Blogaria

In order to protect customers' data, I used to create encrypted disk images using my Mac's Disk Tool. This works really well: you assign a file to serve as image, then you open the encrypted image and while mounting it, MacOSX asks you for a pass phrase. Once mounted, the separate files are accessible. The only drawback is that backing it up is a pain:

• Either I backed up the encrypted entire image file, so that the data would remain encrypted on the back up media. But this means that incremental back ups take very long. Every small change within such a filesystem leads to changes in the image, and hence the image file is eligible for back up.
• Or, I backed up separate files from the image while it was mounted - which makes incremental back ups fast, but leaves the separate files unencrypted on the media. This of course creates a security hole that I don't want.

Here's how to get encfs for the Mac: Make sure that you have the MacPorts package, and then simply type (as root):

port -v install encfs

And here's how to use encfs.

• As any non-root user, create two directories to (a) hold encrypted files, (b) be the non-encrypted representation. This is required only once. For example:

  # The username is assumed to be "myname" in this example
  # The directory pair is PlainDocs and .EncDocs
  mkdir /Users/myname/PlainDocs /users/myname/.EncDocs
  

• Next, assign the mapping between the directories using the command encfs. This is very similar to mounting:

  # Adjust the directory names as required on your own system
  encfs /Users/myname/PlainDocs /users/myname/.EncDocs
  

During this step, encfs will ask for a passphrase. Obviously, choose something you can remember - but something not obvious ;-) The first time this is done, encfs prompts for a few file system related settings - leave them to their defaults, or pick your own.
• Make sure that /Users/myname/.EncDocs is included in your back up scheme, and /Users/myname/PlainDocs is excluded. You want to back up the encrypted files, but not the plain-text ones.
• After modifying or reading files in /Users/myname/PlainDocs, unmap the encrypted filesystem, by entering as root:

  # Replace /Users/myname/PlainDocs with whatever is applicable
  # in your situation
  umount /Users/myname/PlainDocs
  

• As root, create a script /var/root/bin/umount-encfs with the following contents (I put this file under root's home directory so root only can see it, but you can use any path you like, just make sure it has root-only privileges):

  #!/bin/sh
  
  # /Users/myname/PlainDocs is the mapped directory,
  # adjust for your own purposes
  pids=`lsof /Users/myname/PlainDocs | awk '{if (NR > 1) print $2}'`
  if [ -n "$pids" ] ; then
      kill $pids
      kill -1 $pids
  fi
  umount /Users/myname/PlainDocs
  

  The purpose of this file is to list all programs that use files in the plain-documents directory, and to stop those programs. Then the directory is unmounted.
• Make this script executable, using:

  chmod +x /var/root/bin/umount-encfs

• Make sure that the script is called when the laptop goes into sleepmode. Run as root:

  # umount-encfs should be run when logging out  
  defaults write com.apple.loginwindow LogoutHook \
    /var/root/bin/umount-encfs
   
  # umount-encfs should be run when entering sleep mode
  defaults write com.apple.loginwindow SleepHook \
    /var/root/bin/umount-encfs
  

  # This works
  encfs /Users/myname/PlainDocs /Users/myname/.EncDocs

  # This doesn't work.. sigh
  cd /Users/myname
  encfs PlainDocs .EncDocs

#!/usr/bin/perl

use strict;
use Cwd 'abs_path';

my $encfs = '/opt/local/bin/encfs';

# Convert all args to absolute paths.
my @args = ($encfs);
for my $a (@ARGV) {
    if (-f $a) {
        push(@args, abs_path($a));
    } elsif (-d $a) {
        push(@args, abs_path($a) . '/');
    } else {
        push(@args, $a);
    }
}

# Exec true encfs
print ("Running: @args\n");
exec( {$encfs} @args );
die("Failed to exec $encfs: $!\n");