encfs on CentOS 6 can’t mount as normal user
EncFS Permission Denied Error for Non-Root Users
When trying to mount an encrypted EncFS directory as a normal user, you may encounter this error:
$ encfs -s ~/t/.enc ~/t/enc
EncFS Password:
fuse: failed to exec fusermount: Permission denied
fuse failed. Common problems:
- fuse kernel module not installed (modprobe fuse)
- invalid options -- see usage message
Even though the same command works fine when run as root, regular users get a permission denial. This is a FUSE (Filesystem in Userspace) access control issue, not a missing module or configuration problem.
Root Cause
EncFS relies on FUSE to create encrypted virtual filesystems. By default, FUSE operations require either root privileges or membership in the fuse group. Since root can perform any operation, encfs works without restriction. Regular users need explicit permission to use the FUSE device.
Solution: Add User to fuse Group
To enable a normal user to mount EncFS directories, add them to the fuse group:
sudo usermod -a -G fuse username
Replace username with the actual username. The -a flag appends to existing groups without removing the user from other groups.
After adding the user to the fuse group, the user must log out and log back in (or start a new shell session) for group membership changes to take effect.
Verify group membership with:
id username
You should see fuse listed in the groups output.
Verify FUSE Permissions
Check that the FUSE device has proper permissions:
ls -la /dev/fuse
You should see output similar to:
crw-rw-rw- 1 root fuse 10, 229 Jan 15 10:23 /dev/fuse
The rw permissions for the group allow fuse group members to access the device.
Testing EncFS
Once the user is in the fuse group and has logged back in, mounting should work:
encfs ~/t/.enc ~/t/enc
EncFS Password:
No sudo required. To verify the mount was successful:
mount | grep encfs
ls ~/t/enc
Alternative: Using fusermount with sudo
If you need a temporary solution or prefer not to modify group membership, you can grant sudo access to fusermount specifically:
Add this line to sudoers (via sudo visudo):
username ALL=(ALL) NOPASSWD: /usr/bin/fusermount, /usr/bin/fusermount3
However, this still requires the user to run encfs with sudo, which is less convenient and less secure than using group membership.
Troubleshooting
If the error persists after adding the user to the fuse group:
- Verify the fuse package is installed: rpm -q fuse fuse-libs on RHEL/CentOS/Rocky Linux
- Check if fusermount3 exists: Modern systems use fusermount3. Verify with which fusermount3
- Confirm SELinux isn’t blocking access: Check sudo audit2allow -a for denied operations
- Test with a fresh login: SSH in as the user in a new session rather than using su or sudo su
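The group and device checks above, combined into one diagnostic, as an added example that is not part of the original article (the function names are hypothetical). It separates a group that is only recorded in the group database (what id username reports) from one the running session actually carries (what plain id reports), and also tests whether fusermount, the helper named in the error message, is executable by the current session.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the article.
# has_group "<space-separated group names>" <group>: exit 0 if listed
has_group() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# membership_state "<session groups>" "<database groups>" [group]
#   active  - the running session already carries the group
#   relogin - usermod recorded the group, but this session predates it
#   missing - the user was never added
membership_state() {
    grp=${3:-fuse}
    if has_group "$1" "$grp"; then echo active
    elif has_group "$2" "$grp"; then echo relogin
    else echo missing
    fi
}

# can_rw <ls mode, e.g. crw-rw----> <owner> <group> <user> "<session groups>"
# Only one permission class applies: owner first, then group, then other.
can_rw() {
    if [ "$4" = "$2" ]; then cols=2-3
    elif has_group "$5" "$3"; then cols=5-6
    else cols=8-9
    fi
    [ "$(printf %s "$1" | cut -c"$cols")" = "rw" ]
}

# Live report for the current session on this host.
fuse_report() {
    me=$(id -un)
    # plain `id` = this process; `id <user>` = fresh group database lookup
    echo "fuse group: $(membership_state "$(id -Gn)" "$(id -Gn "$me")")"
    if [ -e /dev/fuse ]; then
        set -- $(ls -l /dev/fuse)   # $1 mode, $3 owner, $4 group
        if can_rw "$1" "$3" "$4" "$me" "$(id -Gn)"; then echo "/dev/fuse: rw ok"
        else echo "/dev/fuse: no rw for this session"; fi
    fi
    # fusermount is the helper named in the error message
    fm=$(command -v fusermount || command -v fusermount3) || fm=
    if [ -n "$fm" ] && [ -x "$fm" ]; then echo "$fm: executable"
    else echo "fusermount: missing or not executable by this session"; fi
}
if [ "${1:-}" = "--report" ]; then fuse_report; fi
```

Run it with --report as the affected user; a relogin result means the usermod step succeeded and only a new login session is needed.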
Security Considerations
Adding users to the fuse group grants permission to mount user-space filesystems, which can be a security concern in multi-tenant environments. Users can mount arbitrary FUSE filesystems that could potentially affect system performance or access. For production systems with strict security requirements, consider using mandatory access control policies via SELinux or AppArmor instead.