If you have sensitive data concentrated in a single folder, such as plain text files with important data or files that need to be visible only after being decrypted, gocryptfs is a very elegant way to keep the data encrypted while still being able to access it at times with a password.
gocryptfs – simple. secure. fast encryption.
gocryptfs uses file-based encryption that is implemented as a mountable FUSE filesystem. Each file in gocryptfs is stored as one corresponding encrypted file on the hard disk. The screenshot below shows a mounted gocryptfs filesystem (left) and the encrypted files (right).
The encrypted files can be stored in any folder on your hard disk, a USB stick or even inside the Dropbox folder. One advantage of file-based encryption as opposed to disk encryption is that encrypted files can be synchronised efficiently using standard tools like Dropbox or rsync. Also, the size of the encrypted filesystem is dynamic and only limited by the available disk space.
To use gocryptfs to encrypt a directory on Linux (or macOS), follow these steps. gocryptfs is a FUSE-based encrypted file system that encrypts files on-the-fly and presents a decrypted view when mounted.
Step-by-step: Encrypting a Directory with gocryptfs
# apt-cache show gocryptfs
Package: gocryptfs
Version: 2.3.1-1
Priority: optional
Section: utils
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Architecture: amd64
Depends: libc6 (>= 2.34)
Description-en: Encrypted overlay filesystem written in Go
gocryptfs implements an encrypted overlay filesystem that is similar
to EncFS, but uses FUSE and Go. Encryption is done per-file, and directory
structure is preserved. This allows incremental backups and deduplication.
Homepage: https://github.com/rfjakob/gocryptfs
1. Install gocryptfs
- On Debian/Ubuntu:
# apt install gocryptfs
- On Arch Linux:
# pacman -S gocryptfs
- On macOS (install via Homebrew tool):
# brew install gocryptfs
2. Create Two Directories
- One for the encrypted data (encrypted_dir)
- One to mount the decrypted view (decrypted_mountpoint)
# mkdir ~/encrypted_dir ~/decrypted_mountpoint
3. Initialize Encrypted Directory
This sets up the encryption config:
# gocryptfs -init ~/encrypted_dir
You will be prompted to create a password. This is needed to mount/decrypt the filesystem.
4. Mount the Encrypted Directory
Now mount the encrypted directory into the decrypted mount point:
# gocryptfs ~/encrypted_dir ~/decrypted_mountpoint
It will ask for the password you created during initialization.
An ls of the mounted directory shows the files unencrypted, like so:
# ls -1 ~/decrypted_mountpoint/
├── notes.txt
├── photo.jpg
└── projects/
└── report.docx
5. Use the Decrypted View
Now anything you put inside ~/decrypted_mountpoint is automatically encrypted and stored in ~/encrypted_dir. For example:
# echo "secret" > ~/decrypted_mountpoint/secret.txt
You'll see secret.txt encrypted in ~/encrypted_dir as a file with a scrambled name.
6. Unmount When Done
When finished viewing the data or adding new data in the mounted directory, unmount the decrypted view:
On Linux
# fusermount -u ~/decrypted_mountpoint
or
On macOS or another Unix-compatible OS such as FreeBSD / OpenBSD
# umount ~/decrypted_mountpoint
After unmounting, only the encrypted files remain visible:
# ls -1 ~/encrypted_dir/
├── gocryptfs.conf
├── 2YI8IfnpP6qThZUE1Mo-YA
├── 8o8TUS3LgI6K0WZjaPAjkg
└── WmJyYmAKoLJINkWyXr3UAw/
7. AutoMount on boot
To automount on boot or login, consider using systemd or a shell script with your password securely managed.
To mount / unmount encrypted directory you can create a tiny shell script like this:
# cd /usr/local/bin/
# cat mount_crypted.sh
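#!/bin/bash
# Mount the encrypted directory; gocryptfs prompts for the password.
gocryptfs /directory/encrypted/info /directory/encrypted/info-decrypted/ || exit 1
# This cd only affects the script's own shell, not the shell that called it.
cd /directory/encrypted/info-decrypted/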
8. Use Case Example for gocryptfs -reverse
You can use gocryptfs -reverse to create a read-only encrypted mirror of an existing plaintext folder.
Let's say you have this:
/home/user/documents/ ← your plaintext files
You want to create an encrypted view of it at:
/mnt/encrypted_view/
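First, create a gocryptfs config. It can be anywhere, just not inside your plaintext folder. Pass -reverse to -init so the config is created for reverse mode, and -config so it is written outside the plaintext folder:
# mkdir ~/.gocryptfs-reverse-config
# gocryptfs -init -reverse -config ~/.gocryptfs-reverse-config/gocryptfs.conf /home/user/documents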
Mount in reverse mode:
# gocryptfs -reverse -config ~/.gocryptfs-reverse-config/gocryptfs.conf /home/user/documents /mnt/encrypted_view
Now /mnt/encrypted_view contains encrypted versions of your documents.
!!! You must not edit or write to /mnt/encrypted_view - it's read-only. !!!
9. Create Archive or Sync Backup
For example, make a secure encrypted backup:
# rsync -avz /mnt/encrypted_view/ /backup/encrypted/
Or upload to cloud storage (Dropbox, Google Drive, etc.).
- Decrypt later on another machine:
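Mount the encrypted copy in normal mode. The config file holds the encrypted master key and was created outside the plaintext folder, so copy it to that machine as well and point gocryptfs at it with -config:
# gocryptfs -config ~/.gocryptfs-reverse-config/gocryptfs.conf /backup/encrypted/ /mnt/decrypted_view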
You'll be prompted for the password used when creating the config.
10. A Few More Tips
You can also mount with -ko allow_other if you want other users to see the encrypted view.
To avoid storing the password, use -passfile FILE or integrate with gopass.
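An added example (not part of the original post or of the gocryptfs project) that combines the mount script from step 7 with the -passfile tip: it refuses to mount unless the password file is a regular file owned by the caller with no group/other permissions. The function names, the 15-minute -idle value and the use of mountpoint (Linux, util-linux) are assumptions made for this illustration.

```bash
#!/bin/bash
# Added example: mount a gocryptfs directory non-interactively, but only
# when the password file is safe to use. All names here are hypothetical.

# Return 0 only if $1 is a regular file (not a symlink), owned by the
# caller, with no permission bits set for group or others.
passfile_is_safe() {
    pf=$1
    [ -f "$pf" ] && [ ! -L "$pf" ] && [ -O "$pf" ] || return 1
    case "$(ls -ld -- "$pf")" in
        -???------*) return 0 ;;   # e.g. -rw------- or -r--------
        *)           return 1 ;;
    esac
}

# Return 0 if $1 looks like an initialized gocryptfs directory.
is_initialized() {
    [ -f "$1/gocryptfs.conf" ]
}

# Usage: mount_vault CIPHERDIR MOUNTPOINT PASSFILE
mount_vault() {
    cipher=$1 mnt=$2 pf=$3
    is_initialized "$cipher" || { echo "no gocryptfs.conf in $cipher" >&2; return 2; }
    passfile_is_safe "$pf"   || { echo "refusing unsafe passfile $pf" >&2; return 3; }
    if mountpoint -q "$mnt"; then      # Linux only; skip if already mounted
        echo "$mnt is already mounted" >&2
        return 0
    fi
    # -idle unmounts automatically after 15 minutes without activity
    # (the duration is an example value).
    gocryptfs -passfile "$pf" -idle 15m "$cipher" "$mnt"
}

# Mount only when the script is called with its three arguments.
if [ "$#" -eq 3 ]; then
    mount_vault "$@"
fi
```

Create the password file with chmod 600 before first use; a file readable by group or others is rejected with exit status 3.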
11. Use cppcryptfs (native Windows port of gocryptfs)
There are different ways to make gocryptfs work on Windows:
- Option 1: Use gocryptfs via WinFsp + Cygwin or WSL
- Option 2: Use gocryptfs with WSL (Windows Subsystem for Linux)
- Option 3 (recommended): Use the native cppcryptfs
Just download the app and install it like any normal Windows app and you're done:
cppcryptfs
- It's a native Windows version of gocryptfs
- 100% compatible with gocryptfs (same encryption format)
- Supports drag-and-drop, File Explorer, etc.
- No need for WSL or Cygwin
For more details on how gocryptfs works and how to install it on multiple platforms, check out the original site: https://nuetzlich.net/gocryptfs/





