I don't think there is anything really sensitive in the .encfs6 (currently named, used to be .encfs5) file, the salt & iterations primarily stop rainbow tables, and may help slightly with a dictionary attack, but if you're using a dictionary word as a passphrase that's what really should change.
Even PGP/GPG encrypted files have the salt & count easily visible, adding -vv will reveal them before the passphrase is asked for:

    $ gpg -vv sample.gpg
    :symkey enc packet: version 4, cipher 9, s2k 3, hash 2
        salt x0x0x0x0x0x0x0x0, count 99999 (99)
    gpg: AES256 encrypted data
    ...
If there were really a security concern with having such data easily visible, PGP/GPG would certainly be doing things differently.
Your efforts may be better spent finding a program to read & use the passphrase stored on a smart card/token, even automatically typing it into any clicked-on window may work, or a macro or similar?
Slightly related: The .encfs6 config file should definitely be backed up somewhere safe, if it were lost then you'd have to try guessing the salt & parameters to get back into your encrypted files, even knowing the passphrase it's not a simple quick task to recover access.
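
The points above about the visible salt and the need for a backup, as an added example that is not part of the original post: it reads the plaintext KDF parameters from a constructed config and shows that the same passphrase with a different salt yields an unrelated key. Assumptions: the element names follow the EncFS 1.x XML config layout, the values are made up, and the derivation is simplified to plain PBKDF2-HMAC-SHA1 producing only the key bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: trimmed to the KDF-related fields, values are made up.
# Element names are assumed to match the EncFS 1.x XML config layout.
SAMPLE_CONFIG = """<boost_serialization signature="serialization::archive" version="7">
  <cfg class_id="0" tracking_level="0" version="20">
    <keySize>256</keySize>
    <saltLen>20</saltLen>
    <saltData>AAECAwQFBgcICQoLDA0ODxAREhM=</saltData>
    <kdfIterations>150000</kdfIterations>
  </cfg>
</boost_serialization>"""


def read_kdf_params(xml_text):
    """Return the KDF parameters stored unencrypted in the config."""
    cfg = ET.fromstring(xml_text).find("cfg")
    salt = base64.b64decode(cfg.findtext("saltData"))
    if len(salt) != int(cfg.findtext("saltLen")):
        raise ValueError("saltLen does not match decoded saltData")
    return {
        "salt": salt,
        "iterations": int(cfg.findtext("kdfIterations")),
        "key_bytes": int(cfg.findtext("keySize")) // 8,
    }


def derive_key(passphrase, params, salt=None):
    """Derive key bytes from the passphrase; salt overrides the stored one."""
    # Simplified assumption: PBKDF2-HMAC-SHA1, key bytes only (no IV material).
    use_salt = params["salt"] if salt is None else salt
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), use_salt,
                               params["iterations"], dklen=params["key_bytes"])


if __name__ == "__main__":
    p = read_kdf_params(SAMPLE_CONFIG)
    print("salt:", p["salt"].hex(), "iterations:", p["iterations"])
    stored = derive_key("correct horse battery staple", p)
    # Same passphrase, but the config was lost and the salt is guessed wrong.
    guessed = derive_key("correct horse battery staple", p, salt=bytes(20))
    print("key with stored salt :", stored.hex())
    print("key with guessed salt:", guessed.hex())
```
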