- gocryptfs uses file-based encryption that is implemented as a mountable FUSE filesystem. Each file in gocryptfs is stored as one corresponding encrypted file on the hard disk.
- The highlights are: Scrypt password hashing, GCM encryption for all file contents, EME wide-block encryption for file names with a per-directory IV.
See the gocryptfs project home for a further introduction to its features, benchmarks, etc. See Data-at-rest encryption#Comparison table for an overview of alternative methods and EncFS for the direct alternative.
Install gocryptfs from the official repositories or from the AUR.
As a FUSE filesystem, gocryptfs is fully configurable by the user and stores its configuration files in paths chosen by the user.
See the gocryptfs(1) manual page and its examples first.
- To achieve its design goal of authenticated encryption, gocryptfs implements an AES-EME encryption mode for file names (file contents are encrypted using standard libraries). While the EME mode is not yet widely used or audited, the gocryptfs encryption modes bring integrity protection for the data.
- See the project's tracking bug report regarding findings of the first security audit for more information.
Run gocryptfs -speed to test the throughput of the available encryption modes. The automatic selection chooses the fastest mode available for the system.
- As a first-time user, check the gocryptfs best practices.
- Upon initialization of the cryptography for a directory, the master key is output before it is cryptographically wrapped in the gocryptfs.conf file. See Recreate configuration using the masterkey for an emergency restore procedure.
- The -fido2 option allows the convenience of U2F hardware tokens to initialize and mount the encrypted data. Be aware that token features, for example PIN entry, cannot currently be toggled and can differ between token models.
Example using normal mode
Create a cipher directory to store the encrypted data and a plain directory to access it decrypted. Then run the gocryptfs initialization to set up encryption:
$ mkdir cipher plain
$ gocryptfs -init cipher
Choose a password for protecting your files.
Password: [...]
To open the encrypted directory cipher and access it from plain:
$ gocryptfs cipher plain
Password:
Decrypting master key
Filesystem mounted and ready
You should now have a working gocryptfs that is stored in cipher and mounted to plain. You can verify this by creating a blank file in the plain directory. This file will show up encrypted in the cipher directory:
$ touch plain/test.txt
$ ls cipher
gocryptfs.conf  gocryptfs.diriv  ZSuIZVzYDy5-TbhWKY-ciA==
Example using reverse mode
A major application for file-based encryption methods is encrypted backups. FUSE-based filesystems are flexible for this, since they allow a wide array of backup destinations using standard tools. For example, a gocryptfs-encrypted FUSE mount point can be created directly on a Samba/NFS share or Dropbox location, synchronized to a remote host with rsync, or simply copied manually to a remote backup storage.
The gocryptfs.conf file is stored within the backup directory for convenience. If you upload the gocryptfs.conf file to an online source, your backup can be decrypted if your password is known or cracked. Using a strong password will lower the chances of a successful attack. You can choose to use a gocryptfs.conf file from another location by providing the -config option along with the path to your configuration file.
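The warning above hinges on what an attacker holding a leaked gocryptfs.conf would have to do: recover the master key by guessing the password, at the scrypt cost recorded in the file. The following is an added example, not code from the gocryptfs project, that reads a gocryptfs.conf offline and reports settings that make such an attack cheaper or weaken protection (a scrypt cost N below the default of 2^16, a short salt, missing content or name protection flags, or PlaintextNames). The two sample configurations are constructed and contain no real key material; the flag names and the JSON layout are those gocryptfs writes.

```python
import base64
import json

# Content-protection flags every gocryptfs volume created with default
# options carries; their absence points at a very old volume or one
# created with deliberately weakened options.
CONTENT_FLAGS = {"GCMIV128", "HKDF"}
# File-name-protection flags; replaced by PlaintextNames when names are not encrypted.
NAME_FLAGS = {"DirIV", "EMENames", "LongNames"}
# gocryptfs derives the key-wrapping key with scrypt at N = 2^16 by default (-scryptn 16).
DEFAULT_SCRYPT_N = 1 << 16
DEFAULT_SALT_LEN = 32


def audit_conf(conf_text: str) -> list:
    """Return human-readable findings for a gocryptfs.conf JSON document.

    An empty list means the file is structurally sound and uses at least the
    default protections. The checks run offline and need no password.
    """
    findings = []
    conf = json.loads(conf_text)

    # The master key must be present and base64-decodable; it is wrapped with a
    # key derived from the password, so a garbled field means an unusable backup.
    try:
        base64.b64decode(conf["EncryptedKey"], validate=True)
    except (KeyError, ValueError):
        findings.append("EncryptedKey missing or not valid base64")

    scrypt = conf.get("ScryptObject", {})
    try:
        salt = base64.b64decode(scrypt["Salt"], validate=True)
        if len(salt) < DEFAULT_SALT_LEN:
            findings.append(f"scrypt salt is {len(salt)} bytes, expected {DEFAULT_SALT_LEN}")
    except (KeyError, ValueError):
        findings.append("ScryptObject.Salt missing or not valid base64")

    # A low N makes offline password guessing against a leaked conf cheaper.
    n = scrypt.get("N", 0)
    if n < DEFAULT_SCRYPT_N:
        findings.append(f"scrypt N={n} is below the gocryptfs default of {DEFAULT_SCRYPT_N}")

    flags = set(conf.get("FeatureFlags", []))
    missing = CONTENT_FLAGS - flags
    if missing:
        findings.append("missing content-protection flags: " + ", ".join(sorted(missing)))
    if "PlaintextNames" in flags:
        findings.append("PlaintextNames is set: file and directory names are stored unencrypted")
    else:
        missing = NAME_FLAGS - flags
        if missing:
            findings.append("missing name-protection flags: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample configurations (all-zero placeholders, not real key
# material): one with default settings and one initialized with weakened options.
_B64_SALT = base64.b64encode(bytes(32)).decode()
_B64_KEY = base64.b64encode(bytes(64)).decode()

GOOD_CONF = json.dumps({
    "Creator": "gocryptfs (constructed sample)",
    "EncryptedKey": _B64_KEY,
    "ScryptObject": {"Salt": _B64_SALT, "N": 65536, "R": 8, "P": 1, "KeyLen": 32},
    "Version": 2,
    "FeatureFlags": ["GCMIV128", "HKDF", "DirIV", "EMENames", "LongNames", "Raw64"],
})

WEAK_CONF = json.dumps({
    "Creator": "gocryptfs (constructed sample)",
    "EncryptedKey": _B64_KEY,
    "ScryptObject": {"Salt": _B64_SALT, "N": 1024, "R": 8, "P": 1, "KeyLen": 32},
    "Version": 2,
    "FeatureFlags": ["GCMIV128", "HKDF", "PlaintextNames"],
})

if __name__ == "__main__":
    import sys
    # Pass the path of a real gocryptfs.conf; without one the weak sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for finding in audit_conf(text) or ["no findings"]:
        print(finding)
```

Run it against the gocryptfs.conf inside a backup set before uploading that set anywhere; a clean result does not replace a strong password, it only confirms that the password is protected by the default scrypt cost and that names and contents are encrypted.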
The reverse mode of gocryptfs is particularly useful for creating encrypted backups, since it requires virtually no extra storage capacity on the machine to back up.
The following shows an example of user archie creating a backup of the home directory /home/archie.
First, archie initializes the configuration for the home directory:
$ gocryptfs -init -reverse /home/archie
Choose a password for protecting your files. Password: ...
Second, an empty directory for the encrypted view of the home directory is created and mounted:
$ mkdir /tmp/crypt
$ gocryptfs -reverse /home/archie /tmp/crypt
Password:
Decrypting master key
Your master key is: ...
Filesystem mounted and ready.
Third, archie creates a backup of the encrypted directory, a simple local copy for this example:
$ cp -a /tmp/crypt /tmp/backup
The encrypted directory can stay mounted for the user session, or be unmounted manually:
$ fusermount -u /tmp/crypt
$ rmdir /tmp/crypt
To restore from the encrypted backup, a plain-text view is mounted using gocryptfs's normal mode:
$ mkdir /tmp/restore
$ gocryptfs /tmp/backup/ /tmp/restore
Password:
Decrypting master key
...
Filesystem mounted and ready.
Now the required files can be restored.
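The mount, copy and unmount steps above are what a scheduled backup repeats, and the step that is easy to forget under error conditions is the unmount. The following is an added example, not part of the page or of the gocryptfs project, that wraps the reverse-mode procedure in a small Python script: it mounts the encrypted view on a fresh temporary mount point, verifies that a mount really appeared, copies it with rsync (assumed installed; the page's cp -a works the same way), and unmounts in a finally block so the view does not linger after a failed copy. It relies on gocryptfs returning only after the filesystem is mounted (its default daemonizing behaviour) and on the real -config and -passfile options; the paths in the usage line are the page's own.

```python
import os
import subprocess
import sys
import tempfile


def reverse_mount_cmd(plain_dir, mount_point, config=None, passfile=None):
    """argv that exposes plain_dir as an encrypted, read-only view at mount_point."""
    cmd = ["gocryptfs", "-reverse"]
    if config:
        # A gocryptfs.conf kept outside the backup set, as the section above suggests.
        cmd += ["-config", config]
    if passfile:
        # Non-interactive runs (cron, systemd timers) read the password from a file.
        cmd += ["-passfile", passfile]
    return cmd + [plain_dir, mount_point]


def copy_cmd(mount_point, backup_dir):
    """argv that copies the encrypted view into backup_dir (rsync assumed available)."""
    return ["rsync", "-a", mount_point.rstrip("/") + "/", backup_dir.rstrip("/") + "/"]


def unmount_cmd(mount_point):
    return ["fusermount", "-u", mount_point]


def run_backup(plain_dir, backup_dir, config=None, passfile=None):
    """Mount the reverse view, copy it, and always unmount afterwards."""
    mount_point = tempfile.mkdtemp(prefix="gocryptfs-reverse-")
    try:
        subprocess.run(reverse_mount_cmd(plain_dir, mount_point, config, passfile), check=True)
        # gocryptfs exits 0 once mounted; still confirm before copying, so a
        # misconfiguration cannot silently produce an empty "backup".
        if not os.path.ismount(mount_point):
            raise RuntimeError(f"{mount_point} is not a mount point after gocryptfs returned")
        subprocess.run(copy_cmd(mount_point, backup_dir), check=True)
    finally:
        if os.path.ismount(mount_point):
            subprocess.run(unmount_cmd(mount_point), check=False)
        # Only remove the directory once nothing is mounted on it.
        if not os.path.ismount(mount_point):
            os.rmdir(mount_point)


if __name__ == "__main__":
    # Usage: python reverse_backup.py /home/archie /tmp/backup [conf] [passfile]
    args = sys.argv[1:]
    if len(args) < 2:
        sys.exit("usage: reverse_backup.py PLAIN_DIR BACKUP_DIR [CONFIG] [PASSFILE]")
    run_backup(args[0], args[1], *(args[2:4]))
```

Because reverse mode encrypts names deterministically, successive runs present the same encrypted names, so rsync only transfers files whose content changed; restoring still works exactly as shown above, by mounting the backup directory in normal mode.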
There are a couple of applications available that provide a graphical user interface for gocryptfs.
A bash script, gocryptfs-ui, provides a simple GUI around the gocryptfs command-line utility to mount and unmount an encrypted directory. It includes a desktop launcher. Install it from the AUR.
Another application provides a GUI to create and mount encrypted directories. It can store configuration files with a list of encrypted directories, has tray-icon support and includes a desktop launcher. Install it from the AUR.