Re-design of the original gocryptfs code to work as a library.
Go to file
Jakob Unterwurzacher 7e92ebe16a Rename nametransform, contentenc source files
Let's have shorter names, and merge *_api.go into the "main"

No code changes.
2016-06-16 19:02:47 +02:00
Documentation Add performance numbers for v0.11 2016-06-08 00:32:40 +02:00
internal Rename nametransform, contentenc source files 2016-06-16 19:02:47 +02:00
tests readpassword: create internal package for password reading 2016-06-15 22:44:24 +02:00
.drone.yml Add CI config 2015-11-22 21:07:38 +01:00
.gitignore package.bash: Encode host distribution into tar filename 2016-01-09 15:47:29 +01:00
.travis.yml stupidgcm: fix copy-paste error in panic message 2016-05-04 20:15:11 +02:00
LICENSE Add MIT LICENSE 2015-10-11 23:15:03 +02:00 README: fix v0.11 release date 2016-06-10 09:54:35 +02:00 Update TODO file 2016-06-07 00:11:04 +02:00
benchmark-synthetic.bash tests: split example_filesystems into its own package 2016-06-07 00:08:56 +02:00
benchmark.bash Show new benchmark.bash in README 2016-01-23 20:18:13 +01:00
build.bash build.bash: fail early if the go binary does not exist 2016-06-14 22:56:28 +02:00
checkdir.go Refactor cli argument handling 2015-11-14 21:25:10 +01:00
daemonize.go Rename internal "toggledlog" package to "tlog" 2016-06-15 23:30:44 +02:00
main.go Rename internal "toggledlog" package to "tlog" 2016-06-15 23:30:44 +02:00
masterkey.go Rename internal "toggledlog" package to "tlog" 2016-06-15 23:30:44 +02:00
package.bash package.bash: Encode host distribution into tar filename 2016-01-09 15:47:29 +01:00
sendusr1.go Rename internal "toggledlog" package to "tlog" 2016-06-15 23:30:44 +02:00
test.bash Fix "go tool vet -shadow=true" warnings 2016-04-10 21:31:15 +02:00

gocryptfs Build Status MIT License

An encrypted overlay filesystem written in Go. Official website:

gocryptfs is built on top the excellent go-fuse FUSE library and its LoopbackFileSystem API.

This project was inspired by EncFS and strives to fix its security issues while providing good performance (benchmarks).

For details on the security of gocryptfs see the Security design document.

All tags from v0.4 onward are signed by the gocryptfs signing key. Please check Signed Releases for details.

Current Status

gocryptfs is a young project. While bugs in any software can cause issues, bugs in encryption software can cause catastrophic data loss. Keep a backup of your gocryptfs filesystem and store a copy of your master key (printed on mount) in a safe place. See below for how gocryptfs is tested.

Only Linux is supported at the moment. Help wanted for a Mac OS X port.


gocryptfs comes with is own test suite that is constantly expanded as features are added. Run it using ./test.bash. It takes about 1 minute and requires FUSE as it mounts several test filesystems.

The stress_tests directory contains stress tests that run indefinitely.

In addition, I have ported xfstests to FUSE, the result is the fuse-xfstests project. gocryptfs passes the "generic" tests with one exception, results:

A lot of work has gone into this. The testing has found bugs in gocryptfs as well as in the go-fuse library.


$ go get


$ mkdir cipher plain
$ $GOPATH/bin/gocryptfs -init cipher
$ $GOPATH/bin/gocryptfs cipher plain

See the Quickstart page for more info.

The containes a description of available command-line options. If you already have gocryptfs installed, run ./MANPAGE-render.bash to bring up the rendered manpage in your man pager (requires pandoc).

Storage Overhead

  • Empty files take 0 bytes on disk
  • 18 byte file header for non-empty files (2 bytes version, 16 bytes random file id)
  • 28 bytes of storage overhead per 4kB block (12 byte nonce, 16 bytes auth tag) contains a more detailed description.


Since version 0.7.2, gocryptfs is as fast as EncFS in the default mode, and significantly faster than EncFS' "paranoia" mode that provides a security level comparable to gocryptfs.

gocryptfs uses OpenSSL through a thin wrapper called stupidgcm. This provides a 4x speedup compared to Go's builtin AES-GCM implementation - see for details. The use of openssl can disabled on the command-line.

Run ./benchmark.bash to run gocryptfs' canonical set of benchmarks that include streaming write, extracting a linux kernel tarball, recursively listing and finally deleting it. The output will look like this:

$ ./benchmark.bash
linux-3.0.tar.gz       100%[==========================>]  92,20M  2,96MB/s    in 35s
2016-05-04 19:29:20 URL:
WRITE: 131072000 bytes (131 MB) copied, 1,43137 s, 91,6 MB/s
UNTAR: 23.25
LS:    1.75
RM:    4.42


v0.11, 2016-06-10

  • Deprecate filesystems created by v0.6 and older
  • Filesystems can still be mounted but a warning is printed
  • See for details and join the discussion
  • Add rsync stress test "pingpong-rsync.bash" ** Fix chown and utimens failures that caused rsync to complain
  • Build release binaries with Go 1.6.2 ** Big speedup for CPUs with AES-NI, see #23)

v0.10, 2016-05-30

  • Replace spacemonkeygo/openssl with stupidgcm
  • gocryptfs now has its own thin wrapper to OpenSSL's GCM implementation called stupidgcm.
  • This should fix the compile issues people are seeing with spacemonkeygo/openssl. It also gets us a 20% performance boost for streaming writes.
  • Automatically choose between OpenSSL and Go crypto issue #23
  • Go 1.6 added an optimized GCM implementation in amd64 assembly that uses AES-NI. This is faster than OpenSSL and is used if available. In all other cases OpenSSL is much faster and is used instead.
  • -openssl=auto is the new default
  • Passing -openssl=true/false overrides the autodetection.
  • Warn but continue anyway if fallocate(2) is not supported by the underlying filesystem, see issue #22
  • Enables to use gocryptfs on ZFS and ext3, albeit with reduced out-of-space safety.
  • Fix statfs, by @lxp
  • Fix a fsstress failure in the go-fuse library.

v0.9, 2016-04-10

  • Long file name support
  • gocryptfs now supports file names up to 255 characters.
  • This is a forwards-compatible change. gocryptfs v0.9 can mount filesystems created by earlier versions but not the other way round.
  • Refactor gocryptfs into multiple "internal" packages
  • New command-line options:
  • -longnames: Enable long file name support (default true)
  • -nosyslog: Print messages to stdout and stderr instead of syslog (default false)
  • -wpanic: Make warning messages fatal (used for testing)
  • -d: Alias for -debug
  • -q: Alias for -quiet

v0.8, 2016-01-23

  • Redirect output to syslog when running in the background
  • New command-line option:
  • -memprofile: Write a memory allocation debugging profile the specified file

v0.7.2, 2016-01-19

  • Fix performance issue in small file creation
  • This brings performance on-par with EncFS paranoia mode, with streaming writes significantly faster
  • The actual fix is in the go-fuse library. There are no code changes in gocryptfs.

v0.7.1, 2016-01-09

  • Make the build.bash script compatible with Go 1.3
  • Disable fallocate on OSX (system call not availabe)
  • Introduce pre-built binaries for Fedora 23 and Debian 8

v0.7, 2015-12-20

  • Extend GCM IV size to 128 bit from Go's default of 96 bit
  • This pushes back the birthday bound to make IV collisions virtually impossible
  • This is a forwards-compatible change. gocryptfs v0.7 can mount filesystems created by earlier versions but not the other way round.
  • New command-line option:
  • -gcmiv128: Use 128-bit GCM IVs (default true)

v0.6, 2015-12-08

  • Wide-block filename encryption using EME + DirIV
  • EME (ECB-Mix-ECB) provides even better security than CBC as it fixes the prefix leak. The used Go EME implementation is which is, as far as I know, the first implementation of EME in Go.
  • This is a forwards-compatible change. gocryptfs v0.6 can mount filesystems created by earlier versions but not the other way round.
  • New command-line option:
  • -emenames: Enable EME filename encryption (default true)

v0.5.1, 2015-12-06

  • Fix a rename regression caused by DirIV and add test case
  • Use fallocate to guard against out-of-space errors

v0.5, 2015-12-04

  • Stronger filename encryption: DirIV
  • Each directory gets a random 128 bit file name IV on creation, stored in gocryptfs.diriv
  • This makes it impossible to identify identically-named files across directories
  • A single-entry IV cache brings the performance cost of DirIV close to zero for common operations (see performance.txt)
  • This is a forwards-compatible change. gocryptfs v0.5 can mount filesystems created by earlier versions but not the other way round.
  • New command-line option:
  • -diriv: Use the new per-directory IV file name encryption (default true)
  • -scryptn: allows to set the scrypt cost parameter N. This option can be used for faster mounting at the cost of lower brute-force resistance. It was mainly added to speed up the automated tests.

v0.4, 2015-11-15

  • New command-line options:
  • -plaintextnames: disables filename encryption, added on user request
  • -extpass: calls an external program for prompting for the password
  • -config: allows to specify a custom gocryptfs.conf path
  • Add FeatureFlags gocryptfs.conf paramter
  • This is a config format change, hence the on-disk format is incremented
  • Used for ext4-style filesystem feature flags. This should help avoid future format changes. The first user is -plaintextnames.
  • On-disk format 2

v0.3, 2015-11-01

  • Add a random 128 bit file header to authenticate file->block ownership
  • This is an on-disk-format change
  • On-disk format 1

v0.2, 2015-10-11

  • Replace bash daemonization wrapper with native Go implementation
  • Better user feedback on mount failures

v0.1, 2015-10-07

  • First release
  • On-disk format 0