LinuxCommandLibrary

cryfs

Encrypt files in a mounted filesystem

TLDR

Mount an encrypted filesystem; on the first execution the initialization wizard is started

$ cryfs [path/to/cipher_dir] [path/to/mount_point]

Unmount an encrypted filesystem
$ cryfs-unmount [path/to/mount_point]

Automatically unmount after ten minutes of inactivity
$ cryfs --unmount-idle [10] [path/to/cipher_dir] [path/to/mount_point]

List supported ciphers
$ cryfs --show-ciphers

SYNOPSIS
cryfs <encrypted_dir> <mount_point> [options]

cryfs --unmount <mount_point>

cryfs --unmount-all

cryfs --help

cryfs --version

PARAMETERS

--allow-other
    Allows users other than the mounter to access the filesystem. Requires user_allow_other in /etc/fuse.conf.

-c, --config
    Specifies an alternative configuration file for the CryFS volume.

--cipher-file
    Specifies an alternative cipher file for advanced key management.

-f, --foreground
    Runs CryFS in the foreground; useful for debugging.

-o, --options
    Passes comma-separated FUSE-specific mount options (e.g., ro, default_permissions).

--unmount
    Unmounts the specified CryFS volume.

--unmount-all
    Unmounts all currently mounted CryFS volumes.

--volume-key
    Provides the volume key directly, bypassing interactive password prompt (use with caution).

--help
    Displays a help message and exits.

--version
    Prints the CryFS version information and exits.

DESCRIPTION

CryFS is a free and open-source encrypted filesystem built on FUSE (Filesystem in Userspace). It is designed to protect data stored in cloud services by encrypting not only file contents but also metadata such as filenames, file sizes and directory structure. Unlike older solutions such as EncFS, CryFS mitigates these metadata leaks and so provides a higher level of privacy. It works with two directories: a hidden, encrypted directory (the "root directory") that holds the actual encrypted blocks, and a "mount point" at which the decrypted, readable view is presented. When files are written to the mount point, CryFS encrypts them and stores the resulting blocks in the root directory; reading files reverses this process. This makes it a robust way to protect sensitive data without relying on the cloud provider's encryption, ensuring that only you can access your information.

CAVEATS

Performance Overhead: Encryption and decryption add significant overhead, making CryFS noticeably slower than direct disk access, especially with numerous small files or high I/O.
Password Security: The strength of your data's protection entirely depends on the robustness of your chosen passphrase. A weak passphrase renders encryption ineffective.
Proper Unmounting: It is critical to unmount the CryFS volume correctly (e.g., using cryfs --unmount or fusermount -u) before system shutdown or removal of underlying storage. Improper unmounting can lead to data corruption.
Configuration Files: The cryfs.config file, stored within the encrypted directory, is essential for mounting the volume. Losing or corrupting this file can make your data irrecoverable. Ensure it is backed up if not handled automatically by your cloud sync.
FUSE Dependency: CryFS relies on the FUSE kernel module and user-space utilities to function, which must be installed and properly configured on the system.
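Two of these caveats, the cryfs.config backup and the clean unmount, lend themselves to a small script. The helpers below are an added example and are not code from the CryFS project or from this page: one keeps a verified, owner-only copy of cryfs.config, the others consult the mount table so that the unmount step is only ever applied to a path that really is a CryFS mount. The mount-table format (filesystem type fuse.cryfs in /proc/mounts), the function names and the sample table used in the comments are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the CryFS project: helpers for two of the caveats
# above, keeping a verified copy of cryfs.config and unmounting only volumes
# that are really mounted.
# Assumption (not stated on the page): a mounted CryFS volume is listed in
# /proc/mounts with filesystem type "fuse.cryfs". The mount table path is a
# parameter so the parser can be run against a constructed table.

# cryfs_backup_config BASEDIR BACKUPDIR
# Copies BASEDIR/cryfs.config to a timestamped file in BACKUPDIR and proves the
# copy is byte-identical. Prints the backup path.
# Returns 0 on a verified copy, 1 if no config exists, 2 if verification fails.
cryfs_backup_config() {
    basedir=$1; backupdir=$2
    src="$basedir/cryfs.config"
    [ -f "$src" ] || { echo "no cryfs.config in $basedir" >&2; return 1; }
    mkdir -p "$backupdir"
    dst="$backupdir/cryfs.config.$(date +%Y%m%dT%H%M%S)"
    # The config is what makes the volume mountable: keep the copy owner-readable only.
    cp "$src" "$dst" && chmod 600 "$dst" || return 2
    # Byte-for-byte comparison; a truncated or mid-sync copy does not pass.
    cmp -s "$src" "$dst" || { echo "backup of $src did not verify" >&2; return 2; }
    printf '%s\n' "$dst"
}

# cryfs_list_mounts [MOUNTTABLE]
# Prints the mount point of every CryFS volume in the table (default /proc/mounts).
# Note: /proc/mounts encodes spaces in paths as \040; such paths are not decoded here.
cryfs_list_mounts() {
    awk '$3 == "fuse.cryfs" { print $2 }' "${1:-/proc/mounts}"
}

# cryfs_is_mounted MOUNTPOINT [MOUNTTABLE]
# Returns 0 only if MOUNTPOINT is exactly one of the listed CryFS mount points.
cryfs_is_mounted() {
    cryfs_list_mounts "${2:-/proc/mounts}" | grep -Fqx -- "$1"
}

# cryfs_safe_unmount MOUNTPOINT
# Flushes pending writes, then unmounts with cryfs-unmount, falling back to
# fusermount -u when cryfs-unmount is not installed. Refuses paths that are not
# CryFS mounts, so a typo cannot unmount some other filesystem.
cryfs_safe_unmount() {
    mnt=$1
    cryfs_is_mounted "$mnt" || { echo "$mnt is not a mounted CryFS volume" >&2; return 1; }
    sync
    if command -v cryfs-unmount >/dev/null 2>&1; then
        cryfs-unmount "$mnt"
    else
        fusermount -u "$mnt"
    fi
}

# Typical use before shutdown or before detaching the underlying storage:
#   cryfs_backup_config ~/.cryfs_base ~/cryfs-config-backups && cryfs_safe_unmount ~/secure
```

The backup path includes a timestamp so repeated runs keep older copies rather than overwriting the only good one; the verification step matters most when the base directory sits in a sync folder, where a file can be read while the sync client is still rewriting it.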

INITIAL SETUP

The first time cryfs is run on a new pair of directories, it will interactively prompt for a new passphrase and optionally a salt to create the encrypted filesystem. This passphrase is fundamental for subsequent mounts and data access.

USAGE WITH CLOUD SYNC

CryFS is designed to work seamlessly with cloud synchronization tools. You place the encrypted root_dir inside your cloud sync folder (e.g., Dropbox, Google Drive), and mount the decrypted view locally. The cloud service only sees the encrypted data, protecting your privacy.
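For the setup and cloud-sync flow described in the two sections above, here is an added example (not code from the CryFS project or this page) of a mount wrapper that avoids the interactive prompt. It reads the passphrase from a file that only its owner can read, sets CRYFS_FRONTEND=noninteractive so that cryfs takes the passphrase on stdin, disables the update check, and refuses to mount a base directory that already contains data but no cryfs.config, because that usually means the sync folder has not finished downloading and cryfs would otherwise create a new, empty volume over the real one. The environment-variable behaviour, the function name and the paths in the comments are assumptions of the example, not statements from the page.

```shell
#!/bin/sh
# Added example, not part of the CryFS project: mount a volume whose base
# directory lives in a cloud-sync folder, without an interactive prompt.
# Assumptions (not stated on the page): with CRYFS_FRONTEND=noninteractive cryfs
# reads the passphrase from stdin and creates a new filesystem when the base
# directory has no cryfs.config; CRYFS_NO_UPDATE_CHECK=true disables its network
# update check; the passphrase file is expected to be readable only by its owner.

# cryfs_mount_from_file BASEDIR MOUNTPOINT PASSFILE
# Returns 0 when cryfs exits successfully, 2 for an over-permissive passphrase
# file, 3 when the base directory looks only partially synced; anything else
# is cryfs's own exit status.
cryfs_mount_from_file() {
    basedir=$1; mountpoint=$2; passfile=$3

    # Refuse a passphrase file that group or others can read (GNU stat first,
    # BSD stat as fallback).
    perm=$(stat -c '%a' "$passfile" 2>/dev/null || stat -f '%Lp' "$passfile" 2>/dev/null)
    case "$perm" in
        600|400) ;;
        *) echo "refusing $passfile: mode '$perm', expected 600 or 400" >&2; return 2 ;;
    esac

    # A base directory that already holds blocks but no cryfs.config is most
    # likely a cloud folder that has not finished syncing. Mounting it now would
    # make cryfs create a fresh, empty filesystem on top of the real data.
    if [ -d "$basedir" ] && [ ! -f "$basedir/cryfs.config" ] && [ -n "$(ls -A "$basedir")" ]; then
        echo "refusing $basedir: data present but cryfs.config missing (incomplete sync?)" >&2
        return 3
    fi

    mkdir -p "$mountpoint" || return 1
    CRYFS_FRONTEND=noninteractive CRYFS_NO_UPDATE_CHECK=true \
        cryfs "$basedir" "$mountpoint" < "$passfile"
}

# Typical use, with the base directory inside the sync folder (paths are illustrative):
#   cryfs_mount_from_file ~/Dropbox/.cryfs_base ~/secure ~/.config/cryfs-pass
```

Passing the passphrase on stdin rather than on the command line keeps it out of the process list and shell history; the permission check is what makes storing it in a file acceptable at all, since the file is then exactly as sensitive as the volume itself.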

HISTORY

CryFS was developed as a modern, more secure alternative to existing FUSE-based encrypted filesystems, particularly addressing metadata leakage issues found in earlier solutions like EncFS. Development began around 2014-2015, driven by the increasing need for robust data encryption for cloud storage services. Its design focuses on strong cryptographic primitives and a block-based encryption approach to minimize information exposure, ensuring higher privacy by obfuscating file sizes, timestamps, and directory structures. This makes it suitable for environments where an adversary might have access to the raw encrypted data.

SEE ALSO

fuse(4), mount(8), fusermount(1), encfs(1), ecryptfs(7)
