
Ecryptfs vs encfs


Dan

Mar 21, 2011, 11:20:02 PM
Hi,
I would like to encrypt some folders in the home directory of the
users in a server. I have seen that there are 2 choices: ecryptfs and
encfs. They seem to be very similar. Which one do you think is
better?

Thanks,
Dan


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/AANLkTimOC5rhu-1wx-+f6...@mail.gmail.com

Todd A. Jacobs

Mar 22, 2011, 12:00:01 AM
On Mon, Mar 21, 2011 at 8:09 PM, Dan <gan...@gmail.com> wrote:
> I would like to encrypt some folders in the home directory of the
> users in a server. I have seen that there are 2 choices: ecryptfs and
> encfs. They seem to be very similar. Which one do you think is
> better?

One isn't better than the other; they serve different use cases.
Ecryptfs is a stacked filesystem that runs in the kernel, while encfs
is a FUSE-based filesystem that runs in userspace.

IMHO encfs is a better solution for individual users; it's less
complex to implement and doesn't have stack issues (see
http://ecryptfs.sourceforge.net/ecryptfs-faq.html#stack). On the other
hand, ecryptfs is the default for encrypted home directories in Ubuntu
and probably works faster due to running in kernel space.

Generally, my advice is to use dm-crypt for block devices (like
encrypting an entire /home partition that root plans to mount at
bootup), and encfs for encrypting individual directories other than
$HOME. YMMV.


Archive: http://lists.debian.org/AANLkTimOq7-qAOtYTCiMi77kJSOJPO3Lxs-=mgPB...@mail.gmail.com

Dan

Mar 22, 2011, 8:50:01 AM
On Mon, Mar 21, 2011 at 11:51 PM, Todd A. Jacobs
<codegnome.con...@gmail.com> wrote:
> On Mon, Mar 21, 2011 at 8:09 PM, Dan <gan...@gmail.com> wrote:
>> I would like to encrypt some folders in the home directory of the
>> users in a server. I have seen that there are 2 choices: ecryptfs and
>> encfs. They seem to be very similar. Which one do you think is
>> better?
>
> One isn't better than the other; they serve different use cases.
> Ecryptfs is a stacked filesystem that runs in the kernel, while encfs
> is a FUSE-based filesystem that runs in userspace.
>
> IMHO encfs is a better solution for individual users; it's less
> complex to implement and doesn't have stack issues (see
> http://ecryptfs.sourceforge.net/ecryptfs-faq.html#stack). On the other
> hand, ecryptfs is the default for encrypted home directories in Ubuntu
> and probably works faster due to running in kernel space.
>
> Generally, my advice is to use dm-crypt for block devices (like
> encrypting an entire /home partition that root plans to mount at
> bootup), and encfs for encrypting individual directories other than
> $HOME. YMMV.

Why do you say that ecrypt is less complex? From a user "point of
view" ecryptfs seems to be easy to implement in a multiuser server.

The issues of being a stack filesystem only affect the XFS file
system, not the ext3 or ext4. Right?

It seems that ecryptfs is more popular than encfs. Is there any reason for that?

Dan


Archive: http://lists.debian.org/AANLkTimFv4cc4G_99-txC...@mail.gmail.com

Jon Dowland

Mar 22, 2011, 10:30:02 AM
On Mon, Mar 21, 2011 at 08:51:27PM -0700, Todd A. Jacobs wrote:
> Generally, my advice is to use dm-crypt for block devices (like
> encrypting an entire /home partition that root plans to mount at
> bootup), and encfs for encrypting individual directories other than
> $HOME. YMMV.

I've been using the dm-crypt approach for a while, but the limitations of it
have encouraged me to plan a migration to ecryptfs.

* If you mount via root/boot time, you must supply the passphrase at boot,
which stops unattended/automated restarts or boot-ups.
* As a user, you must supply at least two passphrases (dm-crypt, and login).

You can solve the latter by moving to login-time mounting via libpam-mount.
This generally works very well, but

* fsck is totally invisible if you log in via an X display manager, so the
occasional login will take 5-10 minutes longer than expected for a large
filesystem
* Mounting is done serially, so if you have more than one encrypted
filesystem (I have nearly a dozen, which is a mistake) login takes a long
time every time

With ecryptfs, I can have a file-level backup solution work on the backing
files, not require an active login or mounted FS, and do replication to other
nodes/sites without privacy concerns.


--
Jon Dowland


Archive: http://lists.debian.org/20110322142...@deckard.alcopop.org

Dan

Mar 22, 2011, 10:50:02 AM
On Tue, Mar 22, 2011 at 10:22 AM, Jon Dowland <jm...@debian.org> wrote:
> On Mon, Mar 21, 2011 at 08:51:27PM -0700, Todd A. Jacobs wrote:
>
> With ecryptfs,  I can have a file-level backup solution work on the backing
> files, not require an active login or mounted FS, and do replication to other
> nodes/sites without privacy concerns.
>

Yes, the ecryptfs approach seems to be easier to manage.

Do you have any special reason to have chosen ecryptfs over encfs?

Daniel


Archive: http://lists.debian.org/AANLkTinveBWpgQV0_W_WA...@mail.gmail.com
