Automount an Encrypted Filesystem inside Dropbox

Download and set up Dropbox on your system: Get Dropbox

For the encrypted filesystem I'm using EncFS, which is a FUSE filesystem, so we'll need to install MacFUSE via: Download MacFUSE

And if it's not already installed, you'll need MacPorts: MacPorts Install Guide

Then start by making sure MacPorts is up to date, then install EncFS:

port -v selfupdate
port -v install encfs

Now we need to create the encrypted filesystem. Run this as the user who owns the Dropbox (not root):

# This is where your encrypted files will be stored and synced to Dropbox
mkdir ~/Dropbox/encrypted-ct
# This is your decrypted view of the FS, where you'll interact with your files
mkdir ~/encrypted-pt
# Create the filesystem
encfs ~/Dropbox/encrypted-ct ~/encrypted-pt
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
> p
New encfs Password:

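Select a password for your filesystem. We'll use OS X's keychain to store the password so we can auto-mount the filesystem on boot. In the command below, replace "password" with the password you chose; typing it on the command line also leaves it in your shell history.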

security add-generic-password -a $(whoami) -s EncFS -w password

Then the following command should grab it back out:

security find-generic-password -gs EncFS 2>&1 >/dev/null | cut -d'"' -f2

Now we'll throw together a script to mount the filesystem for us without having to type in the password. I put the following in a script under ~/bin:

mkdir ~/bin
vim ~/bin/encfsd.sh

Paste the following into the file, fixing up the values of ENCFS, ENCDIR, and DECDIR:

#!/bin/bash

ENCFS="/opt/local/bin/encfs"
ENCDIR="$HOME/Dropbox/encrypted-ct/"
DECDIR="$HOME/encrypted-pt/"

function cleanup {
  # Kill sleep command ($! is PID of last command launched in background)
  kill $!
  umount "$DECDIR"
  exit
}
trap cleanup 1 2 3 6 15

# This is a bit of a hack, but appears to be the most compatible way between Linux and Mac
# Check if DECDIR and its parent are on the same filesystem; if so, we haven't mounted yet
if [ "$(df -h "$DECDIR")" == "$(df -h "$DECDIR/..")" ] ; then
  # security -g prints the password line on stderr, so send stderr down the pipe and drop stdout
  security find-generic-password -gs EncFS 2>&1 >/dev/null | cut -d'"' -f2 | "$ENCFS" -S "$ENCDIR" "$DECDIR"
else
  echo "Something is already mounted on $DECDIR"
  exit 1
fi

# Wait for exit
while true; do
  # Sleeping ignores normal signals so start it in a subprocess and wait for it
  sleep 3600 &
  wait
done

Make it executable:

chmod u+x ~/bin/encfsd.sh

To run the script at login we'll create a LaunchAgent. Create the following file:

vim ~/Library/LaunchAgents/com.xensoft.encfsd.plist

And paste in the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.xensoft.encfsd.plist</string>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/westlund2/bin/encfsd.sh</string>
    </array>
</dict>
</plist>

Make sure to fix up the path of the encfsd.sh script and off you go! Now every time you log in you should have your encrypted filesystem automatically mounted for you.
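
Anything under the Dropbox folder is synced, so the plaintext mount point has to stay outside it, and the LaunchAgent runs encfsd.sh at every login, so that script should be writable only by you. The following preflight script checks both; it is an added example, not part of the original post, and its function names and the file name preflight.sh are hypothetical.

```bash
#!/bin/bash
# Added example, not from the original post. Function names are hypothetical.

# Print the physical path of directory $1 (symlinks resolved); fail if missing.
realdir() ( CDPATH= cd -- "$1" 2>/dev/null && pwd -P )

# Succeed if directory $1 is directory $2 or lies somewhere beneath it.
is_inside() (
  child=$(realdir "$1") || exit 2
  parent=$(realdir "$2") || exit 2
  case "$child/" in
    "${parent%/}"/*) exit 0 ;;
    *) exit 1 ;;
  esac
)

# Succeed if $1 is writable by group or others (same find syntax on macOS and Linux).
loosely_writable() {
  [ -n "$(find -L "$1" -maxdepth 0 \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Args: Dropbox root, ciphertext dir, plaintext mount point, launch script.
# Prints one line per problem and returns non-zero if any was found.
preflight() (
  rc=0
  is_inside "$2" "$1" || { echo "ciphertext dir is not inside Dropbox: $2"; rc=1; }
  [ -d "$3" ] || { echo "plaintext mount point is missing: $3"; rc=1; }
  if is_inside "$3" "$1"; then
    echo "plaintext mount point is inside Dropbox and would be synced: $3"; rc=1
  fi
  if [ ! -f "$4" ] || loosely_writable "$4"; then
    echo "launch script is missing or writable by group/others: $4"; rc=1
  fi
  exit "$rc"
)

# Example (preflight.sh is a hypothetical file name):
#   bash preflight.sh ~/Dropbox ~/Dropbox/encrypted-ct ~/encrypted-pt ~/bin/encfsd.sh
if [ "$#" -eq 4 ]; then
  preflight "$@"
fi
```

Because the paths are resolved with pwd -P, a plaintext mount point that is only a symlink into the Dropbox folder is reported as well.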


edit: Things have moved along a bit since I last tackled this. The same basic strategy works, but here are some tweaks:

MacFUSE has been replaced by OSXFUSE (http://osxfuse.github.io/). It can be installed with a MacFUSE compatibility layer, which I believe EncFS still relies upon.

If you want a slick interface for mounting your FUSE filesystems (including EncFS with the plugin below), you can try Macfusion (http://macfusionapp.org/).

If you want to use EncFS with the Macfusion plugin and you installed EncFS using MacPorts, you'll need to make a symlink so the plugin can find the executable it's looking for:

# ln -s /opt/local/bin /usr/local/bin # Assuming you don't have a /usr/local/bin already, the plugin will look for the encfs binary under here

Then the EncFS Plugin (http://code.google.com/p/encfs-macfusion2/downloads/list) should install. With that you should be able to hit the "Plus" icon in Macfusion and add a new or existing EncFS filesystem. You can tweak the mount point of the plain text side under the Macfusion tab.

And if you haven't already, go to Finder > Preferences and check the box to display "Connected Servers"; otherwise some of these mounted filesystems are hard to find.