4.22 Protect remote files by encryption

Note: File encryption in TRAMP is experimental, don’t use it in production systems!

Sometimes, it is desirable to protect files located on remote directories, like cloud storages. In order to do this, you might instruct TRAMP to encrypt all files copied to a given remote directory, and to decrypt such files when accessing. This includes both file contents and file names.

TRAMP does this transparently. Although both file contents and file names are encrypted on the remote side, they are accessible inside Emacs as if they had not been transformed at all.

Internally, TRAMP uses the encfs package. Therefore, this feature is available only if this package is installed on the local host. TRAMP does not keep an ‘encfs mountpoint’ permanently. Instead, it encrypts / decrypts files and file names on the fly, using encfsctl.

Command: tramp-crypt-add-directory name

This command marks the existing remote directory name for encryption. Files in that directory and all subdirectories will be encrypted before copying to, and decrypted after copying from, that directory. File and directory names will also be encrypted.

User Option: tramp-crypt-encfs-option

If a remote directory is marked for encryption, it is initialized via encfs the very first time a file in this directory is accessed. This user option controls which default encfs configuration set is selected; it can be "--standard" or "--paranoia". See the ‘encfs(1)’ man page for details.

However, TRAMP must adapt these configuration sets. The chainedNameIV configuration option must be disabled; otherwise TRAMP couldn’t handle file name encryption transparently.

A password protected encfs configuration file is created the very first time you access an encrypted remote directory. It is kept in your user-emacs-directory with the url-encoded directory name as part of the basename, and encfs6.xml as suffix. If you, for example, mark the remote directory /nextcloud:user@host:/path/to/dir for encryption, the configuration file is saved as tramp-%2Fnextcloud%3Auser%40host%3A%2Fpath%2Fto%2Fdir%2F.encfs6.xml in user-emacs-directory. Do not lose this file and the corresponding password; otherwise there is no way to decrypt your encrypted files.

User Option: tramp-crypt-save-encfs-config-remote

If this user option is non-nil (the default), the encfs configuration file .encfs6.xml is also kept in the encrypted remote directory. It is up to you whether you regard the password protection of this file as sufficient. The advantage is that such a remote directory can be accessed from different Emacs sessions and by different users, without presharing the configuration file between them.

The command encfsctl, the workhorse for encryption / decryption, needs the configuration file password on every call. Therefore, it is recommended to cache this password in Emacs. This can be done using auth-sources, see Using an authentication file. An entry needs the url-encoded directory name as machine, your local user name as user, and the password. The port is optional; if given, it must be the string "crypt". The example above would require the following entry in the authentication file ("yourname" is the result of (user-login-name)):

machine %2Fnextcloud%3Auser%40host%3A%2Fpath%2Fto%2Fdir%2F \
        login yourname port crypt password geheim
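The steps above (choosing the encfs configuration set, marking the directory, locating the local configuration file, and caching the password) put together in one init-file fragment. This is an added example, not code from the TRAMP manual or from TRAMP itself. It assumes encfs is installed locally, that the feature is provided by the tramp-crypt library, that the remote directory /nextcloud:user@host:/path/to/dir exists, and that url-hexify-string applied to the directory name with a trailing slash yields the same encoding the manual shows; the helpers my-crypt-config-file and my-crypt-password-cached-p are hypothetical names introduced here.

```elisp
;; Added example; not part of the TRAMP manual.
(require 'tramp)
(require 'tramp-crypt)          ; assumption: the feature lives in tramp-crypt.el

;; Select the encfs configuration set before the directory is touched for
;; the first time; it only matters when the encfs6.xml is first created.
(setq tramp-crypt-encfs-option "--paranoia")

;; Keep the (password protected) configuration file only on the local
;; host, so the remote directory does not carry its own key material.
;; Set to t if other sessions/users must open the directory without
;; presharing the file.
(setq tramp-crypt-save-encfs-config-remote nil)

(defvar my-crypt-dir "/nextcloud:user@host:/path/to/dir"
  "Remote directory to keep encrypted (constructed example value).")

;; Mark the directory; from now on copies into it are encrypted.
(tramp-crypt-add-directory my-crypt-dir)

(defun my-crypt-config-file (dir)
  "Return the expected local encfs configuration file for DIR.
Assumes the name is \"tramp-\" + url-encoded DIR (with trailing
slash) + \".encfs6.xml\" inside `user-emacs-directory'.  Back this
file up: without it and its password the data is unrecoverable."
  (expand-file-name
   (concat "tramp-"
           (url-hexify-string (file-name-as-directory dir))
           ".encfs6.xml")
   user-emacs-directory))

(defun my-crypt-password-cached-p (dir)
  "Non-nil if auth-sources has a password entry for encrypted DIR.
Looks up machine = url-encoded DIR, login = local user, port = crypt;
without such an entry encfsctl prompts on every call."
  (auth-source-search
   :host (url-hexify-string (file-name-as-directory dir))
   :user (user-login-name)
   :port "crypt"
   :max 1))

;; Usage (evaluate interactively):
;; (my-crypt-config-file my-crypt-dir)
;;   => ".../tramp-%2Fnextcloud%3Auser%40host%3A%2Fpath%2Fto%2Fdir%2F.encfs6.xml"
;; (my-crypt-password-cached-p my-crypt-dir)
;;   => non-nil once the auth-source entry from the manual exists
```

The trailing slash added by file-name-as-directory is what produces the final %2F in the encoded name; without it the computed file name and auth-source machine would not match the ones TRAMP uses.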

If you use a remote file name with a quoted localname part, this localname and the corresponding file will not be encrypted / decrypted. If you have an encrypted remote directory /nextcloud:user@host:/path/to/dir, the command

C-x d /nextcloud:user@host:/path/to/dir

will show the directory listing with the plain file names, and the command

C-x d /nextcloud:user@host:/:/path/to/dir

will show the directory listing with the encrypted file names, and visiting a file will show its encrypted contents. However, it is highly discouraged to mix encrypted and unencrypted files in the same directory.

Command: tramp-crypt-remove-directory name

This command should be used to indicate that files in name should no longer be encrypted. Existing encrypted files and subdirectories will remain encrypted.