1. Anything is better than no encryption at all
    Even though I consider the following points quite important, they really are just things you should be aware of. For example, I certainly wouldn't have encrypted all my devices if I had to enter my password each time or even click some additional button. The Gnome Encfs Manager can automatically mount and unmount the stashes on removable devices without any user activity, so it absolutely makes no difference whether they are encrypted or not. Just decide for yourself how much privacy you want for which data.
  2. Disable tracking and indexing
    Most desktop environments and applications are indexing / tracing / caching etc. all of your actions and files nowadays. Such mechanism are the natural enemy of privacy and encryption. It's normally a nice thing to have, but you don't want that for your private data. That's why I recommend to have only one folder (I use ~/Encfs) which contains all mount points (I also have my stashes in there because it is just a waste of time if your system indexes encrypted files and folders). It's easier to exclude one folder from indexing than to configure all of them separately. To sum it up, users of Nepomuk should take a look at "Customize index folders..." found in the file indexing settings and Zeitgeist-users, well, I don't really know. Ubuntu has a "Privacy"-panel in the system settings where you can exclude some folders from tracking. It's kind of minimalistic but seems to work ;-) IIRC, Ubuntu also enables mlocate by default. Does someone know whether the privacy settings affect that as well? (It's always among the first things I uninstall everywhere hence I am not really familiar with it)
  3. Use a sand-boxed environment
    Unfortunately most applications don't respect privacy settings and still cache data wherever they can. Especially file managers tend to cache lots of data. Again, it's normally a nice thing to have, but you don't want that for your private data. Have you ever wondered, why the Gnome Encfs Manager didn't have an "open in file manager when mounted"-option for a long time? There you have the reason. Of course you could use xdg-open "$MOUNT_DIR" as the post_mount_command if you really wanted do do that, but the ability to execute custom commands / scripts when mounting and unmounting allowed for better solutions. Actually #01 convinced me in the end to add it nevertheless. However, I recommend the usage of some scripts to set up and destroy a fitting environment to work with your mounted stashes. (For some inspiration, you can can take a look at my "cnemo"-script)
  4. Use the keyring wisely
    The Gnome Encfs Manager allows you to save the passwords for your stashes inside the keyring which is automatically unlocked when you log into your desktop. While this is undoubtedly convenient and practical for data you put on the internet (cloud-folders etc.) it might not be a good idea the save the passwords there when you want to protect the data from the people around you. Recent versions of GEncfsM allow the usage of separate keyrings through the variable "keyring_name" and you might want to use this option when you store the passwords for you devices etc.
  5. Unmount unused stashes
    As long as your stashes are mounted, they are not save! While this point is probably only relevant for stashes for which you didn't save the password in the keyring, it is something you should keep in mind. Even though the probability is rather low that someone unauthorized gets access to your computer, it's better to be on the save side and to keep at least your passwords and important documents always locked away and only mount them for a short amount of time when needed.

To be continued and please don't hesitate to leave your comments.

14 Responses to “Some things you should be aware of when working with encrypted folders”

  1. zed
    June 4th, 2013 at 08:40

    concerning point 3 i just symlink .thumbnails to /tmp and voila, all thumbnails disappear at reboot with no trace on disk.

  2. Florin
    March 31st, 2014 at 19:10

    Hello, could you please teach me how to properly use “keyring_name” ?
    I have this configuration.
    I have moved the xml file in the Documents folder

    encfs_config_file: .encfs6.xml

    keyring_name: /home/user/Documents

    But stil can’t mount it.
    (Linux Mint 16 – Cinnamon)
    Please help.

  3. Moritz
    March 31st, 2014 at 19:16

    keyring_name sets the keyring in which the password is saved. What you actually want to do is to set the variable encfs_config_file from “.encfs6.xml” to “/home/user/Documents/.encfs6.xml”.

    Regards, Moritz

  4. Florin
    April 1st, 2014 at 11:52

    thank you for the quick response
    I tried something similar but it did not work like “/home/User/Documents/Document/Encryption/Blablabla”…
    I think the path is too long
    now with xml file in Documents, it works!
    Thank you very much!!

  5. Jim
    August 13th, 2014 at 17:24

    I installed gnome-encfs-manager with Ububti 14.04, started it, got the GUI and accessed a stash OK, but after a shutdown and restart gnome-encfs-manager is running in the back ground and I am unable to get the GUI back. There is no task bar icon.

    How do I wake it up?

  6. Jim
    August 13th, 2014 at 17:25

    Sorry about the spelling. S/B Ubuntu.

  7. Moritz
    August 13th, 2014 at 18:21

    GEncfsFM starts in the tray once it is configured.
    You can disable that behaviour in a terminal with
    gnome-encfs-manager set_pref start_minimized=false

  8. J. Joao
    August 16th, 2014 at 08:00

    You saved my day
    “gnome-encfs-manager set_pref start_minimized=false”

  9. Florent V.
    November 11th, 2014 at 13:49

    Hi, i have spent hours trying to figure out how to “display” the gui when using gnome encfs, but when you are on Arch with Gnome-shell and you did not install appindicator: no systray icon by default! and since it was started minimized.. nothing was displayed at all.

    But with the command: gnome-encfs-manager set_pref start_minimized=false
    the application window is displayed when starting.

    Thank you Moritz, i think you should add this trick in the docs somewhere.

    Edit: also, for those having issues with the mountpoint missing the first caracter in the gui you have to use double slash // in front of it. Example:

    path to dir: /home/me/documents/crypted
    mount point: //home/me/documents/decrypted

    otherwise you will end-up with an error message from encfs daemon saying that you have to use absolute path with the ‘/’ because, i dont know if it comes from gnome manager or encfs, but the first letter gets “eaten” sometimes.(encfs 1.7.4 / GEncfsM 1.8.12)


  10. Moritz
    December 20th, 2014 at 00:03

    @Florent V.
    When using Gnome Shell, the icon should sit in the messages bar which is accessible via Super+M.

    The missing first character might be related to https://bugs.launchpad.net/gencfsm/+bug/1275723
    Unfortunately I was never able to reproduce this hence I couldn’t fix it.

  11. bookwrk
    July 11th, 2015 at 12:10

    I have a big problem . I have deleted the path of my encrypted and mount direcotry
    (no warning while deleting the path any users can delete this path its a big BUG)
    path to dir: /home/me/documents/crypted
    mount point: //home/me/documents/decrypted

    from the manager. but the encrypted directory exists, i only deleted the path.

    Do you know how i can mount the this encrypted directory to a new directory? urgent!!

  12. Uwe Brauer
    March 31st, 2017 at 10:46


    I use the login method, which mounts my 3 secret folders.

    But then I unmount before I copy to an USB. (otherwise what is the point of encrypting)

    The question is. After the coping, how can I remount, without typing the password for
    each directory, when I do it manually?

    or in other words: how can I use the login method again, without logout and login?

    Uwe Brauer

  13. Nirav Chhayani
    December 18th, 2019 at 03:22

    I forgot my password. Is there any way to reset the password or recover the data?

Leave a Comment

I respect your privacy
I don't run any trackers on this site.

Your questionable browsing-history should remain between you and the NSA ;-)