Techno Blog Just another Technology Blog

22 May 2011

Encrypt files on Amazon s3 bucket

This article outlines the process for encrypting files before they are copied to an Amazon S3 bucket, using EncFS on top of a FUSE-mounted bucket.

Let's face it: whatever you think of Amazon as a company, the fact is that you do not control this storage, so the only responsible thing to do is to encrypt your data before it leaves your machine. With the setup below the bucket only ever holds ciphertext and encrypted filenames. One caveat to keep in mind: EncFS stores its configuration, including the password-wrapped volume key, in a .encfs6.xml file inside the ciphertext directory, so that file ends up in the bucket too. Anyone who obtains the bucket contents can run offline guesses against the password, so choose a strong one.

  1. First, install encfs

    $ yum --disablerepo=epel install encfs

  2. Make the mount directories

    This assumes that you already have your Amazon S3 bucket mounted on Linux at the mount point /mnt/s3drive. See the Mount Amazon s3 Bucket on Linux post for more information on how to do this. The steps below are run as root, so ~/.crypt is /root/.crypt. Nothing other than root needs to traverse either directory, so 700 would be the tighter choice of mode; 755 is what was used here.

    $ mkdir -m 755 /mnt/s3drive/.crypt

    $ mkdir -m 755  ~/.crypt
    

  3. Create a new encrypted volume

    $ encfs /mnt/s3drive/.crypt ~/.crypt
    Creating new encrypted volume.
    Please choose from one of the following options:
     enter "x" for expert configuration mode,
     enter "p" for pre-configured paranoia mode,
     anything else, or an empty line will select standard mode.
    ?> p
    
    Paranoia configuration selected.
    
    Configuration finished.  The filesystem to be created has
    the following properties:
    Filesystem cipher: "ssl/aes", version 2:1:1
    Filename encoding: "nameio/block", version 3:0:1
    Key Size: 256 bits
    Block Size: 512 bytes, including 8 byte MAC header
    Each file contains 8 byte header with unique IV data.
    Filenames encoded using IV chaining mode.
    File data IV is chained to filename IV.
    
    -------------------------- WARNING --------------------------
    The external initialization-vector chaining option has been
    enabled.  This option disables the use of hard links on the
    filesystem. Without hard links, some programs may not work.
    The programs 'mutt' and 'procmail' are known to fail.  For
    more information, please see the encfs mailing list.
    If you would like to choose another configuration setting,
    please press CTRL-C now to abort and start over.
    
    Now you will need to enter a password for your filesystem.
    You will need to remember this password, as there is absolutely
    no recovery mechanism.  However, the password can be changed
    later using encfsctl.
    
    New Encfs Password:
    Verify Encfs Password:
    

  4. Check the mounted filesystems

    $ df -hP /mnt/s3drive
    Filesystem            Size  Used Avail Use% Mounted on
    fuse                  2.0T     0  2.0T   0% /mnt/s3drive
    
    $ df -hP /root/.crypt
    Filesystem            Size  Used Avail Use% Mounted on
    fuse  
    

  5. Create a file and check the results

    $ touch /root/.crypt/test
    
    $ ls -l /root/.crypt/
    total 0
    -rwxr-xr-x 1 root root 0 Dec 31  1969 test
    
    $ ls -l /mnt/s3drive/.crypt
    total 0
    -rwxr-xr-x 1 root root 0 Dec 31  1969 IwiEvp24IwojdZg,w3Errvmr
    

    Not only are the contents of the file encrypted, but so is the file name. What EncFS does not hide is everything else in that listing: the number of files, their sizes (within the per-file header and per-block MAC overhead listed above), permissions and timestamps are the same on both sides, so someone who can read the bucket still learns the shape of the directory tree and roughly how large each file is. The "Dec 31 1969" timestamp (Unix epoch zero) comes from the underlying S3 FUSE mount and is simply passed through by EncFS.

  6. As you might imagine, the EncFS layer sits on top of the S3 mount, so unmount it first and the S3 filesystem second, the reverse of the order in which they were mounted

    $ fusermount -u /root/.crypt
    
    $ umount /mnt/s3drive
    
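As an added example (not code from the original post), here are the mount and unmount steps above wrapped in a small POSIX shell script that reads /proc/mounts before acting, so that encfs is only mounted when the bucket is really mounted underneath it and is always unmounted before the bucket. It assumes the volume was already created interactively as in step 3, that the password is kept in a root-only local file /root/.encfs_pass read through encfs's --extpass option, and it accepts an optional mounts-table argument (used only to try the check against a constructed sample); the password file, the mounts-table argument and the sample table are assumptions made for this example and do not appear in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: wraps the post's mount and
# unmount steps in a script that checks /proc/mounts before acting, so the
# EncFS layer is only mounted on top of a mounted bucket and is always
# unmounted before the bucket. Paths are the post's; PASS_FILE and the
# optional mounts-table argument are assumptions made for this example.
set -eu

S3_MOUNT=/mnt/s3drive          # bucket mounted over FUSE (see the related post)
CIPHER_DIR=$S3_MOUNT/.crypt    # ciphertext and .encfs6.xml, i.e. what the bucket holds
PLAIN_DIR=/root/.crypt         # plaintext view, present only while encfs is mounted
PASS_FILE=/root/.encfs_pass    # assumed: local disk only, mode 0600, owned by root

# mounted_at <mountpoint> [<mounts-table>]
# Succeeds when <mountpoint> is listed as a mount point in the table
# (default /proc/mounts). Field 2 is compared exactly, so /root does not
# match /root/.crypt and a prefix of a mounted path is not mistaken for one.
mounted_at() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { if (found) exit 0; exit 1 }' \
        "${2:-/proc/mounts}"
}

# Mount the plaintext view over an existing EncFS volume (created
# interactively as in the post). Refuse when the bucket itself is not
# mounted: creating $CIPHER_DIR on an unmounted /mnt/s3drive would put the
# ciphertext on the local disk and silently not in the bucket.
mount_crypt() {
    if ! mounted_at "$S3_MOUNT"; then
        echo "$S3_MOUNT is not mounted; mount the bucket first" >&2
        return 1
    fi
    if mounted_at "$PLAIN_DIR"; then
        echo "$PLAIN_DIR is already mounted" >&2
        return 0
    fi
    # 0700 rather than the post's 755: nothing but root needs either directory.
    mkdir -p -m 700 "$CIPHER_DIR" "$PLAIN_DIR"
    # --extpass runs a command whose stdout is the volume password, so the
    # mount needs no terminal; keep PASS_FILE off the bucket.
    encfs --extpass="cat $PASS_FILE" "$CIPHER_DIR" "$PLAIN_DIR"
}

# Unmount in reverse order: the EncFS layer first, then the bucket. Never
# unmount the bucket while the plaintext view still sits on top of it.
umount_crypt() {
    if mounted_at "$PLAIN_DIR"; then
        fusermount -u "$PLAIN_DIR"
    fi
    if mounted_at "$PLAIN_DIR"; then
        echo "$PLAIN_DIR is still mounted; not unmounting $S3_MOUNT" >&2
        return 1
    fi
    umount "$S3_MOUNT"
}

# Constructed sample of /proc/mounts as it might look after both mounts in
# the post; for exercising mounted_at without mounting anything.
sample_mount_table() {
    printf '%s\n' \
        'rootfs / rootfs rw 0 0' \
        's3fs /mnt/s3drive fuse rw,nosuid,nodev 0 0' \
        'encfs /root/.crypt fuse.encfs rw,nosuid,nodev 0 0'
}

case "${1:-}" in
    mount)  mount_crypt ;;
    umount) umount_crypt ;;
    *)      ;;   # no argument: only define the functions
esac
```

Run it as `sh encfs-s3.sh mount` after mounting the bucket and `sh encfs-s3.sh umount` before unmounting it; with no argument it only defines the functions. Keeping the password in a file trades the interactive prompt for a secret on local disk, which is only acceptable if that disk is itself protected, and the file must never be placed on the S3 mount, where it would sit next to the ciphertext it protects.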

Related Posts

Mount Amazon s3 Bucket on Linux