A walk outside the sandbox

Home Blog Cheat Sheets MacOS Tips Area 51 About

Store Encrypted Files on Google Drive




We’ll use the Grive Linux client for Google Drive and EncFS to create a ‘safe’ in the cloud, inside Google Drive and mount it locally:

1. Install Grive

~ sudo add-apt-repository ppa:nilarimogard/webupd8
~ sudo apt-get update
~ sudo apt-get install grive

2. Usage

Create a working folder :

~ mkdir ~/grive
~ cd ~/grive/

Initial setup will require an authorization token from Google. Paste the link generated by the following command into the browser, get the token and paste it into the application:

~ grive -a

Synchronization of all the files in the cloud:

~ grive

3. Create an encrypted safe

For this I’ve used EncFS to create an encrypted filesystem inside the folder for the Google Drive:

~ apt-get install encfs
~ mkdir -p ~/grive/safe
~ mkdir -p ~/safe

Mount the encrypted safe to a decrypted folder (equivalent to opening the safe). If EncFS cannot find a filesystem at the specified location, it will create a new encrypted file system there.

~ encfs ~/grive/safe/ ~/safe/

I’ve used the paranoia mode for the initial setup - AES-256, PBKDF2, 160 bit salt, External IV Chaining (More details about the settings in the man page). To verify that it was mounted correctly:

~ df -hT
encfs        fuse.encfs  455G  232G  200G  54% /home/liv/safe


To test the whole setup:

~ cd ~/safe/
~ echo "secret" > test.txt
~ cat test.txt
~ ls ~/grive/safe/

Unmount the encrypted volume (close the safe):

~ sudo fusermount -u ~/safe


  • Issue #1: EncFS uses a file named .encfs6.xml to define the encrypted storage settings. This hidden file is not synchronized by Grive.

Solution: Get a patched version of Grive or rename the file and store it on Google Drive. After synchronizing Grive on another machine, rename the encfs6.xml file to .encfs6.xml.

  • Issue #2: Permission denied for /dev/fuse for the current user.
fusermount: failed to open /dev/fuse: Permission denied

Solution: Add the current user to the fuse group:

~ usermod -aG fuse 
~ reboot