THC’s encrypted cloud based file system

The Hacker's Choice
Jun 16 · 2 min read
Image for post
Image for post


It’s a bash script. It adds a new file system to your local computer. All data is locally encrypted (including the file name). The encrypted data (and only that!) is stored in the cloud. The data remains secure even if the cloud server is compromised. It does not need root or superuser privileges. No need to run your own server. It feels like a normal directory with all the encryption and cloud-synchronisation happening in the background. All you need is the bash script (literally). It’s one single command to add and use a file system:

$ erfs mount aDe5F2ik3x35x7pfAEAWdC5Y ~/secure


The bash script makes use of two existing tools: sshfs and EncFS. Please read the Technical Details for more information.

A securely mounted remote filesystem is called an ‘ERFS’ (pronounced Örfz): Encrypted Remote File System.

The bash-script is available from

THC runs this as a service and provides the server side and data storage for free. However, there is a detailed explanation of how to run your own server. The server comes as a Docker-Container for rapid deployment on any of the major cloud platforms.

Why you need ERFS

  1. It allows you to share a file with somebody you do not know or do not trust anonymously. Both parties simply mount the same ERFS and un-mount it when done.
  2. During pen(-testing) you may need a 0day at the front-line or send logs back to HQ. Using ERFS makes this easier: Mount the same ERFS at the forward deployment and at HQ and exchange data seamlessly.
  3. It does not require any key management or key infrastructure. It is super easy to use thanks to the Deterministic Key Derivation method (like bitcoin uses for HD-wallets).


All key material is created on your local computer. No keys are ever sent or stored on the server. It uses Deterministic Key Derivation (like Bitcoin does).

The server does not need to be trusted. The data remains secure even if the server gets compromised.

All source code is public (GitHub).


I get 8–12 Mbit/sec upload and 20–30 Mbit/sec download speeds. It’s about 10% slower than just using sshfs without EncFS on top.

Join us on Telegram:

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store