gocryptfs

Initialize an encrypted filesystem

$ gocryptfs -init [path/to/cipher_dir]

$ gocryptfs [path/to/cipher_dir] [path/to/mount_point]

$ gocryptfs --masterkey [path/to/cipher_dir] [path/to/mount_point]

$ gocryptfs --passwd [path/to/cipher_dir]

$ gocryptfs --reverse [path/to/plain_dir] [path/to/cipher_dir]

gocryptfs [options] plaintext_dir ciphertext_dir

-allow_other
    Allow other users to access the decrypted files. Use with caution as it can weaken security.

-aessiv
    Use AES-SIV for file encryption. This is deprecated due to potential security vulnerabilities. Avoid using.

-config
    Path to the gocryptfs.conf file. Defaults to ciphertext_dir/gocryptfs.conf.

-diriv_per_file
    Derive the IV from the file name and file content. This is the default setting since v2.1.

-extpass
    External password command. Runs the specified command and uses its output as the password. Example: '-extpass "/usr/bin/pass mysecret"'.

-fido2
    Use a FIDO2 token for password storage and authentication.

-fsck
    Run in filesystem check mode. Checks the integrity of the ciphertext directory.

-init
    Initialize a new gocryptfs filesystem in the ciphertext directory. This will prompt you to create a password.

-notifystack
    Send all notifications to a specific stack in notify-send (only relevant when using `-wpanic`).

-o
    Pass mount options directly to FUSE.
Example: -o allow_other,ro

-passfile
    Path to a file containing the password. Not recommended due to security concerns.

-ro
    Mount the filesystem in read-only mode.

-speedtest
    Run a speed test.

-staticcipherdir
    Use a static (non-random) directory ID, making the filesystem deterministic.

-wpanic
    Cause a kernel panic on write error.

plaintext_dir
    The directory where the decrypted files will be visible (the mount point).

ciphertext_dir
    The directory where the encrypted files are stored.

gocryptfs creates an encrypted overlay filesystem, meaning it stores your encrypted files in a separate directory from your plaintext files. This provides strong encryption (AES-256-GCM) while offering relatively easy setup and use. Unlike full-disk encryption, gocryptfs allows you to encrypt only specific directories, making it ideal for protecting sensitive data without encrypting the entire system.

It focuses on security and ease of use, employing modern cryptographic primitives and offering features like authenticated encryption, directory ID obfuscation, and filename encryption to protect your data from unauthorized access. The primary use case is the synchronization of sensitive data to untrusted storage, like cloud services.

gocryptfs is a single binary with no external dependencies beyond the standard library of your Go installation. It is available on Linux, macOS and Windows and should be considered stable.

Storing the password in a file (using `-passfile`) is highly discouraged due to security risks. The `-allow_other` option should be used with caution as it can weaken security. Backups of the ciphertext directory are crucial for data recovery in case of issues.

The `gocryptfs.conf` file stores the master key and other configuration options. It is created automatically when initializing the filesystem with the `-init` flag. It is crucial to protect this file as it contains the key needed to decrypt your data. Never share it.
Use command like: gocryptfs -init ciphertext_dir

To mount the encrypted directory, use the following command: gocryptfs [options] ciphertext_dir plaintext_dir. You will be prompted for the password or the external password command will be executed.
To unmount use fusermount -u plaintext_dir.

gocryptfs was created by Christian Starke in 2017. It was designed to provide a secure and user-friendly way to encrypt individual directories, addressing limitations of other encryption solutions. It aimed to simplify the encryption process and improve interoperability across platforms.

mount(8), umount(8), fusermount(1)