cryfs
Encrypt files in a mounted filesystem
TLDR
Mount an encrypted filesystem. The initialization wizard will be started on the first execution
Unmount an encrypted filesystem
Automatically unmount after ten minutes of inactivity
List supported ciphers
SYNOPSIS
cryfs <encrypted_dir> <mount_point> [options]
cryfs --unmount <mount_point>
cryfs --unmount-all
cryfs --help
cryfs --version
PARAMETERS
--allow-other
Allows users other than the mounter to access the filesystem. Requires user_allow_other in /etc/fuse.conf.
-c
Specifies an alternative configuration file for the CryFS volume.
--cipher-file
Specifies an alternative cipher file for advanced key management.
-f, --foreground
Runs CryFS in the foreground; useful for debugging.
-o
Passes comma-separated FUSE-specific mount options (e.g., ro, default_permissions).
--unmount
Unmounts the specified CryFS volume.
--unmount-all
Unmounts all currently mounted CryFS volumes.
--volume-key
Provides the volume key directly, bypassing the interactive password prompt (use with caution).
--help
Displays a help message and exits.
--version
Prints the CryFS version information and exits.
DESCRIPTION
CryFS is a free and open-source FUSE (Filesystem in Userspace) based encrypted filesystem. It aims to secure data stored in cloud services by encrypting not only file contents but also metadata like filenames, sizes, and directory structure. Unlike older solutions such as EncFS, CryFS mitigates metadata leaks, providing a higher level of privacy. It works by creating a hidden, encrypted directory (the "root directory") where actual encrypted data resides, and then presenting a decrypted, readable view at a specified "mount point." When files are written to the mount point, CryFS encrypts them and stores the blocks in the root directory. Reading files reverses this process. This makes it a robust solution for protecting sensitive data without relying on the cloud provider's encryption, ensuring that only you can access your information.
CAVEATS
Performance Overhead: Encryption and decryption add significant overhead, making CryFS noticeably slower than direct disk access, especially with numerous small files or high I/O.
Password Security: The strength of your data's protection entirely depends on the robustness of your chosen passphrase. A weak passphrase renders encryption ineffective.
Proper Unmounting: It is critical to unmount the CryFS volume correctly (e.g., using cryfs --unmount or fusermount -u) before system shutdown or removal of underlying storage. Improper unmounting can lead to data corruption.
Configuration Files: The cryfs.config file, stored within the encrypted directory, is essential for mounting the volume. Losing or corrupting this file can make your data irrecoverable. Ensure it is backed up if not handled automatically by your cloud sync.
FUSE Dependency: CryFS relies on the FUSE kernel module and user-space utilities to function, which must be installed and properly configured on the system.
INITIAL SETUP
The first time cryfs is run on a new pair of directories, it will interactively prompt for a new passphrase and optionally a salt to create the encrypted filesystem. This passphrase is fundamental for subsequent mounts and data access.
USAGE WITH CLOUD SYNC
CryFS is designed to work seamlessly with cloud synchronization tools. You place the encrypted root_dir inside your cloud sync folder (e.g., Dropbox, Google Drive), and mount the decrypted view locally. The cloud service only sees the encrypted data, protecting your privacy.
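The following wrapper script is an added example, not part of the cryfs project, showing the pre-flight checks the CAVEATS, INITIAL SETUP and USAGE WITH CLOUD SYNC sections call for before handing off to cryfs: an empty, not-yet-mounted mount point; an encrypted directory that is either a fresh one (the initialization wizard will run) or one that still has its cryfs.config; a verified backup of cryfs.config outside the synced folder; and user_allow_other present in /etc/fuse.conf whenever --allow-other is requested. It assumes the config file lives at <encrypted_dir>/cryfs.config, as stated above; the backup directory, the script name and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not cryfs project code): pre-flight checks around mounting and
# unmounting a CryFS volume. Assumptions: the volume's config file is
# <encrypted_dir>/cryfs.config, and the backup directory is a choice of this script.
set -u

# 0 if <dir> is currently a mount point according to /proc/mounts (Linux). Without
# /proc/mounts this returns 1 and the caller relies on the emptiness check only.
is_mounted() {
    dir=$(cd "$1" 2>/dev/null && pwd) || return 1
    [ -r /proc/mounts ] || return 1
    awk -v mp="$dir" '$2 == mp { found = 1 } END { exit !found }' /proc/mounts
}

# 0 if <mount_point> exists, is empty and has nothing mounted on it. Mounting over a
# non-empty directory hides its contents; mounting twice is a frequent source of confusion.
check_mount_point() {
    mp=$1
    [ -d "$mp" ] || return 1
    [ -z "$(ls -A "$mp")" ] || return 1
    if is_mounted "$mp"; then return 1; fi
    return 0
}

# Print a class for <encrypted_dir>: "existing" (has cryfs.config), "new" (empty, cryfs
# will start its initialization wizard), "missing" (not a directory) or "unknown" (files
# present but no cryfs.config: the lost-config case from CAVEATS; never initialize over it).
classify_encrypted_dir() {
    base=$1
    if [ ! -d "$base" ]; then echo missing
    elif [ -f "$base/cryfs.config" ]; then echo existing
    elif [ -z "$(ls -A "$base")" ]; then echo new
    else echo unknown
    fi
}

# Copy cryfs.config to <backup_dir> (keep this outside the cloud-synced folder), verify the
# copy byte-for-byte and print the backup path. Losing this file makes the volume unreadable.
backup_config() {
    base=$1; dest=$2
    [ -f "$base/cryfs.config" ] || return 1
    mkdir -p "$dest" || return 1
    out="$dest/cryfs.config.$(date +%Y%m%d%H%M%S)"
    cp "$base/cryfs.config" "$out" || return 1
    cmp -s "$base/cryfs.config" "$out" || return 1
    echo "$out"
}

# 0 if <fuse.conf> (default /etc/fuse.conf) enables user_allow_other, which --allow-other
# requires. A commented-out line does not count.
fuse_allows_other() {
    conf=${1:-/etc/fuse.conf}
    [ -r "$conf" ] && grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$conf"
}

# safe_mount <encrypted_dir> <mount_point> <backup_dir> [cryfs options...]
safe_mount() {
    base=$1; mp=$2; backups=$3; shift 3
    check_mount_point "$mp" || { echo "$mp: missing, not empty, or already mounted" >&2; return 1; }
    case "$(classify_encrypted_dir "$base")" in
        existing) backup_config "$base" "$backups" >/dev/null || { echo "config backup failed" >&2; return 1; } ;;
        new)      echo "$base is empty; cryfs will run its initialization wizard" >&2 ;;
        *)        echo "$base: no cryfs.config but not empty; refusing to initialize over existing data" >&2; return 1 ;;
    esac
    for opt in "$@"; do
        if [ "$opt" = --allow-other ] && ! fuse_allows_other; then
            echo "--allow-other requested but user_allow_other is not set in /etc/fuse.conf" >&2
            return 1
        fi
    done
    cryfs "$base" "$mp" "$@"
}

# safe_unmount <mount_point>: only call cryfs --unmount when something is mounted there.
safe_unmount() {
    is_mounted "$1" || { echo "$1 is not mounted" >&2; return 1; }
    cryfs --unmount "$1"
}

# Usage: ./cryfs-safe.sh mount ~/Dropbox/cryfs-base ~/private ~/.cryfs-config-backups [options]
#        ./cryfs-safe.sh unmount ~/private
case "${1:-}" in
    mount)   shift; safe_mount "$@" ;;
    unmount) shift; safe_unmount "$@" ;;
esac
```

The "unknown" class is the one worth keeping: an encrypted directory that has files but no cryfs.config is exactly the situation the CAVEATS section warns about, and letting cryfs start its wizard there would create a new volume beside data that can no longer be read, so the wrapper refuses rather than initializing.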
HISTORY
CryFS was developed as a modern, more secure alternative to existing FUSE-based encrypted filesystems, particularly addressing metadata leakage issues found in earlier solutions like EncFS. Development began around 2014-2015, driven by the increasing need for robust data encryption for cloud storage services. Its design focuses on strong cryptographic primitives and a block-based encryption approach to minimize information exposure, ensuring higher privacy by obfuscating file sizes, timestamps, and directory structures. This makes it suitable for environments where an adversary might have access to the raw encrypted data.
SEE ALSO
fuse(4), mount(8), fusermount(1), encfs(1), ecryptfs(7)