cryfs

Create and mount an encrypted filesystem

$ cryfs [path/to/cipher_dir] [path/to/mount_point]

$ cryfs --config [cryfs.config] [cipher_dir] [mount_point]

$ cryfs-unmount [path/to/mount_point]

$ cryfs-change-password [path/to/cipher_dir]

$ cryfs --show-ciphers

$ cryfs -f [cipher_dir] [mount_point]

cryfs [options] cipherdir mountpoint

CryFS is a cryptographic filesystem designed specifically for cloud storage services like Dropbox, Google Drive, or OneDrive. Unlike other encrypted filesystems, CryFS encrypts not just file contents but also file sizes, metadata, and directory structure.
Files are split into fixed-size blocks that are individually encrypted and stored with random names. This prevents cloud providers and attackers from learning anything about your data, including which files changed and how large they are.
The encrypted data is stored in the cipher directory, which can be synced with cloud services. The mount point shows the decrypted view of your files. CryFS uses authenticated encryption with AES-256-GCM by default.

CIPHERDIR_

Directory where encrypted data is stored.

Directory where the decrypted filesystem is mounted.

Use specified configuration file.

Run in foreground instead of daemonizing.

Allow upgrading the filesystem format.

Show available cipher options.

Automatically unmount after idle time.

Write logs to specified file.

~/.cryfs/config

Stores filesystem configuration and cipher settings.

Performance is lower than unencrypted filesystems due to encryption overhead and block-based storage. The cipher directory should be synced, not the mount point. Forgetting the password means permanent data loss. FUSE must be available on the system.

CryFS was created by Sebastian Messmer as his master's thesis project, with the first release in 2015. It was designed to address privacy concerns with cloud storage, providing stronger confidentiality guarantees than traditional encrypted filesystems like EncFS.

encfs(1), gocryptfs(1), veracrypt(1), fusermount(1)