gocryptfs

Initialize an encrypted filesystem

$ gocryptfs -init [path/to/cipher_dir]

$ gocryptfs [path/to/cipher_dir] [path/to/mount_point]

$ gocryptfs --masterkey [path/to/cipher_dir] [path/to/mount_point]

$ gocryptfs --passwd [path/to/cipher_dir]

$ gocryptfs --reverse [path/to/plain_dir] [path/to/cipher_dir]

gocryptfs [OPTIONS] <ciphertext-directory> [<plaintext-mountpoint>]
gocryptfs -init [OPTIONS] <ciphertext-directory>
gocryptfs -fsck [OPTIONS] <ciphertext-directory>

<ciphertext-directory>
    The path to the directory where encrypted data will be stored or is already located. This directory holds the encrypted files and the gocryptfs.conf configuration.

<plaintext-mountpoint>
    The path to the directory where the decrypted contents will be accessible. This is the mount point for the gocryptfs filesystem. If omitted during a mount operation, gocryptfs will try to use the current directory as the mount point.

-init
    Initializes a new gocryptfs filesystem in the specified <ciphertext-directory>. This command prompts for a password and creates the necessary configuration files and directory structure.

-fsck
    Checks the integrity of a gocryptfs filesystem. It verifies the ciphertext files against their stored authentication tags to detect corruption or tampering.

-config <file>
    Specifies an alternative configuration file instead of the default gocryptfs.conf located within the <ciphertext-directory>.

-passwd
    Changes the password for an existing gocryptfs filesystem. You will be prompted for the old and new passwords.

-allow_other
    Allows other users to access the mounted filesystem. This is a FUSE option and typically requires user_allow_other to be set in /etc/fuse.conf.

-ro
    Mounts the filesystem in read-only mode. No changes can be made to the underlying encrypted data through this mount point.

-nonempty
    Allows mounting the filesystem on a directory that is not empty. Existing files or directories in the mountpoint will be hidden by the mounted filesystem until it is unmounted.

-fg
    Runs gocryptfs in the foreground. By default, it forks into the background after a successful mount. This option is useful for debugging or when running from a script that manages the lifecycle of the mount.

-reverse
    Mounts the filesystem in reverse mode. In this mode, the <ciphertext-directory> becomes the plaintext source, and the <plaintext-mountpoint> becomes the *encrypted view* of that source. Useful for encrypting data on the fly before syncing it to cloud storage.

-masterkey <key>
    Specifies the master key directly as a hexadecimal string. This bypasses the password prompt and can be used for automated mounting scenarios, though care must be taken with key exposure.

gocryptfs is a FUSE-based encrypted overlay filesystem written in Go. It allows users to encrypt a directory's contents and access them as a plaintext directory. All files, filenames, and symlink targets are encrypted and authenticated using modern cryptographic primitives like AES-GCM or AES-SIV. The primary goal of gocryptfs is to provide a simple, robust, and secure way to store confidential data in untrusted locations, such as cloud storage services or shared drives. It supports various modes including forward mode (encrypting data as it's written) and reverse mode (creating an encrypted view of an existing plaintext directory), making it versatile for different use cases. It aims for high performance and strong cryptographic guarantees while maintaining a straightforward design.

Performance overhead: While optimized, encryption and decryption operations inherently introduce some CPU and I/O overhead.
Metadata leakage: Although file contents and names are encrypted, some metadata like directory structure, number of files, file modification times, and approximate file sizes (block-aligned) might be discernible.
No hard links across boundary: Hard links are not supported across the encryption boundary (i.e., between plaintext and ciphertext views).
FUSE dependency: gocryptfs relies on the FUSE (Filesystem in Userspace) kernel module and user-space libraries, which must be installed and properly configured.
Improper unmount: Forcibly unmounting (e.g., due to system crash or power loss) can potentially leave the filesystem in a dirty state, requiring fsck to verify and repair integrity.

The -reverse option is a powerful and unique feature of gocryptfs. Unlike the standard forward mode where you put encrypted data into the <ciphertext-directory> to view it as plaintext at the <plaintext-mountpoint>, reverse mode flips this. In reverse mode, your <ciphertext-directory> becomes the source of *plaintext* data, and the <plaintext-mountpoint> becomes an *encrypted view* of that data. This is extremely useful for backing up or syncing existing directories (e.g., your 'Documents' folder) to cloud storage, as your original plaintext data remains untouched in its location, while the cloud service only receives the encrypted representation.

gocryptfs was initially developed by Arnau Sanchez and first released around 2016. It was conceived as a modern, Go-language alternative to older encrypted filesystem solutions like encfs, aiming for a simpler, more auditable codebase and leveraging up-to-date cryptographic primitives (such as authenticated encryption modes). Its development focused on providing a secure and performant encrypted overlay filesystem that is easy to use and deploy, particularly for scenarios involving cloud synchronization where data privacy is paramount.

mount(8), fusermount(1), cryptsetup(8), encfs(1), ecryptfs-migrate-home(8)