gocryptfs
Encrypt files using a directory filesystem
TLDR
Initialize an encrypted filesystem
Mount an encrypted filesystem
Mount with the explicit master key instead of password
Change the password
Make an encrypted snapshot of a plain directory
SYNOPSIS
gocryptfs [options] ciphertext_dir plaintext_dir
PARAMETERS
-allow_other
Allow other users to access the decrypted files. Use with caution as it can weaken security.
-aessiv
Use AES-SIV for file encryption. This is deprecated due to potential security vulnerabilities. Avoid using.
-config
Path to the gocryptfs.conf file. Defaults to ciphertext_dir/gocryptfs.conf.
-diriv_per_file
Derive the IV from the file name and file content. This is the default setting since v2.1.
-extpass
External password command. Runs the specified command and uses its output as the password. Example: '-extpass "/usr/bin/pass mysecret"'.
-fido2
Use a FIDO2 token for password storage and authentication.
-fsck
Run in filesystem check mode. Checks the integrity of the ciphertext directory.
-init
Initialize a new gocryptfs filesystem in the ciphertext directory. This will prompt you to create a password.
-notifystack
Send all notifications to a specific stack in notify-send (only relevant when using `-wpanic`).
-o
Pass mount options directly to FUSE.
Example: -o allow_other,ro
-passfile
Path to a file containing the password. Not recommended due to security concerns.
-ro
Mount the filesystem in read-only mode.
-speedtest
Run a speed test.
-staticcipherdir
Use a static (non-random) directory ID, making the filesystem deterministic.
-wpanic
Cause a kernel panic on write error.
plaintext_dir
The directory where the decrypted files will be visible (the mount point).
ciphertext_dir
The directory where the encrypted files are stored.
DESCRIPTION
gocryptfs creates an encrypted overlay filesystem, meaning it stores your encrypted files in a separate directory from your plaintext files. This provides strong encryption (AES-256-GCM) while offering relatively easy setup and use. Unlike full-disk encryption, gocryptfs allows you to encrypt only specific directories, making it ideal for protecting sensitive data without encrypting the entire system.
It focuses on security and ease of use, employing modern cryptographic primitives and offering features like authenticated encryption, directory ID obfuscation, and filename encryption to protect your data from unauthorized access. The primary use case is the synchronization of sensitive data to untrusted storage, like cloud services.
gocryptfs is a single binary with no external dependencies beyond the standard library of your Go installation. It is available on Linux, macOS and Windows and should be considered stable.
CAVEATS
Storing the password in a file (using `-passfile`) is highly discouraged due to security risks. The `-allow_other` option should be used with caution as it can weaken security. Backups of the ciphertext directory are crucial for data recovery in case of issues.
CONFIGURATION FILE
The `gocryptfs.conf` file stores the master key and other configuration options. It is created automatically when initializing the filesystem with the `-init` flag. It is crucial to protect this file as it contains the key needed to decrypt your data. Never share it.
Use a command like: gocryptfs -init ciphertext_dir
MOUNTING
To mount the encrypted directory, use the following command: gocryptfs [options] ciphertext_dir plaintext_dir. You will be prompted for the password, or the external password command will be executed.
To unmount, use: fusermount -u plaintext_dir
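The init, mount and unmount steps above as an added example (not part of this page or of the gocryptfs project): a POSIX shell script that initialises and mounts a volume with -extpass instead of -passfile, writes a file through the mount, and checks that neither plaintext names nor plaintext contents are visible in the ciphertext directory before unmounting. CIPHER_DIR, PLAIN_DIR, the GOCRYPTFS_PW variable and the verify_no_leak helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not gocryptfs project code. Paths and the password source are assumptions.
set -eu

CIPHER_DIR="${CIPHER_DIR:-$HOME/.secret.enc}"   # assumed ciphertext_dir
PLAIN_DIR="${PLAIN_DIR:-$HOME/secret}"          # assumed plaintext_dir (mount point)

# -extpass runs a command and uses its stdout as the password, so nothing is
# written to disk as with -passfile. This stand-in reads an environment variable;
# a real setup would point it at "pass show ..." or use -fido2.
EXTPASS="printenv GOCRYPTFS_PW"

# Post-mount sanity check: plaintext names and contents must not appear in the
# ciphertext directory. Returns 1 on the first leak found, 0 if nothing leaks.
verify_no_leak() {
    cipher="$1"; plain="$2"
    for f in "$plain"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ -e "$cipher/$name" ]; then
            echo "leak: plaintext name '$name' present in $cipher" >&2
            return 1
        fi
        line=$(head -n 1 "$f")                  # first line as a fixed-string probe
        [ -n "$line" ] || continue
        if grep -rqF -- "$line" "$cipher" 2>/dev/null; then
            echo "leak: contents of '$name' found verbatim in $cipher" >&2
            return 1
        fi
    done
    return 0
}

# The FUSE steps run only when a password is exported and gocryptfs is installed,
# so verify_no_leak can still be exercised on a machine without either.
if [ -n "${GOCRYPTFS_PW:-}" ] && command -v gocryptfs >/dev/null 2>&1; then
    mkdir -p "$CIPHER_DIR" "$PLAIN_DIR"
    # Initialise once; gocryptfs.conf (wrapped master key) is created in CIPHER_DIR.
    [ -f "$CIPHER_DIR/gocryptfs.conf" ] || gocryptfs -init -extpass "$EXTPASS" "$CIPHER_DIR"
    chmod 600 "$CIPHER_DIR/gocryptfs.conf"      # the conf file is the key: keep it private
    gocryptfs -extpass "$EXTPASS" "$CIPHER_DIR" "$PLAIN_DIR"   # ciphertext_dir, then mount point
    printf 'top secret\n' > "$PLAIN_DIR/notes.txt"
    verify_no_leak "$CIPHER_DIR" "$PLAIN_DIR"
    fusermount -u "$PLAIN_DIR"
fi
```

Export GOCRYPTFS_PW before running to perform the actual init/mount cycle; without it the script only defines the check.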
HISTORY
gocryptfs was created by Christian Starke in 2017. It was designed to provide a secure and user-friendly way to encrypt individual directories, addressing limitations of other encryption solutions. It aimed to simplify the encryption process and improve interoperability across platforms.
SEE ALSO
mount(8), umount(8), fusermount(1)