How to configure EncFS on OSX 10.10 (Yosemite)

With EncFS it’s possible to keep our data in almost any cloud (Dropbox, OneDrive, etc…) with a good level of privacy and security. In fact, EncFS encrypts and decrypts our data automatically. It’s available for Linux as well and, using a commercial solution (that is currently unsupported), even on Windows.

Installing EncFS

EncFS can be installed from brew. If you don’t have the brew package manager installed on OSX, you can install it using this command:

After brew, you need to install OSXFuse from this website http://osxfuse.github.io

Finally you can install encfs using this command:

Configuring the encrypted folder

Now that EncFS is installed, you can either mount an existing EncFS volume or create a new one. In both cases the command is the same:

If you are mounting an existing encrypted volume, you will be prompted for the password. If you are creating a new encrypted volume you will be asked some questions about EncFS parameters.

Note: if it’s important for you to keep compatibility with BoxCryptor Classic (in case you want to use the same volume under Windows), please refer to this other article I wrote: https://www.andreagrandi.it/2014/09/12/create-an-encfs-volume-compatible-with-boxcryptor-classic/

Mount the encrypted volume on startup

First of all you need to save the volume’s password inside the OSX keychain. Open the app Keychain Access and create a new entry with name encfs and account value encfs, then write your password and click Add:


Once the password is saved, open a text editor, paste this script and save it as encfs_mount.sh inside your $HOME folder:

Make it executable:

Open AppleScript Editor, paste this text inside and save it as an app in the $HOME folder:


Finally, open “System Preferences” -> “Users & Groups” and add the previously saved application.
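The script itself is not reproduced on this page, so the following is an added example (not the author's original encfs_mount.sh) of a mount script that takes the password from the Keychain item created above. It assumes the ~/Dropbox/Private and ~/Private directories this article uses; the function names, the PATH line and the `mount` argument guard are illustrative choices.

```bash
#!/bin/bash
# Added example, not the author's original encfs_mount.sh.
# Assumed layout: ciphertext in ~/Dropbox/Private, decrypted view at ~/Private,
# Keychain item with name (service) "encfs" and account "encfs".
ENCRYPTED_DIR="${ENCRYPTED_DIR:-$HOME/Dropbox/Private}"
MOUNT_POINT="${MOUNT_POINT:-$HOME/Private}"
KEYCHAIN_SERVICE="encfs"
KEYCHAIN_ACCOUNT="encfs"
# Assumption: brew put encfs in /usr/local/bin, which login items may lack in PATH.
PATH="/usr/local/bin:$PATH"

# Command that EncFS itself runs to obtain the password. `-w` prints only the
# secret, so it is never stored in this file or passed as an argument.
extpass_command() {
    printf 'security find-generic-password -s %s -a %s -w' \
        "$KEYCHAIN_SERVICE" "$KEYCHAIN_ACCOUNT"
}

# Reads `mount` output on stdin; succeeds if a filesystem is mounted on $1.
is_mounted() {
    grep -qF -- " on $1 ("
}

mount_volume() {
    # Fail instead of letting encfs prompt to create a volume at login.
    if [ ! -d "$ENCRYPTED_DIR" ]; then
        echo "encrypted directory $ENCRYPTED_DIR not found" >&2
        return 1
    fi
    mkdir -p "$MOUNT_POINT" && chmod 700 "$MOUNT_POINT" || return 1
    # Mounting twice would fail, so do nothing when the view is already there.
    if mount | is_mounted "$MOUNT_POINT"; then
        return 0
    fi
    encfs --extpass="$(extpass_command)" "$ENCRYPTED_DIR" "$MOUNT_POINT"
}

# Only act when called as `encfs_mount.sh mount`.
if [ "${1:-}" = "mount" ]; then
    mount_volume
fi
```

The first time it runs, macOS asks whether `security` may read the Keychain item; allowing it permanently is what lets the mount happen unattended at login.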


Final notes

At this point encfs is configured to be mounted at startup and to save the encrypted files inside Dropbox. Please note: do not save anything directly in ~/Dropbox/Private, because files written there bypass EncFS and are synced unencrypted; only read and save your files through ~/Private.


Why I completely switched this website to HTTPS (and why you should do the same)

I must admit it, there was a time when I was not using HTTPS, not even to protect the admin section of the website. This means that anyone could have intercepted the password and published (or deleted) things in my name. A couple of years ago I started protecting my admin section using an SSL certificate. I hadn’t done it before for a couple of reasons: my hosting was on a provider that required a lot of money (something like 100$/year) to enable SSL support, plus an SSL certificate cost at least 100-120$/year.

When I migrated my website to my own VPS on DigitalOcean I finally discovered that StartSSL was giving free class 1 certificates and I immediately got one. I made the mistake of serving just the admin pages using HTTPS, not the whole website. I regretted this decision after reading a couple of articles explaining how some internet providers were changing served HTTP pages by injecting their own ads or banners. That was unacceptable to me and I switched the whole website to HTTPS.

Basically, if you don’t serve even your personal website using HTTPS, someone could change the page while it’s being transferred to the requester. Imagine you have (like me) a page on your blog that lets people download your public PGP key. Users could be served a different key, so someone else would be able to decrypt a message intended for you only. Scary, isn’t it?

If you need more information about how to request a StartSSL certificate and how to install it on Nginx/Apache, I can suggest this nice tutorial: https://konklone.com/post/switch-to-https-now-for-free

If you need to serve a WordPress website, that configuration is not enough. In that case you may want to have a look at my own Nginx configuration, available at this address: https://gist.github.com/andreagrandi/5de9dc9c4eb7e732764c

P.S.: if you are curious to try how a Digital Ocean VPS works and fancy 10$ credit (enough for 2 months if you choose the basic droplet) for free, use this link and enjoy it: https://www.digitalocean.com/?refcode=cc8349e328a5

Create an EncFS volume compatible with BoxCryptor Classic

If you are planning to share an encrypted volume between Linux/OSX and Windows (I will assume you are sharing it on Dropbox, but you could use any similar service) and you are using EncFS under Linux/OSX and BoxCryptor under Windows, there are some specific settings to use when you create the EncFS volume. In fact, even if BoxCryptor claims to be “encfs compatible”, it’s not 100% compatible.

Suppose you want to create an encrypted volume located at $HOME/.TestTmpEncrypted and mounted at $HOME/TestTmp; you need the following command:

Answer “Y” when you are asked if you want to create the folders:

At this point you will need to select between default paranoia mode or advanced mode. Please choose the advanced one (x):

Manual configuration mode selected.

Select 256 as key size:

Choose 1024 as block size:

Select Stream as filename encoding:

Do NOT enable filename initialization vector chaining:

Do NOT enable per-file initialization vectors:

Do NOT enable external chained IV:

Do NOT enable random bytes to each block header:

Enable file-hole pass-through:

Finally you will see:

At this point set a passphrase for your new volume:

You should be able to mount this volume using BoxCryptor.
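To confirm afterwards that a volume really was created with these answers, they can be compared with the .encfs6.xml file that EncFS writes in the root of the encrypted folder. The script below is an added example, not part of the original article; the function names and the sample configuration are constructed, and the mapping from prompts to XML elements is given in its comments.

```bash
#!/bin/sh
# Added example: check an EncFS .encfs6.xml against the answers listed above.
# Usage: check_boxcryptor_compat "$HOME/.TestTmpEncrypted/.encfs6.xml"

# Print the text of the first <tag>...</tag> element found in file $2.
xml_value() {
    sed -n "s:.*<$1>\(.*\)</$1>.*:\1:p" "$2" | head -n 1
}

# Print one line per setting that differs; return non-zero if any differs.
check_boxcryptor_compat() {
    cfg=$1
    bad=0
    # Prompt -> element: key size -> keySize, block size -> blockSize,
    # filename IV chaining -> chainedNameIV, per-file IV -> uniqueIV,
    # external chained IV -> externalIVChaining,
    # random bytes in block header -> blockMACRandBytes,
    # file-hole pass-through -> allowHoles.
    for pair in keySize=256 blockSize=1024 chainedNameIV=0 uniqueIV=0 \
                externalIVChaining=0 blockMACRandBytes=0 allowHoles=1; do
        tag=${pair%%=*}
        want=${pair#*=}
        got=$(xml_value "$tag" "$cfg")
        if [ "$got" != "$want" ]; then
            echo "$tag: expected $want, found ${got:-nothing}"
            bad=1
        fi
    done
    # The filename encoding is the <name> element inside <nameAlg>.
    if ! grep -q '<name>nameio/stream</name>' "$cfg"; then
        echo "nameAlg: expected nameio/stream"
        bad=1
    fi
    return $bad
}

# Constructed sample (not a real volume), reduced to the fields the check reads.
sample_config() {
    cat <<'EOF'
<cfg>
  <nameAlg><name>nameio/stream</name><major>2</major><minor>1</minor></nameAlg>
  <keySize>256</keySize>
  <blockSize>1024</blockSize>
  <uniqueIV>0</uniqueIV>
  <chainedNameIV>0</chainedNameIV>
  <externalIVChaining>0</externalIVChaining>
  <blockMACRandBytes>0</blockMACRandBytes>
  <allowHoles>1</allowHoles>
</cfg>
EOF
}
```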

How to fix encfs installation on OSX 10.9 (Mavericks) and brew

After upgrading from OSX 10.8.x to 10.9 (Mavericks), the encfs recipe is broken. First of all you have to fix a problem with a library header:

then you can install encfs using this remote brew recipe:

It’s also possible that you have to fix fuse4x installation before being able to use encfs (I had to do it):

That’s it! Please note that this is just a workaround (thanks to Giovanni Bajo for suggesting the symlink fix to me). Please also note that this recipe uses the fuse4x library and not the more up-to-date osxfuse (but it works, anyway). Some other users reported to me that there is a fix for the original brew recipe, and this one uses osxfuse. You can find it here https://gist.github.com/defunctzombie/7324625 but I haven’t tested it yet.

Update: to fully integrate encfs with OSX, I also suggest following this nice guide: http://www.maketecheasier.com/install-encfs-mac/

How to fix a WordPress website hacked by “zend_framework” malware

I admit it. This website, like thousands of others, has been hacked! I still have to identify the precise source of the attack, but I’ve found out that it is very common. I was able to discover the attack just because the dashboard of WordPress stopped working. I decided to investigate and I found this string at the top of every .php file: http://pastebin.com/k0iQymRy

Just googling I discovered that I was not alone http://stackoverflow.com/questions/16963818/server-hacked-on-wordpress-files

How to fix this?

The best solution would be to restore the files from a valid backup, but sometimes this is not possible. Here comes a handy bash solution (note: you need to be able to access your hosting with an SSH shell to execute this command): http://pastebin.com/V3nFwwtZ