FAQ  
Frequently Asked Questions
Updated Feb 4, 2010 by baker.st...@gmail.com

Instructions

To install EncFSVault, run the installer package. If you have not already installed MacFUSE and EncFS, you will need to do so before trying to use EncFSVault. You should also create an admin account to set up new users, for emergencies, and to change passwords. If you change a user's password, you will also need to update the EncFSVault password; this can be done using the encfsctl program.

Enabling/Disabling EncFS logins

EncFSVault is enabled by default once the package has been installed. To see the current state of EncFSVault, run "/usr/local/bin/encfsVaultCntrl --status". The instructions to disable or enable EncFSVault are below. See the Adding Users section below for user setup.

Disable EncFSVault with Leopard or Tiger

/usr/local/bin/encfsVaultCntrl --disable

Enable EncFSVault with Leopard or Tiger

/usr/local/bin/encfsVaultCntrl --enable

Backups

Always have backups of your data.

The control file contains the filesystem parameters, in addition to encrypted key data which is different for every filesystem. You need both the password and this control file in order to access the data. If you lose either one, there isn't anything I can do to help. Your password should be considered important data. If you're not sure you can remember it, then back it up in a secure manner (either in a password keychain program or in a secure location).

From the administrator account you can back up /Users/.username to have a copy of the encrypted data. Alternatively, you can back up /Users/username into another encrypted volume or backup solution.
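
A way to check that a backup of the encrypted directory really contains the control file and intact ciphertext (added example, not part of EncFSVault; the control file names .encfs6.xml and .encfs5 are the stock EncFS names and are an assumption here, since this page does not name the file):

```shell
#!/bin/sh
# Added example, not part of EncFSVault.
# Assumption: control file is .encfs6.xml or .encfs5 (stock EncFS names).

# Print the control file path inside encrypted dir $1; fail if there is none.
find_control_file() {
    for f in "$1"/.encfs6.xml "$1"/.encfs5; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Copy encrypted dir $1 to backup dir $2, then verify the copy.
# Status: 0 ok, 2 no control file, 3 copy failed, 4/5 verification failed.
backup_vault() {
    src=$1
    dest=$2
    ctl=$(find_control_file "$src") || { echo "no control file in $src" >&2; return 2; }
    mkdir -p "$dest" || return 3
    cp -Rp "$src"/. "$dest"/ || return 3
    # The control file holds the encrypted key data: compare byte for byte.
    cmp -s "$ctl" "$dest/$(basename "$ctl")" ||
        { echo "control file differs in backup" >&2; return 4; }
    # Every ciphertext file must be present and identical in the copy.
    (cd "$src" && find . -type f) | (
        while IFS= read -r rel; do
            cmp -s "$src/$rel" "$dest/$rel" || { echo "mismatch: $rel" >&2; exit 5; }
        done
    ) || return 5
    return 0
}

# Constructed sample vault for a dry run; the contents are placeholders,
# not a real EncFS configuration or real ciphertext.
make_sample_vault() {
    mkdir -p "$1/aB3x" &&
    printf 'placeholder control file\n' > "$1/.encfs6.xml" &&
    printf 'placeholder ciphertext' > "$1/aB3x/Qz9k"
}
```

From the administrator account this would be called as, for example, backup_vault /Users/.zod /Volumes/Backup/zod.encfs, where /Volumes/Backup is a hypothetical backup volume.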

Adding Users

From your admin account you will need to create a user account; this account does not need administrator privileges. Next, open a terminal window and run the setupNewEncfsVaultUser script. This script will prompt you for the user name and other information. Once the script has completed, you can log in to the new account.

Note: When adding a user, the script has to make a backup of that user's data, so make sure you have enough free space in /Users before running the script. I would recommend having 2x the size of the user's home folder.

Example

Once user zod has been added from System Preferences, run the setupNewEncfsVaultUser script. You only need to provide the new username, the new password and your admin password (if required). All the options needed for EncFS are set up by the script; no user interaction is required.

macbook:~ $ setupNewEncfsVaultUser 
Enter the username (shortname):
zod
Enter zod password:
You may be prompted for your current (admin) password.
Backing up zod files
Now create the new EncFS dir and mount it /Users/zod
**************************************************
Configuring Encfs with the follwoing options
cipher algorithms = AES (option 1)
key size = 256
filesystem block size = 512 (default)
encoding algorithms = Block (option 1)
filename initialization vector chaining = yes (default)
per-file initialization vectors = yes (default)
filename to IV header chaining = no (default)
block authentication code headers = no (default)
**************************************************
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> Manual configuration mode selected.
The following cipher algorithms are available:
1. AES : 16 byte block cipher
-- Supports key lengths of 128 to 256 bits
-- Supports block sizes of 64 to 4096 bytes
2. blowfish-compat : algorithm compatible with EncFS 0.2-0.6
-- key length 160 bits
-- block size 64 bytes
Enter the number corresponding to your choice: Selected algorithm "AES"
Please select a key size in bits. The cipher you have chosen
supports sizes from 128 to 256 bits in increments of 64 bits.
For example: 128, 192, 256
Selected key size: Using key size of 256 bits
Select a block size in bytes. The cipher you have chosen
supports sizes from 64 to 4096 bytes in increments of 16.
Or just hit enter for the default (512 bytes)
filesystem block size: Using filesystem block size of 512 bytes
The following filename encoding algorithms are available:
1. Block : Block encoding, hides file name size somewhat
2. Null : No encryption of filenames
3. Stream : Stream encoding, keeps filenames as short as possible
Enter the number corresponding to your choice: Selected algorithm "Block""
Enable filename initialization vector chaining?
This makes filename encoding dependent on the complete path, rather then encoding each path element individually. 
This is normally desireable, therefor the default is Yes. Any response that does not begin with 'n' will mean Yes: 
Enable per-file initialization vectors?
This adds about 8 bytes per file to the storage requirements.
It should not affect performance except possibly with applications
which rely on block-aligned file io for performance.
The default here is Yes. Any response that does not begin with 'n' will mean Yes: 
Enable filename to IV header chaining?
This makes file data encoding dependent on the complete file path.
If a file is renamed, it will not decode sucessfully unless it
was renamed by encfs with the proper key.
If this option is enabled, then hard links will not be supported
in the filesystem.
The default is No. Any response that does not begin with 'y' will mean No: 
Enable block authentication code headers
on every block in a file? This adds about 12 bytes per block
to the storage requirements for a file, and significantly affects
performance but it also means [almost] any modifications or errors
within a block will be caught and will cause a read error.
The default here is No. Any response that does not begin with 'y' will mean No: 
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 256 bits
Block Size: 512 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
**************************************************
Done with EncFS creation
**************************************************
Installing zod files into EncFS Volume
Mark volume as Vault
Unmounting EncFS volume
Finishing the install
Done

Removing Users

From your admin account, make sure that the user's home directory is not mounted by running "sudo umount /Users/<username>". Then remove the EncFS files by running "sudo rm -rf /Users/.<username>"; notice that the username is prefixed with a dot in this step. Now you can remove the user from System Preferences.

Comment by davidsch...@gmail.com, Dec 11, 2009

To uninstall encfsvault while keeping the formerly encrypted user (when upgrading to Snow Leopard, for example), this worked for me. Make sure you have at least as much free space as the size of the encrypted user's home folder. You'll have to run most of this as the superuser (prefixing commands with "sudo ").

#Prompt for the username

read USERNAME

# With the user logged in, decrypt the home folder, then restart

# (Using pbzip2 for compression—change to "bzip2" if it's not installed)

tar -c --use-compress-prog=pbzip2 -f /Users/$USERNAME.tar /Users/$USERNAME && say "Finished decrypting the home folder. Restarting in two minutes." && shutdown -r +2

When the machine is started again:

# Remove the encrypted data (first make sure that the tar archive was made successfully! You'll need to restate the variable too, after the restart)

rm -rf /Users/.$USERNAME

# Move the unencrypted data to the appropriate location

cd / && tar -x --use-compress-prog=pbzip2 -f /Users/$USERNAME.tar

# Change the permissions to the pre-encfsvault state

chmod u=rwX,g=rX,o=r /Users/$USERNAME

# Finally, uninstall encfsvault (I haven't tested this)

encfsVaultCntrl --disable

rm -rv /System/Library/CoreServices/SecurityAgentPlugins/EncfsVault.bundle /usr/local/bin/setupNewEncfsVaultUser /usr/local/bin/encfsVaultCntrl

