Gocryptfs is a Filesystem in Userspace (FUSE)-mounted file-level encryption program. FUSE-mounted signifies that the encrypted information are saved in a single listing tree that’s mounted, like a USB key, utilizing the FUSE interface. This permits any person to do the mount—you do not have to be root. Because gocryptfs encrypts on the file stage, synchronization operations that duplicate your information can work effectively on every file. This contrasts with disk-level encryption, the place the entire disk is encrypted as a single, giant binary blob.
When you utilize gocryptfs in its regular mode, your information are saved in your disk in an encrypted format. However, whenever you mount the encrypted information, you get unencrypted entry to your information, similar to some other file in your pc. This means all of your common instruments and packages can use your unencrypted information. Changes, new information, and deletions are mirrored in real-time within the encrypted model of the information saved in your disk.
Install gocryptfs
Installing gocryptfs is straightforward on Fedora as a result of it’s packaged for Fedora 30 and Rawhide. Therefore, sudo dnf set up gocryptfs does all of the required set up work. If you are not utilizing Fedora, you could find particulars on putting in from supply, on Debian, or through Homebrew within the Quickstart.
Initialize your encrypted filesystem
To get began, it is advisable determine the place you wish to retailer your encrypted information. This instance will preserve the information in ~/.sekrit_files in order that they do not present up when doing a traditional ls.
Start by initializing the filesystem. This would require you to decide on a password. You are strongly inspired to make use of a novel password you have by no means used anyplace else, as that is your key to unlocking your information. The venture’s authors advocate a password with between 64 and 128 bits of entropy. Assuming you utilize higher and decrease case letters and numbers, this implies your password must be between 11 and 22 characters long. If you are utilizing a password supervisor, this must be straightforward to perform with a generated password.
When you initialize the filesystem, you will notice a novel key. Store this key someplace securely, as it’ll can help you entry your information if it is advisable get better your information however have forgotten your password. The key works with out your password, so preserve it non-public!
The initialization routine seems like this:
$ mkdir ~/.sekrit_files
$ gocryptfs -init ~/.sekrit_files
Choose a password for defending your information.
Password:
Repeat:Your grasp secret is:
XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX-
XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXXIf the gocryptfs.conf file turns into corrupted otherwise you ever overlook your password,
there is just one hope for restoration: The grasp key. Print it to a bit of
paper and retailer it in a drawer. This message is just printed as soon as.
The gocryptfs filesystem has been created efficiently.
You can now mount it utilizing: gocryptfs .sekrit_files MOUNTPOINT
If you look within the ~/.sekrit_files listing, you will notice two information: a configuration file and a novel directory-level initialization vector. You is not going to have to edit these two information by hand. Make positive you don’t delete these information.
Use your encrypted filesystem
To use your encrypted filesystem, it is advisable mount it. This requires an empty listing the place you may mount the filesystem. For instance, use the ~/my_files listing. As you may see from the initialization, mounting is straightforward:
$ gocryptfs ~/.sekrit_files ~/my_files
Password:
Decrypting grasp key
Filesystem mounted and prepared.
If you try the ~/my_files listing, you may see it’s empty. The configuration and initialization vector information aren’t information, so they do not present up. Let’s put some information within the filesystem and see what occurs:
$ cp /usr/share/dict/phrases ~/my_files/
$ ls -la ~/my_files/ ~/.sekrit_files/
~/my_files/:
.rw-r--r-- 5.0M bexelbie 19 Jul 17:48 phrases~/.sekrit_files/:
.r--------@ 402 bexelbie 19 Jul 17:39 gocryptfs.conf
.r--------@ 16 bexelbie 19 Jul 17:39 gocryptfs.diriv
.rw-r--r--@ 5.0M bexelbie 19 Jul 17:48 xAQrtlyYSFeCN5w7O3-9zg
Notice that there’s a new file within the ~/.sekrit_files listing. This is the encrypted copy of the dictionary you copied in (the file identify will range). Feel free to make use of cat and different instruments to look at these information and experiment with including, deleting, and modifying information. Make positive to check with just a few functions, corresponding to LibreOffice.
Remember, this a filesystem mount, so the contents of ~/my_files aren’t saved to disk. You can confirm this by operating mount | grep my_files and observing the output. Only the encrypted information are written to your disk. The FUSE interface is doing real-time encryption and decryption of the information and presenting them to your functions and shell as a filesystem.
Unmount the filesystem
When you are completed along with your information, you may unmount them. This causes the unencrypted filesystem to not be obtainable. The encrypted information in ~/.sekrit_files are unaffected. Unmount the filesystem utilizing the FUSE mounter program with fusermount -u ~/my_files .
Back up your information
One of the cool advantages of gocryptfs utilizing file-level encryption is that it makes backing up your encrypted information simpler. The information are protected to retailer on a synchronizing system, corresponding to OwnCloud or Dropbox. The normal disclaimer about not modifying the identical file on the identical time applies. However, the information might be backed up even when they’re mounted. You may also save your information some other means you’ll sometimes again up information. You do not want something particular.
When you do backups, be certain that to incorporate the gocryptfs.diriv file. This file just isn’t a secret and might be saved with the backup. However, your gocryptfs.conf is a secret. When you management the whole lot of the backup chain, corresponding to with tape, you may again it up with the remainder of the information. However, when the information are backed as much as the cloud or publicly, it’s possible you’ll want to omit this file. In idea, if somebody will get this file, the one factor defending your information is the power of your password. If you may have chosen a strong password, which may be sufficient; nevertheless, it is advisable contemplate your state of affairs fastidiously. More particulars are on this gocryptfs upstream issue.
Bonus: Reverse mode
A neat function of gocryptfs is the reverse mode perform. In reverse mode, level gocryptfs at your unencrypted information, and it’ll create a mount level with an encrypted view of this information. This is helpful for issues corresponding to creating encrypted backups. This is straightforward to do:
$ gocryptfs -reverse -init my_files
Choose a password for defending your information.
Password:
Repeat:Your grasp secret is:
XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX-
XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXXIf the gocryptfs.conf file turns into corrupted otherwise you ever overlook your password,
there is just one hope for restoration: The grasp key. Print it to a bit of
paper and retailer it in a drawer. This message is just printed as soon as.
The gocryptfs-reverse filesystem has been created efficiently.
You can now mount it utilizing: gocryptfs -reverse my_files MOUNTPOINT$ gocryptfs -reverse my_files sekrit_files
Password:
Decrypting grasp key
Filesystem mounted and prepared.
Now sekrit_files accommodates an encrypted view of your unencrypted information from my_files. This might be backed up, shared, or dealt with as wanted. The listing is read-only, as there may be nothing helpful you are able to do with these information besides again them up.
A brand new file, .gocryptfs.reverse.conf, has been added to my_files to offer a steady encrypted view. This configuration file will make sure that every reverse mount will use the identical encryption key. This means you can, for instance, again up solely modified information.
Gocryptfs is a versatile file encryption device that permits you to retailer your information in an encrypted method with out altering your workflow or processes considerably. The design has undergone a safety audit, and the builders have expertise with different techniques, corresponding to encfs. I encourage you so as to add gocryptfs to your system at present and begin defending your information.