gocryptfs cheat sheet

Gocryptfs is a file and directory encryption tool available on Linux distributions. Two advantages of gocryptfs over other encryption offerings are the ability to run without admin access and a reverse encryption mode (ideal for backing up files to cloud-based services). I explore installation and basic usage.


On Debian-based systems, gocryptfs is available in official repositories.

$ sudo apt update && sudo apt install gocryptfs

Other distributions should check their repositories.

Alternatively, precompiled binaries can be downloaded from GitHub, or it can be compiled from source.

The instructions below assume a Debian-based system with gocryptfs installed from the official repositories. I’m also going to assume simple use cases. For more detailed use cases, read the manual.

Creating an encrypted folder

Assume that encrypted is the name of the folder in its encrypted state, and decrypted is in the decrypted state.

Using a permanent folder. This assumes that both folders do not yet exist.

$ mkdir encrypted decrypted
$ gocryptfs -init encrypted
$ gocryptfs encrypted decrypted

To unmount your encrypted folder:

$ fusermount -u decrypted
$ rmdir decrypted

It is a good security practice to remove the decrypted folder when completed.

A better security practice is to use a temporary folder. That way once the user is logged out, the folder automatically poofs.

$ mkdir encrypted /tmp/decrypted
$ gocryptfs -init encrypted
$ gocryptfs encrypted /tmp/decrypted

Creating a reverse-encrypted folder

This allows turning an existing non-encrypted folder into a temporary encrypted folder. Assume that decrypted refers to the existing folder, and encrypted refers to the encrypted folder.

$ mkdir encrypted
$ gocryptfs -init -reverse decrypted
$ gocryptfs -reverse decrypted encrypted

Other useful flags

### Example
$ gocryptfs -allow_other encrypted decrypted

Allows other users to view the decrypted folder. By default only the user creating the decrypted folder can view it.

### Example
$ gocryptfs -nonempty encrypted-Documents Documents

Allows mounting to a non-empty folder. This is generally not a good practice.

### Example
$ gocryptfs -passwd encrypted

Allows changing the password of a mounted folder.

### Example
$ gocryptfs -ro encrypted decrypted

Mounts a decrypted folder as read-only.

Other miscellaneous commands

Display the list of mounted gocryptfs folders

$ mount | grep gocryptfs
### Sample output
/home/matthew/encrypted on /home/matthew/decrypted type fuse.gocryptfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
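
A stricter version of the listing above, as an added example that is not part of the original post: it matches on the file system type field instead of a substring, and reports whether each mount is read-only or shared with -allow_other. It assumes a Linux mount table at /proc/self/mounts; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: list gocryptfs mounts by file system type, not by substring.
# /proc/self/mounts fields: source mountpoint fstype options dump pass

# list_gocryptfs_mounts [MOUNTS_FILE]
# Prints: mountpoint<TAB>source<TAB>ro|rw<TAB>private|allow_other
list_gocryptfs_mounts() {
    awk '
        # The kernel writes a space inside a path as \040; decode that case.
        function unescape(s) { gsub(/\\040/, " ", s); return s }
        $3 == "fuse.gocryptfs" {
            mode = "rw"; share = "private"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "ro") mode = "ro"
                if (opt[i] == "allow_other") share = "allow_other"
            }
            printf "%s\t%s\t%s\t%s\n", unescape($2), unescape($1), mode, share
        }
    ' "${1:-/proc/self/mounts}"
}

# gocryptfs_is_mounted ABSOLUTE_DIR [MOUNTS_FILE]
# Exit status 0 only if ABSOLUTE_DIR is currently a gocryptfs mountpoint.
gocryptfs_is_mounted() {
    list_gocryptfs_mounts "${2:-/proc/self/mounts}" | cut -f1 | grep -Fxq -- "$1"
}

# Constructed sample mount table (assumption: not taken from a real system).
# The ext4 line would match "grep gocryptfs" although it is not a gocryptfs mount.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
/home/matthew/encrypted /home/matthew/decrypted fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
/home/matthew/enc\040docs /tmp/my\040docs fuse.gocryptfs ro,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other 0 0
/dev/sda2 /mnt/gocryptfs-backup ext4 rw,relatime 0 0
EOF

list_gocryptfs_mounts "$sample"
```

After `fusermount -u`, a non-zero exit status from `gocryptfs_is_mounted` with the absolute path of the decrypted folder confirms that the plaintext view is no longer mounted.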