On older (rooted) Android versions, Cryptonite was a great solution to mount EncFS encrypted folders, but on my new Android KitKat phone with an emulated storage, that fails.
I can successfully mount the encrypted folder in /storage/emulated/legacy onto another folder in /storage/emulated/legacy, but then the decrypted files are not visible to other apps. How do I mount an EncFS folder the right way?
The problem turns out to be a new security feature in KitKat. Apps by default have their own mount namespace, which means that mounts created by one app are not visible to a different app.
Secondly, Android phones without a real SD card use emulation for the fake SD card, and that gave me some problems.
SuperSU from Chainfire has an option to access the root mount namespace that allows a program to mount filesystems and have them visible to all other programs. Unfortunately, Cryptonite doesn't know about this option. One solution is to interpose a script before the encfs binary that Cryptonite uses.
You will need a root shell to run these commands, probably from a computer using adb to connect to your phone over USB. (But using a terminal app could also work.)
Move to the cryptonite data directory:
Note the Cryptonite user id:
ll -d -n .
This will give output similar to
drwxr-x--x 11 10133 10133 4096 Feb 14 23:51 .
The 10133 is the user id of Cryptonite (the second copy is the Cryptonite group id, but that should be the same).
Create a folder to store the original encfs binary in, and give it the right ownership
mkdir original
chown 10133:10133 original
(replace the 10133 with the user id Cryptonite has on your phone)
Move the original encfs away
mv encfs original/
Create a script named encfs to interpose for the real encfs. I prefer to use the nano command for this, but you could also create the file in a different way and move it using the command
cp /path/to/encfs/replacement/file/here /data/data/csh.cryptonite/encfs
Put the following content into the replacement encfs script
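#!/system/bin/sh
# Path of the real encfs binary that was moved aside
cmd=/data/data/csh.cryptonite/original/encfs
# Rewrite emulated-storage paths to the underlying /data/media location
for param in "$@"
do
    replaced=`echo "$param" | sed 's:^/storage/emulated/:/data/media/:'`
    cmd="$cmd $replaced"
done
# -mm: run in the root mount namespace so the mount is visible to all apps
su -mm -c $cmd
Save the file with ctrl-x (volume down + x on some terminal emulator apps), answer y to save.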
Make the replacement script executable
chmod +x encfs
Set the right owner
chown 10133:10133 encfs
(Again replace the 10133 with the user id Cryptonite has on your phone)
That should be it. Mounting an encfs folder from /storage/emulated/0/ onto a different folder in /storage/emulated/0 should work now.
What it does
The replacement script does two things: replace paths to folders from /storage/emulated/something to the actual place where the emulated SD card data is stored, and call the real encfs in the root mount namespace so that the mounted encfs folder is visible to all apps.
Changing the folder paths is necessary because for some reason mounting on the emulated SD card doesn't work (at least for me). The emulated SD card in fact stores its data in /data/media/0. By mounting on the actual storage location the SD card emulation layer doesn't need to know that there is a different filesystem involved.
Directly mounting a file on /data/media/0 from Cryptonite doesn't work because the Cryptonite app doesn't have access to that folder, so the replacement script changes the paths of the mountpoint and encrypted folder to point to the underlying SD card storage.
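Added example, not part of the answer above and not Cryptonite's or SuperSU's code: the interposer builds its command by plain string concatenation, so a folder name containing a space or a shell metacharacter is re-parsed by the root shell that su starts. This variant applies the same path rewrite but single-quotes every argument first. It assumes su accepts the whole command as one string after -c, and the helper names shquote and build_cmd are hypothetical.

```shell
#!/bin/sh
# Added example: quoting-safe variant of the answer's interposer script.
# On the phone the first line would be #!/system/bin/sh, as in the answer.
REAL_ENCFS=/data/data/csh.cryptonite/original/encfs   # path taken from the answer

# Wrap one argument in single quotes so the root shell that su starts
# re-parses it as exactly one word (spaces, ;, &, $ and ' stay literal).
shquote() {
    # The trailing "x" keeps $(...) from stripping trailing newlines.
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# Build the command string for su -c: same path rewrite as the answer,
# but each argument is quoted before it is appended.
build_cmd() {
    cmd=$(shquote "$REAL_ENCFS")
    for param in "$@"; do
        case $param in
            /storage/emulated/*) param=/data/media/${param#/storage/emulated/} ;;
        esac
        cmd="$cmd $(shquote "$param")"
    done
    printf '%s\n' "$cmd"
}

if [ "${0##*/}" = encfs ]; then
    # Installed as the interposer: run the real binary in the root mount namespace.
    exec su -mm -c "$(build_cmd "$@")"
else
    # Run under any other name: print the command for constructed sample paths.
    build_cmd "/storage/emulated/0/Bob's vault" "/storage/emulated/0/plain text"
fi
```

Saved under any name other than encfs, the script only prints the command string it would hand to su, which makes it easy to check the quoting before installing it.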
I have no problems mounting containers with the EDS app; it works correctly with all Android versions.