NAME

gocryptfs - mount an encrypted directory

SYNOPSIS

Initialize encrypted filesystem

gocryptfs -init [OPTIONS] CIPHERDIR

Mount

gocryptfs [OPTIONS] CIPHERDIR MOUNTPOINT

Change password

gocryptfs -passwd [OPTIONS] CIPHERDIR

DESCRIPTION

Options:

-allow_other: By default, the Linux kernel prevents any other user (even root) to access a mounted FUSE filesystem. Settings this option allows access for other users, subject to file permission checking. Only works if user_allow_other is set in /etc/fuse.conf. This option is equivalent to "allow_other" plus "default_permissions" described in fuse(8).
-config string: Use specified config file instead of CIPHERDIR/gocryptfs.conf
-cpuprofile string: Write cpu profile to specified file
-d, -debug: Enable debug output
-extpass string: Use an external program (like ssh-askpass) for the password prompt. The program should return the password on stdout, a trailing newline is stripped by gocryptfs. Using something like "cat /mypassword.txt" allows to mount the gocryptfs filesytem without user interaction.
-f: Stay in the foreground instead of forking away.
-fusedebug: Enable fuse library debug output
-init: Initialize encrypted directory
-longnames: Store names longer than 176 bytes in extra files (default true) This flag is useful when recovering old gocryptfs filesystems using "-masterkey". It is ignored (stays at the default) otherwise.
-masterkey string: Mount with explicit master key specified on the command line. This option can be used to mount a gocryptfs filesystem without a config file. Note that the command line, and with it the master key, is visible to anybody on the machine who can execute "ps -auxwww".
-memprofile string: Write memory profile to specified file. This is useful when debugging memory usage of gocryptfs.
-nosyslog: Diagnostic messages are normally redirected to syslog once gocryptfs daemonizes. This option disables the redirection and messages will continue be printed to stdout and stderr.
-notifypid int: Send USR1 to the specified process after successful mount. This is used internally for daemonization.
-openssl bool: Use OpenSSL instead of built-in Go crypto (default "auto"). Using built-in crypto is 4x slower unless your CPU has AES instructions and you are using Go 1.6+. In mode "auto", gocrypts chooses the faster option.
-passwd: Change password
-plaintextnames: Do not encrypt file names
-q, -quiet: Quiet - silence informational messages
-ro: Mount the filesystem read-only
-scryptn int: scrypt cost parameter logN. Setting this to a lower value speeds up mounting but makes the password susceptible to brute-force attacks (default 16)
-version: Print version and exit. The output contains three fields seperated by ";". Example: "gocryptfs v0.12-2; go-fuse a4c968c; go1.6.2". Field 1 is the gocryptfs version, field 2 is the version of the go-fuse library, field 3 is the Go version that was used to compile the binary.
-wpanic: When encountering a warning, panic and exit immediately. This is useful in regression testing.
-zerokey: Use all-zero dummy master key. This options is only intended for automated testing as it does not provide any security.

EXAMPLES

Create and mount an encrypted filesystem:

mkdir /tmp/g1 /tmp/g2

gocryptfs -init /tmp/g1
gocryptfs /tmp/g1 /tmp/g2

3.5 KiB Raw Blame History