Yelläks /ˈyæl•eks/

Introduction and Requirements

Somewhere I found step by step instructions, how to automatically compress and encrypt files which are copied into the misty cloudy space of Dropbox. But I am not able to recall, where it was. So I had to “reinvent” the wheel and wrote another manual about how to do it. I assume that you already installed Dropbox successfully. If not, you can download the software from here. The installation is quite easy and does not involve many steps.

These instructions are not limited to Dropbox only. They can be used with any other cloud service that synchronizes directories on your Linux box.

The sequence, in which files are copied into the cloud, has to be in a specific order. First the files are compressed, after which they are encrypted and then uploaded. If they are first encrypted and then compressed, the compression algorithm does not have much chances to reduce the file size since all your text files are, well, a random mix of bits after the encryption step.

There are several tools required to accomplish these tasks: encfs and fusecompress. Both are packages in the standard Debian system. With

# apt-get install encfs fusecompress

they can be installed easily. Then three directories are required:

$ mkdir ~/Dropbox/.encrypted ~/.Dropbox_compressed ~/Dropbox_Encrypted

If a file is copied into ~/Dropbox_Encrypted, it is compressed by fusecompress and stored in ~/.Dropbox_compressed from where encfs picks it up, encrypts it and stores it in ~/Dropbox/.encrypted which is automatically synchronized with the online space since it is in the Dropbox directory. This is done automatically and transparently so that it does not need any user intervention.

fusecompress

To do so, you will have to mount these directories. First ~/.Dropbox_compressed is mounted to compress the data. Execute as normal user

$ fusecompress -o fc_c:bzip2 ~/.Dropbox_compressed/ ~/Dropbox_Encrypted/

As far as I know, you will have to use the absolute path names. fusecompress supports multiple compression algorithms: bzip2, lzo, zlib, lzma, and none. Taken from the manual it says:

Lzo is the fastest, bzip2 has high compression ratio, but it is the slowest, zlib is somewhere between them in terms of speed and compression ratio and lzma has highest compression ratio, it’s compression speed is better than bzip2 and decompression is fast. The none compression method is there for testing only as it doesn’t compress data, it copies the data without any modification (fusecompress’ header is added).

Currently I am using bzip2, but I would like to use lzma due to its higher performance and compression ratios. However in Debian Squeeze the lzma support is not compiled into fusecompress. Since I do not have the time to compile and try out things currently, I am happy with bzip2. To see your supported compression methods type

$ fusecompress

in a terminal window.

If you get an error message stating: fuse: failed to open /dev/fuse: Permission denied, check if your username is included in the group fuse by typing the command groups in the terminal window. If fuse is not mentioned in the list, you have to add yourself to it. Execute as root

# adduser yourUsername fuse

and log out and in again to update the group permissions. After that the command above should work.

If everything worked, you can try and copy a text file into ~/Dropbox_Encrypted/. A listing of this directory will show the file and its original size. Change to ~/.Dropbox_compressed/ and you will find the same file. However the file size is different and should be much smaller.

encfs

Now everything that is copied to ~/.Dropbox_compressed/ shall be encrypted. Before we can continue, you should tell the Dropbox service not to synchronize the encfs configuration file that is automatically created by encfs in the encrypted directory by executing

$ dropbox exclude add ~/Dropbox/.encrypted/.encfs6.xml

encfs will create a small file that contains all your settings. However the critical part is that it also contains your password as a hash value. If you can live with the inconvenience that you have to copy the file to every computer manually, before they can gain access to the encrypted directory or if you are the only person who should have access to it, you should not upload that file.

After that you are ready for the encryption step. Execute as normal user

$ encfs ~/Dropbox/.encrypted/ ~/Dropbox_Encrypted/
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?>

Before creating the encrypted volume, encfs is going to ask lots of questions in the expert mode. Most of the settings require you to read the manual, so the easier but also save alternative is to use the pre-configured paranoia mode by hitting p. After entering and confirming a password, you are all set. If you copy a file into ~/Dropbox_Encrypted/, a new file should show up in ~/Dropbox/.encrypted/ automatically. But since it is encrypted, not only the file itself but also the filename is disguised.

What to do after reboot?

If you reboot your Linux box, the mounted directories are lost and the compression and encryption chain is broken. If you start Dropbox now, the encryption folder looks empty and the Dropbox service will delete all your files that were uploaded into the cloud. You have to ensure that the chain is reestablished, before Dropbox is started. Since I am the only user of my machine, I included a few lines into /etc/rc.local which is executed during startup:

echo "Mounting compression/encFS for Dropbox..."
sudo -u yourUsername fusecompress -o fc_c:bzip2 /home/alefel/.Dropbox_compressed/ /home/alefel/Dropbox_Encrypted/
sudo -u yourUsername encfs /home/alefel/Dropbox/.encrypted/ /home/alefel/.Dropbox_compressed/

The sudo command is required, since the directories should belong to you and not root. If they belong to root, write access is not permitted. Unfortunately encfs requires to type in your password and it asks for it in the console. However if you use Ubuntu then you might probably not even see the prompt and you are immediately forwarded to the graphical login screen. It is not very comfortable to switch back or to make the prompt visible, type in the password, switch back to the graphical login and proceed. But luckily encfs can accept the password also from standard input without prompting. If you are the only user and do not mind the password to be mentioned here in clear text, you can alter the lines above to:

echo "Mounting compression/encFS for Dropbox..."
sudo -u yourUsername fusecompress -o fc_c:bzip2 /home/alefel/.Dropbox_compressed/ /home/alefel/Dropbox_Encrypted/
sudo -u yourUsername echo "yourPassword" | encfs --stdinpass /home/alefel/Dropbox/.encrypted/ /home/alefel/.Dropbox_compressed/

and you are good to go. As an alternative you also might want to try out gnome-encfs or cryptkeeper. But since I like this solution, I did not try them and hence cannot tell anything about them.

Unmounting the directories

First shut down the Dropbox service:

$ dropbox stop

Then you can unmount the directories by typing

$ fusermount -u ~/.Dropbox_compressed
$ fusermount -u ~/Dropbox_Encrypted