Tags: #Artix Linux #macOS #Dropbox #CryFS #SiriKali #container #security
Cloud: Dropbox with CryFS in Linux and macOS
A brief tutorial on setting up encryption of private data stored in public cloud systems using CryFS in Artix Linux as well as in macOS…
Introduction
CryFS is a cryptographic filesystem for the cloud. Using “free” cloud services may seem convenient, but sharing private unencrypted data with a third party always brings the risk of data mining and data leaks. Dropbox, iCloud, OneDrive and others are no exception. CryFS makes sure that user data only leaves the computer in an encrypted form. A brief comparison of CryFS with other software:
- As opposed to VeraCrypt, it keeps its data in small encrypted blocks and changing a small file results in only a small amount of data to be re-uploaded.
- As opposed to EncFS and eCryptfs, it doesn’t only encrypt your file contents, but also file sizes, file metadata and directory structure.
Another interesting comparison made by the authors of gocryptfs can be found here.
Artix Linux Installation
The installation process is straightforward:
$ pacman -S cryfs
There are two ways to use CryFS:
- using graphical user interface (GUI),
- using command line interface (CLI).
SiriKali is a GUI, which can be used for CryFS, but also for eCryptfs, EncFS, gocryptfs and securefs.
The developer of SiriKali (Francis Banyikwa) is not an official Arch Linux developer. Therefore, his GPG key needs to be verified and imported manually by selecting the key number 1 as follows:
$ gpg --keyserver hkps://hkps.pool.sks-keyservers.net --search-keys 16E2E1ACC6F51242
...
Keys 1-1 of 1 for "16E2E1ACC6F51242". Enter number(s), N)ext, or Q)uit > 1<ENTER>
# or just plain import:
$ gpg --recv-keys 16E2E1ACC6F51242
Finally, SiriKali can be installed as follows:
$ yaourt -S sirikali
By default, SiriKali uses its .sirikali directory as the mount point.
Optionally (this is not necessary when using SiriKali): for CLI usage, a separate directory, to which the CryFS-encrypted Dropbox directory will be mounted, needs to be created as follows:
$ mkdir -p $HOME/Dropbox-Unencrypted/Private-Directory
For CLI usage, such a mount directory should be created somewhere in the filesystem for each CryFS-encrypted Dropbox directory. Creating an encrypted directory and mounting it to the mount directory:
$ cryfs $HOME/Dropbox/Private-Directory $HOME/Dropbox-Unencrypted/Private-Directory
Unmounting (-u to unmount, -z for a “lazy” unmount):
$ fusermount -u $HOME/Dropbox-Unencrypted/Private-Directory
macOS Installation
The installation in macOS is a bit more complicated, as it requires the Homebrew package manager to be installed. Should the macOS device lack the Homebrew package manager, it can be installed by following the macOS: Install Homebrew tutorial.
CryFS (including its prerequisite osxfuse) can be installed as follows:
$ brew install caskroom/cask/osxfuse
$ brew install cryfs
Automatic mounting using SiriKali is possible. As of now, SiriKali is not available in Homebrew or any other repository and needs to be compiled from source.
Installation of prerequisites:
$ brew install libgcrypt qt5 pkg-config cmake
Cloning the project’s Git repository:
$ cd /tmp
$ git clone https://github.com/mhogomchungu/sirikali.git
Compilation from source:
$ cd /tmp/sirikali
$ mkdir build
$ cd build
$ export CMAKE_PREFIX_PATH=/usr/local/opt/qt5/
$ cmake -DCMAKE_INSTALL_PREFIX=/tmp/sirikali -DQT5=true -DCMAKE_BUILD_TYPE=RELEASE . ..
$ make -j$(sysctl -n hw.ncpu)
$ make install
In the Finder, the installation is performed by dragging SiriKali from the /tmp/sirikali directory to the Applications directory.
Cleaning:
$ rm -rf /tmp/sirikali
Note: The manual usage is pretty much the same as described in the Artix Linux section, only the unmounting process is managed by the umount command (instead of the fusermount command in Linux).
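The CLI mount and unmount steps from the Artix Linux and macOS sections can be wrapped in a small shell helper that keeps the decrypted view out of the synced folder. This is an added example, not part of the original tutorial or of CryFS; the function names are hypothetical and the default sync root $HOME/Dropbox is assumed from the paths used above.

```shell
#!/bin/sh
# Added example. Assumed layout (from this page): ciphertext below $HOME/Dropbox,
# plaintext mount point below $HOME/Dropbox-Unencrypted.

# Succeeds if path $1 equals or lies below directory $2 (lexical; symlinks not resolved).
path_is_inside() {
    case "${1%/}/" in
        "${2%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the unmount command for the OS name in $1 (default: output of uname -s).
unmount_cmd() {
    case "${1:-$(uname -s)}" in
        Darwin) echo "umount" ;;
        *) echo "fusermount -u" ;;
    esac
}

# Succeeds if $1 is a directory with no entries.
dir_is_empty() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# cryfs_mount BASEDIR MOUNTDIR [SYNC_ROOT]: mount only if plaintext stays unsynced.
cryfs_mount() {
    sync_root="${3:-$HOME/Dropbox}"
    if path_is_inside "$2" "$sync_root"; then
        echo "refusing: mount point $2 is inside synced folder $sync_root" >&2
        return 2
    fi
    mkdir -p "$2" || return 1
    if ! dir_is_empty "$2"; then
        echo "refusing: $2 is not empty (already mounted or holds stray files)" >&2
        return 3
    fi
    cryfs "$1" "$2"
}

# cryfs_unmount MOUNTDIR: fusermount -u on Linux, umount on macOS.
cryfs_unmount() {
    $(unmount_cmd) "$1"
}
```

Source the file and call `cryfs_mount "$HOME/Dropbox/Private-Directory" "$HOME/Dropbox-Unencrypted/Private-Directory"`; the sibling directory name Dropbox-Unencrypted is correctly treated as outside $HOME/Dropbox.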