credfs – Protect your plaintext credentials

As promised here comes the distribution of credfs source code. To use it, just unpack it somewhere, cd to the credfs directory, run ./ and follow the instructions.

You will need FUSE, libcryptopp and libarchive in your system and specify appropriate include/library directives in the Makefile. The one that comes with the distribution is tuned for MacPorts on OSX with OSXFUSE.

./ will ask you to name the files you want to protect, then list the binaries which are supposed to be able to access it and then if everything works as expected (compilation of support tools) dedicated config.cpp and data.cpp will be generated upon which a credfs binary will be built.

Now as long as you’re logged in as yourself you can run ./credfs <mountpoint> to mount your encrypted filesystem. Then you can check that only authorized binaries will ever be able to open and read the file.

As you can see it’s a pretty easy and painless process. If only user detection was more reliable on any UN*X OS. But it’s a nontrivial issue of course… and would require limitation of root user access (probably using something like SELinux or other mandatory access control mechanism).

Anyway, enjoy this piece of software because to date it’s the easiest way to quickly secure your Samba credentials for usage with /etc/fstab or directly mount.cifs.


And once again, this one is cordially dedicated to Sara.


  • Has anyone succeeded in compiling this on 64-bit Red Hat Linux? I’ve tried to compile it on a RHEL5 and a RHEL6 box, and running ./ fails with:

    Compiling necessary tools…
    g++ prep_aes.cpp -o prep_aes
    In file included from /usr/include/fuse/fuse.h:26,
    from /usr/include/fuse.h:9,
    from prep_aes.cpp:35:
    /usr/include/fuse/fuse_common.h:32:2: error: #error Please add -D_FILE_OFFSET_BITS=64 to your compile flags!
    make: *** [prep_aes] Error 1
    Tools compilation failed. Unable to continue…

    I have already updated the #include statements in prep_aes.cpp and prep_sha.cpp.

    Where should I insert the -D_FILE_OFFSET_BITS=64 compile flag? Unzipping the source code file doesn’t present me with a Makefile, so I’m not sure where this flag should go.

    • Dang this is strange. Normally there should be a Makefile. I’ll take another look at the source code and post an update.

Leave a Reply

Your email address will not be published. Required fields are marked *