Cloud: Dropbox with CryFS in Linux and macOS

A brief tutorial to setup encryption of private data shared within public cloud systems using CryFS in Artix Linux as well as in macOS…

Introduction

CryFS is a cryptographic filesystem for the cloud. Using “free” cloud services may seem convenient, but sharing private unencrypted data with a third party always brings the risk of data mining and data leaks. Dropbox, iCloud, OneDrive and others are not an exception. CryFs makes sure that user data only leaves the computer in an encrypted form. A brief comparison of CryFS with other software:

• As opposed to VeraCrypt, it keeps its data in small encrypted blocks and changing a small file results in only a small amount of data to be re-uploaded.
• As opposed to EncFS and eCryptfs, it doesn’t only encrypt your file contents, but also file sizes, file metadata and directory structure.

Another interesting comparison made by the authors of gocryptfs can be found here.

---

Artix Linux Installation

The installation process is straightforward:

$ pacman -S cryfs

There are two ways to use CryFS:

• using graphical user interface (GUI),
• using command line interface (CLI).

SiriKali is a GUI, which can be used for CryFS, but also for eCryptfs, EncFS, gocryptfs and securefs.

The developer of SiriKali (Francis Banyikwa) is not an official Arch Linux developer. Therefore, his GPG key needs to be verified and imported manually by selecting the key number 1 as follows:

$ gpg --keyserver hkps://hkps.pool.sks-keyservers.net --search-keys 16E2E1ACC6F51242
...
Keys 1-1 of 1 for "16E2E1ACC6F51242". Enter number(s), N)ext, or Q)uit > 1<ENTER>
# or just plain import:
$ gpg --recv-keys 16E2E1ACC6F51242

Finally, SiriKali can be installed as follows:

$ yaourt -S sirikali

By default, SiriKali uses as mount point its .sirikali directory.

Optionally (this is not necessary when using SiriKali): for CLI usage, a different directory, which will be the CryFS-encrypted Dropbox directory mounted to, needs to be created as follows:

$ mkdir -p $HOME/Dropbox-Unencrypted/Private-Directory

Considering the CLI usage, an appropriate directory should be created for each CryFS-encrypted Dropbox directory somewhere in the filesystem. Creating an encrypted directory and mounting it to:

$ cryfs $HOME/Dropbox/Private-Directory $HOME/Dropbox-Unencrypted/Private-Directory

Unmount (-u to unmount, -z to “lazy” unmnout):

$ fusermount -u $HOME/Documents/Dropbox-Unencrypted/Private-Directory

---

MacOS Installation

The installation in macOS is a bit complicated, as it requires Homebrew package manager to be installed. Should the macOS device lack the Homebrew package manager, it can be installed using the macOS: Install Homebrew tutorial accordingly.

CryFS (including its prerequisite osxfuse) can be installed as follows:

$ brew install caskroom/cask/osxfuse
$ brew install cryfs

The automatic mounting using SiriKali is possible. As of now, it is not available in the Homebrew or any other repository and needs to be compiled from source.

Installation of prerequisites:

$ brew install libgcrypt qt5 pkg-config cmake

Cloning the project’s GIT repository:

$ cd /tmp
$ git clone https://github.com/mhogomchungu/sirikali.git

Compilation from source:

$ cd /tmp/sirikali
$ mkdir build
$ cd build
$ export CMAKE_PREFIX_PATH=/usr/local/opt/qt5/
$ cmake -DCMAKE_INSTALL_PREFIX=/tmp/sirikali -DQT5=true -DCMAKE_BUILD_TYPE=RELEASE . ..
$ make -j$(sysctl -n hw.ncpu)
$ make install

In the Finder, the installation is performed by dragging SiriKali from the /tmp/sirikali directory to the Applications directory.

Cleaning:

$ rm -rf /tmp/sirikali

Note: The manual usage is pretty much the same as described in the Artix Linux section, only the unmounting process is managed by the umount command (instead of the fusermount command in Linux).