Do you want to encrypt important files, but not your Linux system’s entire hard drive? If so, we recommend gocryptfs. You’ll get a directory that, essentially, encrypts and decrypts everything you store.

gocryptfs Offers Protection From Data Breaches

Privacy is big news. Hardly a week goes by without the announcement of a breach at one organization or another. Companies either report recent incidents or disclose breaches that happened some time ago. In both cases, it’s bad news for those whose data has been exposed.

Because millions of people use services like Dropbox, Google Drive, and Microsoft OneDrive, a seemingly never-ending stream of data is pushed to the cloud every day. If you store some (or all) of your data on the cloud, what can you do to protect classified information and private documents should a breach occur?

Data breaches come in all shapes and sizes, of course, and they’re not limited to the cloud. A lost memory stick or stolen laptop is just a data breach on a smaller scale. But the scale isn’t the critical factor. If the data is sensitive or confidential, someone else having it could be disastrous.

One solution is to encrypt your documents. Traditionally, this is done by encrypting your hard drive in its entirety. Full-disk encryption is secure against someone who gets hold of the powered-off machine, but it slightly slows down your computer, and if you suffer a catastrophic failure, it can complicate the process of restoring your system from backups. It also does nothing for the cloud scenario above: the disk is transparently decrypted while you’re logged in, so a sync client uploads your files in plaintext.

The gocryptfs system allows you to encrypt only the directories that need protection and avoid the system-wide overhead of encryption and decryption. It’s fast, lightweight, and easy to use. Because the encrypted directory is just a set of ordinary files, it’s also easy to copy or sync it to other computers. Anyone with the password can mount it there, and the decrypted view exists only in the mount point while the directory is mounted; the files at rest on the other computer stay encrypted.

The gocryptfs system is constructed as a lightweight, encrypted file system. It’s also mountable by regular, non-root accounts because it uses the Filesystem in Userspace (FUSE) package. This acts as a bridge between gocryptfs and the kernel file-system routines it needs to access.

Installing gocryptfs

To install gocryptfs on Ubuntu, type this command:

sudo apt-get install gocryptfs


To install it on Fedora type:

sudo dnf install gocryptfs


On Manjaro, the command is:

sudo pacman -Syu gocryptfs


Creating an Encrypted Directory

Part of the glory of gocryptfs is how simple it is to use. The principles are:

  • Create a directory to contain the files and subdirectories you’re protecting.
  • Use gocryptfs to initialize that directory.
  • Create an empty directory as a mount point, and then mount the encrypted directory onto it.
  • In the mount point, you can see and use the decrypted files and create new ones.
  • Unmount the encrypted folder when you’re done.

We’re going to create a directory called “vault” to hold the encrypted data. To do so, we type the following:

mkdir vault


We need to initialize our new directory. This step creates the gocryptfs file system within the directory:

gocryptfs -init vault


Type a password when you’re prompted; you’ll type it twice to ensure it’s correct. Choose a strong one: three unrelated words that include punctuation, digits, or symbols is a good template. The password is the only thing standing between someone who copies the encrypted directory and your data, so don’t reuse one from elsewhere.

Your master key is generated and displayed. Copy and save this somewhere safe and private, such as on paper in a drawer. gocryptfs prints it only once, and it’s the only way to recover your data if you forget the password or the configuration file is lost or corrupted. In our example, we’re creating a gocryptfs directory on a research machine that’s wiped after each article is written.

That’s the only reason we can show the master key for this directory. You’ll definitely want to be much more secretive with yours. If someone obtains your master key, they can access all of your encrypted data without needing the password.

If you change into the new directory, you’ll see two files have been created. Type the following:

cd vault
ls -ahl


The “gocryptfs.diriv” is a short binary file, while “gocryptfs.conf” contains settings and information you should keep safe.

“gocryptfs.diriv” holds the initialization vector used to encrypt the file names in that directory (every subdirectory gets one of its own), and it has to stay with the encrypted files. “gocryptfs.conf” is more sensitive. It holds your master key, encrypted under a key that’s derived from your password with scrypt, alongside the scrypt salt and cost parameters. Anyone who obtains the file has everything needed to guess passwords offline, at whatever speed their hardware allows, until one unlocks the master key. The strength of your password is all that stops them.

If you upload your encrypted data to the cloud or back it up to small, transportable media, consider leaving this file out. Be aware of the trade-off: a copy of the directory without “gocryptfs.conf” can only be opened by supplying the master key directly (gocryptfs accepts it via the -masterkey option), so you need the master key, or a separate copy of the file, kept somewhere safe. If you back up to local media that remains under your control, you can include the file.

You can see the “EncryptedKey” and “ScryptObject” (salt and cost parameters) entries for yourself:

cat gocryptfs.conf

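To make that trade-off concrete, here is an added example (not gocryptfs code, and not from the original article) that reads a gocryptfs.conf, reports the scrypt cost an attacker holding the file pays per password guess, flags weak settings, and applies the “sync everything except gocryptfs.conf” rule to a directory tree. The JSON layout (EncryptedKey, ScryptObject with Salt/N/R/P/KeyLen, Version, FeatureFlags) is the real gocryptfs v2 format; the key and salt bytes, the Creator string, and every file name other than the encrypted one shown in this article are constructed placeholders, and the 65536 threshold is gocryptfs’s default scrypt N (-scryptn 16), assumed here as the floor a practitioner should accept.

```python
"""Inspect a gocryptfs.conf and decide what is safe to copy off-box.

Added example for this article, not part of gocryptfs. The JSON layout
below is the real gocryptfs v2 config format; the key and salt bytes are
constructed placeholders, not values from any real vault.
"""
import base64
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample: the shape of a freshly initialised gocryptfs.conf.
# Real files carry 32 random salt bytes and a 64-byte wrapped key
# (32-byte master key + 16-byte IV + 16-byte GCM tag); zeros stand in here.
SAMPLE_CONF = json.dumps({
    "Creator": "gocryptfs v2.3.1",
    "EncryptedKey": base64.b64encode(bytes(64)).decode(),
    "ScryptObject": {
        "Salt": base64.b64encode(bytes(32)).decode(),
        "N": 65536, "R": 8, "P": 1, "KeyLen": 32,
    },
    "Version": 2,
    "FeatureFlags": ["GCMIV128", "HKDF", "DirIV", "EMENames", "LongNames", "Raw64"],
})


def scrypt_params(conf_text):
    """Pull the password-derivation parameters out of a gocryptfs.conf."""
    conf = json.loads(conf_text)
    s = conf["ScryptObject"]
    return {
        "N": s["N"], "r": s["R"], "p": s["P"], "keylen": s["KeyLen"],
        "salt_bytes": len(base64.b64decode(s["Salt"])),
        "wrapped_key_bytes": len(base64.b64decode(conf["EncryptedKey"])),
    }


def scrypt_memory_bytes(n, r):
    """scrypt's working set is 128 * N * r bytes. This is the cost an attacker
    holding gocryptfs.conf pays per password guess; a small N makes offline
    guessing cheap, which is why the file should not travel with the data."""
    return 128 * n * r


def audit_conf(conf_text, min_n=65536):
    """Return findings about weak settings; an empty list means none.
    min_n = 65536 is gocryptfs's default (-scryptn 16), assumed here as the
    minimum a practitioner should accept."""
    p = scrypt_params(conf_text)
    findings = []
    if p["N"] < min_n:
        findings.append(f"scrypt N={p['N']} below {min_n}: password guessing is cheap")
    if p["N"] & (p["N"] - 1):
        findings.append("scrypt N is not a power of two")
    if p["salt_bytes"] < 16:
        findings.append(f"salt is only {p['salt_bytes']} bytes")
    if p["wrapped_key_bytes"] != p["keylen"] + 32:
        findings.append("EncryptedKey length does not match KeyLen + IV + tag")
    return findings


def files_safe_to_sync(vault):
    """Relative paths of everything in the vault except gocryptfs.conf.
    gocryptfs.diriv files stay: each one is the IV needed to decrypt the
    file names in its directory, and they contain no key material."""
    vault = Path(vault)
    return sorted(
        str(p.relative_to(vault)) for p in vault.rglob("*")
        if p.is_file() and p.name != "gocryptfs.conf"
    )


def demo_vault_listing():
    """Build a throwaway directory shaped like an initialised vault and return
    what the sync rule keeps. Names are constructed except the encrypted file
    name shown in the article; contents are zero bytes, not real ciphertext."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "gocryptfs.conf").write_text(SAMPLE_CONF)
        (root / "gocryptfs.diriv").write_bytes(bytes(16))
        (root / "aJGzNoczahiSif_gwGl4eAUnwxo9CvOa6kcFf4xVgYU").write_bytes(bytes(50))
        sub = root / "oyMBNAaE5f9HgQMA2OekxQ"
        sub.mkdir()
        (sub / "gocryptfs.diriv").write_bytes(bytes(16))
        return files_safe_to_sync(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    p = scrypt_params(SAMPLE_CONF)
    print(f"scrypt N={p['N']} r={p['r']} p={p['p']}: "
          f"{scrypt_memory_bytes(p['N'], p['r']) // 2**20} MiB per guess")
    print("findings:", audit_conf(SAMPLE_CONF) or "none")
    print("safe to sync:", demo_vault_listing())
```

Run it against a real vault by replacing SAMPLE_CONF with the contents of your own “gocryptfs.conf” (read-only, it never writes the file). With the default parameters each guess costs 64 MiB of memory, which keeps brute force slow but not impossible for a weak password; a vault initialized with a low -scryptn shows up as a finding.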

Mounting the Encrypted Directory

The encrypted directory is mounted on a mount point, which is simply an empty directory. We’re still inside “vault” from the previous step, so move back up a level, and then create a mount point called “geek” next to it:

cd ..
mkdir geek

We can now mount the encrypted directory on the mount point. Strictly speaking, what’s actually mounted is the gocryptfs file system inside the encrypted directory. We’re prompted for the password:

gocryptfs vault geek

When the encrypted directory is mounted, we can use the mount point directory the same as we would any other. Anything we edit or create in the mount point is encrypted on the way through and written to the “vault” directory; nothing is stored there in plaintext.

Change into the mount point and create a simple text file, like the following:

cd geek
touch secret-notes.txt

We can edit it, add some content to it, and then save the file:

gedit secret-notes.txt

Our new file has been created:

ls


If we switch into our encrypted directory, as shown below, we see a new file has been created with an encrypted name. You can’t even tell which file type it is from the name. Note what gocryptfs doesn’t hide, though: the number of files, the directory structure, and (roughly) each file’s size are visible, because every file in the mount point maps to one encrypted file of similar length:

cd ../vault
ls -hl


If we try to view the contents of the encrypted file, we can see it’s truly scrambled:

less aJGzNoczahiSif_gwGl4eAUnwxo9CvOa6kcFf4xVgYU


Our simple text file is now anything but simple to decipher.

Unmounting the Encrypted Directory

When you’re finished with your encrypted directory, unmount it with the fusermount command, which is part of the FUSE package. Move back up out of “vault” first, and then unmount the gocryptfs file system from the mount point:

cd ..
fusermount -u geek


If you list your mount point directory, you’ll see it’s empty again:

ls geek


Everything you did is safely stored, encrypted, in the “vault” directory.

Simple and Secure

Simple systems have the advantage of being used more often, while more complicated processes tend to fall by the wayside. Using gocryptfs is not only simple, it’s also secure. Simplicity without security wouldn’t be worthwhile.

You can create as many encrypted directories as you need or just one to hold all of your sensitive data. You might also want to create a few aliases to mount and unmount your encrypted file system and simplify the process even more.


Dave McKay
Dave McKay first used computers when punched paper tape was in vogue, and he has been programming ever since. After over 30 years in the IT industry, he is now a full-time technology journalist. During his career, he has worked as a freelance programmer, manager of an international software development team, an IT services project manager, and, most recently, as a Data Protection Officer. Dave is a Linux evangelist and open source advocate.