EncFS Encrypted Filesystem


EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. You can find links to source and binary releases below. EncFS is open source software, licensed under the GPL.

As with most encrypted filesystems, Encfs is meant to provide security against off-line attacks; ie your notebook or backups fall into the wrong hands, etc. The way Encfs works is different from the “loopback” encrypted filesystem support built into the Linux kernel because it works on files at a time, not an entire block device. This is a big advantage in some ways, but does not come without a cost.

See also the extended introduction page if you are new to EncFS.

If you need help, please use the encfs-users mailing list

Slides from talk: In July 2005 I gave a presentation of EncFS at the Libre Software Meeting in France. Slides are available as PDF, or with last-minute changes in OpenOffice presentation format.


  • FUSE : 2.6 or newer for the latest EncFS 
  • rlog : a C++ logging library (also by me - see also rlog
  • OpenSSL - versions 0.9.6 through 0.9.8 have been tested
  • boost : C++ utility library 1.34 or later

Warning: OpenSSL versioning is messy.  Lots of changes occur even in minor letter updates (eg 0.9.8c -> 0.9.8d).


EncFS prompts the user for information, primarily when creating a new filesystem. EncFS prompts have been translated into many languages by volunteers. If your native language is not already supported, or only partially translated, please consider adding more translations online using the Rosetta interface

Bug Reporting

Please report bugs or feature requests here.

Download links and Release notes

Since the loss of Freshmeat, there is no longer an announcement site.  A low volume mailing list may be created for this purpose.

See also the encfs man page (installed with encfs), or here

Note: Downloads are signed with my PGP key (2EAF4D80). RPM files have an embedded signature, and tar files have a detached signature (.asc). If you have a PGP key and have verified other’s keys, you can check for a chain of trust at PGP Pathfinder.

In addition to the releases below, the latest code is also from GitHub.  

EncFS 1.7.4 -- November 18, 2010


Change Log

  • add new IV initialization mode to foil watermark attack - see this 2010-08 analysis.  The old IV setup is kept for backwards compatibility.
  • enables per-block random bytes feature to be used independently of per-block MAC.  Per-block random bytes (or MAC) is a workaround for issue #3 in the 2010-08 report above.
  • 1.7.1 is the same as 1.7.0, but fixed missing header file in previous tarball.
  • 1.7.2 fixes issues with passing certain mount options introduced in 1.7.0.
  • 1.7.3 fixes bug with --reverse option setting which causes files to be stored incorrectly.
  • 1.7.4 fixes chmod issue introduced in 1.7.3, affecting chmod usage in --public option.

Older releases:

1.6.0 (June 17, 2010) Change Log

  • allow symlink times to be modified.
  • try to maintain modtime during rename. Patch by p.kosseff.
  • fix compiler errors from gcc 4.x.
  • many build improvements for Mac OSX.
  • add commands to help script filesystem creation.
  • add multi-argument support to encfsctl encode/decode commands.  Patch by Nikratio.
  • support for boost > 1.41 (tested with boost 1.42 & boost 1.43).

1.5.0 (September 7, 2008) Change Log

Features / improvements:

  • support GCC 4.3 compiler (issue 1)
  • add new key derivation using OpenSSL's PBKDF2 with variable iteration count and 160 bit salt.  Note that existing filesystems created by version 1.4.2 (using the XML config format) will be converted to use PBKDF2 automatically if the password is changed via encfsctl.  The iteration count will be chosen to take approximatly 1/2 a second to compute in standard mode, or 3 seconds in paranoia mode.
 Bug fixes:
  • fixes for xattr calls on MacOS (issue 4 & 7)
  • fix build error with RLog 1.4

1.4.2 (April 13, 2008) Change Log

Features / improvements:

  • add option to pass-through file 'holes'.  Only available in expert mode. (launchpad 202200)
  • config file format changed to XML via boost serialization (config file is now .encfs6.xml)

Bug fixes:

  • remove ulockmgr support, caused numerous locking issues. (launchpad 184966, 200685)
  • fix symlink handling in encfsctl export (launchpad 201974)
  • fix stdinpass option parsing, reported by Scott Hendrickson
  • fix path suffix in encfsctl (January 15, 2008) Change Log

Bug fixes:

1.4.1 (January 12, 2008) Change Log 

Features / improvements: 

  • add new options from 1.4.0 to man page

Bug fixes:

  • return unencrypted link size on fstat of a symbolic link, otherwise git fails when working with symbolic links.  Reported by Daniel Clemente
  • chop off trailing newline from passwords passed via --stdinpass option (Launchpad bug 182214), patch by mpb.


1.4.0 (January 6, 2008) Change Log

Features / improvements: 
  • add on-demand mount option.  Combined with external password prompting & idle timeout, this allows user to be prompted for a password when filesystem is accessed.
  • reverse-encryption support by Keary Griffin, which produces an encrypted filesystem on-demand - useful in combination with rsync for creating a remote encrypted backup. 
  • run external password program via shell to allow passing arguments, patch by Liraz
  • pass through -o options to FUSE, for mounting through fstab (Launchpad bug 108649)
  • add -h option to encfssh, patch by Ryan Smith-Roberts

Bug fixes:

  • fix failure to undo a failed directory rename (Launchpad bug 160214)
  • don't close stderr when running in foreground 

Other Changes:

  • Update to libfuse 2.6 API, adding lock support through ulockmgr.
  • Replaced internal reference counting implementation with Boost C++ Library eliminating some complex (and potentially buggy) locking code.

Additional Resources / Third-Party Sites

EncFS Links

Third-party Links