Fix encfs under OSX after upgrading to 10.11.2

Posted on Wed 09 December 2015 in HowTo, OSX • Tagged with bug, encfs, security

After having upgraded OSX to 10.11.2 on my MacBook, I noticed that my encfs volume didn't mount after reboot. I tried to run the script manually and all I got was this error:

dyld: Symbol not found: __ZN5boost7archive17xml_iarchive_implINS0_12xml_iarchiveEE13load_overrideERNS0_15class_name_typeEi
  Referenced from: /usr/local/Cellar/encfs/1.8.1/lib/libencfs.6.dylib
  Expected in: /usr/local/lib/libboost_serialization-mt.dylib
in /usr/local/Cellar/encfs/1.8.1/lib/libencfs.6.dylib

I quickly found that was a common problem caused by a new version of Boost being installed:

To fix it, you just need to reinstall encfs using this command

brew reinstall -s encfs

How to configure EncFS on OSX 10.10 (Yosemite)

Posted on Sun 11 October 2015 in HowTo, OSX, Sicurezza • Tagged with cloud, encfs, encryption, OSX, security

With EncFS it's possible to keep our data in almost any cloud (Dropbox, OneDrive, etc...), having a good level of privacy and security. Infact EncFS encrypt and decrypt our data automatically. It's available for Linux as well and using a commercial solution (that is currently unsupported) even on Windows.

Installing EncFS

EncFS can be installed from brew. If you don't have brew package manager installed on OSX you can install it using this command:

ruby -e "$(curl -fsSL"

After brew, you need to install OSXFuse from this website

Finally you can install encfs using this command:

brew install homebrew/fuse/encfs

Configuring the encrypted folder

Now that EncFS is installed, you can either mount an existing EncFS volume or create a new one. In both cases the command is the same:

encfs ~/Dropbox/Private ~/Private

If you are mounting an existing encrypted volume, you will be prompted for the password. If you are creating a new encrypted volume you will be asked some questions about EncFS parameters.

Note: if it's important for you to keep compatibility with BoxCryptor Classic (in case you want to use the same volume under Windows), please refer to this other article I wrote:

Mount the encrypted volume on startup

First of all you need to save the volume's password inside the OSX keychain. Open the app Keychain Access and create a new entry with name encfs and account value encfs, then write your password and click Add:


Once the password is saved, open a text editor and paste this script and save it as inside your \$HOME folder:

# Secure EncFS Dropbox mounter by Daniel Widerin <[email protected]>


mount | grep $TARGET >/dev/null
[[ "$?" -eq "0" ]] && /usr/sbin/diskutil unmount $TARGET

if [ ! -d $TARGET ]; then
echo "Create new mountpoint $TARGET"
mkdir $TARGET
chmod 0700 $TARGET

$ENCFS $SOURCE $TARGET --extpass="security 2>&1 >/dev/null find-generic-password -gl '$KEYCHAIN_PASSWORD' |grep password|cut -d \\\" -f 2" -ovolname=$VOLUME_TITLE

Make it executable:

chmod +x ~/

Open AppleScript editor and paste this text inside and save as an app in the \$HOME folder:

apple script

do shell script "$HOME/"

Finally, open "System Preferences" -> "Users & Groups" and add the previously saved application.

system preferences

Final notes

At this point encfs is configured to be mounted at startup and to save the encrypted files inside Dropbox. Please note: do not save anything directly on ~/Dropbox/Private, only read and save your files from ~/Private


Create an EncFS volume compatible with BoxCryptor Classic

Posted on Fri 12 September 2014 in HowTo, Linux, Sicurezza • Tagged with boxcryptor, dropbox, encfs

If you are planning to share an encrypted volume between Linux/OSX and Windows (I will assume you are sharing it on Dropbox, but you could use any similar service) and you are using EncFS under Linux/OSX and BoxCryptor under Windows, there are some specifig settings to use when you create the EncFS volume. Infact even if BoxCryptor claims to be "encfs compatible", it's not 100%.

Suppose you want to create an encrypted volume located at $HOME/.TestTmpEncrypted and mounted at $HOME/TestTmp you need the following command:

encfs ~/.TestTmpEncrypted ~/TestTmp

answer "Y" when you are asked if you want to create the folders:

The directory "/home/andrea/.TestTmpEncrypted/" does not exist. Should it be created? (y,n) y
The directory "/home/andrea/TestTmp" does not exist. Should it be created? (y,n) y

At this point you will need to select between default paranoia mode or advanced mode. Please choose the advanced one (x):

Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?> x

Manual configuration mode selected.

Select AES as cypher algorithm:

The following cypher algorithms are available:
1. AES : 16 byte block cipher
-- Supports key lengths of 128 to 256 bits
-- Supports block sizes of 64 to 4096 bytes
2. Blowfish : 8 byte block cypher
-- Supports key lengths of 128 to 256 bits
-- Supports block sizes of 64 to 4096 bytes

Enter the number corresponding to your choice: 1

Selected algorithm "AES"

Select 256 as key size:

Please select a key size in bits. The cypher you have chosen
supports sizes from 128 to 256 bits in increments of 64 bits.
For example:
128, 192, 256
Selected key size: 256

Using key size of 256 bits

Choose 1024 as block size:

Select a block size in bytes. The cypher you have chosen
supports sizes from 64 to 4096 bytes in increments of 16.
Alternatively, just press enter for the default (1024 bytes)

filesystem block size:

Using filesystem block size of 1024 bytes

Select Stream as filename encoding:

The following filename encoding algorithms are available:
1. Block : Block encoding, hides file name size somewhat
2. Null : No encryption of filenames
3. Stream : Stream encoding, keeps filenames as short as possible

Enter the number corresponding to your choice: 3

Selected algorithm "Stream""

Do NOT enable filename initialization vector chaining:

Enable filename initialization vector chaining?
This makes filename encoding dependent on the complete path,
rather then encoding each path element individually.
The default here is Yes.
Any response that does not begin with 'n' will mean Yes: no

Do NOT enable per-file initialization vectors:

Enable per-file initialization vectors?
This adds about 8 bytes per file to the storage requirements.
It should not affect performance except possibly with applications
which rely on block-aligned file io for performance.
The default here is Yes.
Any response that does not begin with 'n' will mean Yes: no

Do NOT enable external chained IV:

External chained IV disabled, as both 'IV chaining'
and 'unique IV' features are required for this option.
Enable block authentication code headers
on every block in a file? This adds about 12 bytes per block
to the storage requirements for a file, and significantly affects
performance but it also means [almost] any modifications or errors
within a block will be caught and will cause a read error.
The default here is No.
Any response that does not begin with 'y' will mean No: no

Do NOT enable random bytes to each block header:

Add random bytes to each block header?
This adds a performance penalty, but ensures that blocks
have different authentication codes. Note that you can
have the same benefits by enabling per-file initialisation
vectors, which does not come with as great a performance
Select a number of bytes, from 0 (no random bytes) to 8: 0

Enable file-hole pass-through:

Enable file-hole pass-through?
This avoids writing encrypted blocks when file holes are created.
The default here is Yes.
Any response that does not begin with 'n' will mean Yes: yes

Finally you will see:

Configuration finished. The filesystem to be created has
the following properties:
Filesystem cypher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/stream", version 2:1:2
Key Size: 256 bits
Block Size: 1024 bytes
File holes passed through to ciphertext.

At this point set a passphrase for your new volume:

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.

New Encfs Password:
Verify Encfs Password:

You should be able to mount this volume using BoxCryptor.

How to fix encfs installation on OSX 10.9 (Mavericks) and brew

Posted on Fri 08 November 2013 in HowTo, OSX, Sicurezza • Tagged with cloud, encfs, encryption, fuse4x, OSX, security

After upgrading from OSX 10.8.x to 10.9 (Mavericks), encfs recipe is broken. First of all you have to fix a problem with a library header:

sudo ln -s /usr/include/sys/_endian.h /usr/include/sys/endian.h

then you can install encfs using this remote brew recipe:

brew reinstall

It's also possible that you have to fix fuse4x installation before being able to use encfs (I had to do it):

sudo /bin/cp -rfX /usr/local/Cellar/fuse4x-kext/0.9.2/Library/Extensions/fuse4x.kext /Library/Extensions
sudo chmod +s /Library/Extensions/fuse4x.kext/Support/load_fuse4x

That's it! Please note that this is just a workaround (thanks to Giovanni Bajo for suggesting me the symlink fix). Please also note that this recipe uses fuse4x library and not the most updated osxfuse (but it works, anyway). Some other users reported me that there is a fix for the original brew recipe, and this one uses osxfuse. You can find it here but I haven't tested it yet.

Update: to fully integrate encfs with OSX, I also suggest to follow this nice guide