Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Replace FileVault With EncFS

Posted by timothy on from the for-secretive-tweakers dept.

agoston.horvath writes "I've written a HOWTO on replacing Mac OS X's built-in encryption (FileVault) with the well-known FUSE-based EncFS. It worked well for me, and most importantly: it is a lot handier than what Apple has put together. This is especially useful if you are using a backup solution like Time Machine. Includes Whys, Why Nots, and step-by-step instructions."

3 of 65 comments (clear)

  1. [citation needed] by shadow349 · · Score: 5, Funny

    FTFA:

    FileVault is a proprietary tool from a big and famous manufacturer. This means that you can be sure that there is a built-in backdoor for government bodies to use, in case you would be a terrorist suspect or trying to seize control by a coup. These backdoors are usually found and used against you in practice.

    [citation needed]

  2. Re:Question by TheRaven64 · · Score: 5, Interesting

    Having read the article, I'd recommend that no one else did. It's written in a preachy patronising tone by someone who is clearly an idiot. For example, he complains about weak encryption because it's 'only AES-128 and you can't change that', except that since 10.5 it's been AES-128 or AES-256, even AES-128 is more than secure enough, and the vulnerability with FileVault comes from how they store the key, not from the encryption used.

    He also mentions just as a throw-away 'Don't forget that encfs doesn't support fancy filesystem operations, so don't just throw your whole homedir in there - it won't work.' So, in fact, this can't replace FileVault. Looking at the EncFS web site, I can't see any evidence that it's been audited (even the design, let alone the code). He recommends storing your decryption key in the keychain, which seems very odd; if you don't trust Apple's encryption of your home directory, why would you trust Apple's encryption of your passwords?

    He finishes with 'The biggest mistake Apple did with FileVault is storing the encrypted home directory on a virtual file system'. Given that the limitations of EncFS come from the fact that it isn't a proper filesystem, I'd have to disagree there. FileVault does encryption at the block layer, just like most other encrypted filesystems. If you bother to read any of the papers in this area, you will see that there are a number of good reasons for doing this.

    Apple did two things wrong with FileVault. They didn't let Time Machine sync mounted File Vault images with other encrypted images and they didn't provide an implementation of something like the TRIM command to let the low-level bits delete space when it was no longer needed.

    --
    I am TheRaven on Soylent News
  3. Re:Question by node+3 · · Score: 5, Insightful

    What are some flaws in FileVault that might make me prefer EncFS?

    I've only been thinking of activating FileVault lately and my only other experience has been with ELI in FBSD.

    The "flaws" in FileVault (really, just limitations, but whatever), are that they aren't backed up via Time Machine while you're logged in, and space isn't freed up until you log out.

    He states that it takes a long time to log out, but that's not true as of Snow Leopard. Sparsebundles recover space very quickly, and you can cancel the logout clean up process without worry.

    As for, why would you prefer EncFS? You wouldn't. It actually does work reliably. FTA:

    There are known problems with EncFS, as it only support basic POSIX operations (no locking, extended attributes, etc...). This works well for simple file storage or multiplatform applications, like MacPorts, Firefox, Thunderbird, etc..., but encrypting your whole homedir is known not to work.

    In other words, not only can it not replace FileVault, but it can't even be used for the things a normal Mac user might want to encrypt (Mail folder, iPhoto library, etc.).