypted partitions.

Because of this approach, however, also some disadvantages:

  • Per EncFS stored data have the same restrictions as the file system where the source folder is located.
  • A fragmentation of the encrypted data leads to fragmentation of data in the source directory.
  • Rights management is not reimplemented, so everyone can the number of files, their access rights, size and length of the file name (the file name itself is however mitverschlüsselt ) and the date of the last change to see.