Encrypted overlay filesystem written in Go


gocryptfs Build Status MIT License Go Report Card Latest release Homebrew version

An encrypted overlay filesystem written in Go. Official website: https://nuetzlich.net/gocryptfs (markdown source).

Folders side-by-side animation

gocryptfs is built on top the excellent go-fuse FUSE library. This project was inspired by EncFS and strives to fix its security issues while providing good performance (benchmarks). For details on the security of gocryptfs see the Security design document.

All tags from v0.4 onward are signed by the gocryptfs signing key. Please check Signed Releases for details.

Current Status

gocryptfs has reached version 1.0 on July 17, 2016. It has gone through hours and hours of stress (fsstress, extractloop.bash) and correctness testing (xfstests). It is now considered ready for general consumption.

The old principle still applies: Important data should have a backup. Also, keep a copy of your master key (printed on mount) in a safe place. This allows you to access the data even if the gocryptfs.conf config file is damaged or you lose the password.

The security of gocryptfs has been audited in March 3, 2017. The audit is available here (defuse.ca).


Linux is gocryptfs' native platform.

Beta-quality Mac OS X support is available, which means most things work fine but you may hit an occasional problem. Check out ticket #15 for the history of Mac OS X support but please create a new ticket if you hit a problem.

For Windows, an independent C++ reimplementation can be found here: cppcryptfs

A standalone Python tool that can decrypt files & file names is here: gocryptfs-inspect


Precompiled binaries that work on all x86_64 Linux systems are available for download from the github releases page.

On Debian, gocryptfs is available as a deb package:

apt install gocryptfs

On Mac OS X, gocryptfs is available as a Homebrew formula:

brew install gocryptfs

On Fedora, gocryptfs is available as an rpm package:

sudo dnf install gocryptfs

If you use the standalone binary, make sure you install the fuse package from your distributions package repository before running gocryptfs.

See the Quickstart page for more info.


gocryptfs comes with is own test suite that is constantly expanded as features are added. Run it using ./test.bash. It takes about 1 minute and requires FUSE as it mounts several test filesystems.

The stress_tests directory contains stress tests that run indefinitely.

In addition, I have ported xfstests to FUSE, the result is the fuse-xfstests project. gocryptfs passes the "generic" tests with one exception, results: XFSTESTS.md

A lot of work has gone into this. The testing has found bugs in gocryptfs as well as in the go-fuse library.


With go 1.11 or higher:

$ git clone https://github.com/rfjakob/gocryptfs.git
$ cd gocryptfs
$ ./build.bash

build.bash needs the OpenSSL headers installed (Debian: apt install libssl-dev, Fedora: dnf install openssl-devel). Alternatively, you can compile without OpenSSL using

$ ./build-without-openssl.bash


$ mkdir cipher plain
$ ./gocryptfs -init cipher
$ ./gocryptfs cipher plain

See the Quickstart page for more info.

The MANPAGE.md describes all available command-line options.

Use: Reverse Mode

$ mkdir cipher plain
$ ./gocryptfs -reverse -init plain
$ ./gocryptfs -reverse plain cipher

Graphical Interface

The SiriKali project supports gocryptfs and runs on Linux and OSX.

cppcryptfs on Windows provides its own GUI.

Stable CLI ABI

If you want to call gocryptfs from your app or script, see CLI_ABI.md for the official stable ABI. This ABI is regression-tested by the test suite.

Storage Overhead

  • Empty files take 0 bytes on disk
  • 18 byte file header for non-empty files (2 bytes version, 16 bytes random file id)
  • 32 bytes of storage overhead per 4kB block (16 byte nonce, 16 bytes auth tag)

file-format.md contains a more detailed description.


Since version 0.7.2, gocryptfs is as fast as EncFS in the default mode, and significantly faster than EncFS' "paranoia" mode that provides a security level comparable to gocryptfs.

On CPUs without AES-NI, gocryptfs uses OpenSSL through a thin wrapper called stupidgcm. This provides a 4x speedup compared to Go's builtin AES-GCM implementation. See CPU-Benchmarks for details, or run gocryptfs -speed to see the encryption performance of your CPU. Example for a CPU without AES-NI:

$ ./gocryptfs -speed
AES-GCM-256-OpenSSL    165.67 MB/s  (selected in auto mode)
AES-GCM-256-Go          49.62 MB/s
AES-SIV-512-Go          39.98 MB/s

You can run ./benchmark.bash to run gocryptfs' canonical set of benchmarks that include streaming write, extracting a linux kernel tarball, recursively listing and finally deleting it. The output will look like this:

$ ./benchmark.bash
Testing gocryptfs at /tmp/benchmark.bash.DwL: gocryptfs v1.6; go-fuse v20170619-45-g95c6370; 2018-08-18 go1.10.3
WRITE: 262144000 bytes (262 MB, 250 MiB) copied, 1.1033 s, 238 MB/s
READ:  262144000 bytes (262 MB, 250 MiB) copied, 0.945291 s, 277 MB/s
UNTAR: 17.768
MD5:   8.459
LS:    1.460
RM:    3.379


vNEXT, in progress

  • MANPAGE: Split options into sections acc. to where they apply (#517)
  • -idle: count cwd inside the mount as busy (#533)
  • Make gocryptfs.diriv and gocryptfs.xxx.name files world-readable to make encrypted backups easier when mounting via /etc/fstab (#539)
  • Make it work with MacFUSE v4.x (#524)
  • Disable ACL encryption, it causes a lot of problems (#543, #536)
    • Old encrypted ACLs are reported by gocryptfs -fsck but otherwise ignored
    • This fixes inheritance, but does not yet enforce them correctly

v2.0-beta2, 2020-11-14

v2.0-beta1, 2020-10-15

  • Switch to the improved go-fuse v2 API
    • This is a big change, a lot of code has been reorganized or rewritten to fit the v2 API model.
    • Please test & report bugs
    • No changes to the on-disk format
    • File descriptor caching is not yet implemented, causing a slowdown. Caching will be implemented for v2.0 final.
  • Add support for FIDO2 tokens (-fido2, #505)
  • Add -encrypt-paths / -decrypt-paths functionality to gocryptfs-xray (#416)
  • Accept multiple -passfiles (#288)
  • Make -masterkey=stdin work together with -passwd (#461)
  • Fix Unknown opcode 2016 crash on Google Cloud (go-fuse #276, gocryptfs commit ec74d1d)

v1.8.0, 2020-05-09

  • Enable ACL support (#453)
    • Warning 2021-02-07: This feature is incomplete! Do not use ACLs before gocryptfs v2.0 final! Reading and writing ACLs works, but they are not enforced or inherited (#542)
  • Ignore .nfsXXX temporary files (#367)
  • Handle inode number collisions from multiple devices (#435)
  • Drop -nonempty for fusermount3 (#440)
  • Reverse mode: improve inode number mapping and max=1000000000000000000 limitation (#457)
  • Enable --buildmode=pie (#460)
  • Migrate from dep to Go Modules (commit cad711993)
  • go mod: update dependencies (commit b23f77c)
  • gocryptfs -speed: add XChaCha20-Poly1305-Go (#452)
  • Respect GOMAXPROCS environment variable (commit ff210a06f
  • Completely remove Trezor-related code (commit 1364b44ae356da31e24e5605fe73a307e9d6fb03)
    • Has been disabled since v1.7 due to issues a third-party module.
    • Please use FIDO2 instead (gocryptfs v2.0)

v1.7.1, 2019-10-06

  • Support wild cards in reverse mode via --exclude-wildcard (#367). Thanks @ekalin!
  • Create gocryptfs.diriv files with 0440 permissions to make it easier to share an encrypted folder via a network drive (#387). Note: as a security precaution, the owner must still manually chmod gocryptfs.conf 0440 to allow mounting.
  • Allow the nofail option in /etc/fstab
  • -passwd can now change the -scryptn parameter for existing filesystems (#400)
  • Fix -idle unmounting the filesystem despite recent activity (#421)
  • Fix a race condition related to inode number reuse (#363). It could be triggered by concurrently creating and deleting files and can lead to data loss in the affected file. This bug was found by the automated tests on Travis and was very hard to trigger locally.
  • tests: use /var/tmp instead of /tmp by default (commit 8c4429)

v1.7, 2019-03-17

  • Fix possible symlink race attacks in forward mode when using allow_other + plaintextnames
    • If you use both -allow_other and -plaintextnames, you should upgrade. Malicious users could trick gocryptfs into modifying files outside of CIPHERDIR, or reading files inside CIPHERDIR that they should not have access to.
    • If you do not use -plaintextnames (disabled per default), these attacks do not work as symlinks are encrypted.
    • Forward mode has been reworked to use the "*at" family of system calls everywhere (Openat/Unlinkat/Symlinkat/...).
    • As a result, gocryptfs may run slightly slower, as the caching logic has been replaced and is very simple at the moment.
    • The possibility for such attacks was found during an internal code review.
  • Reverse mode: fix excluded, unaccessible files showing up in directory listings (#285, #286)
  • gocryptfs-xray: add -aessiv flag for correctly parsing AES-SIV format files (#299)
  • Ensure that standard fds 0,1,2 are always initialized (#320). Prevents trouble in the unlikely case that gocryptfs is called with stdin,stdout and/or stderr closed.
  • -extpass now can be specified multiple times to support arguments containing spaces (#289)
  • Drop Fstatat, Mkdirat, Syslinkat, Fchownat, Unlinkat, Renameat, Openat emulation of MacOS and instead use native functions (thanks @slackner !)
  • Use Setreuid to robustly set the owner with allow_other (@slackner, (commit))
  • Pack the rendered man page into the source code archive for user convenience (issue 355)
  • Disable Trezor support again (commit 16fac26c57ba303bf60266d24c17f5243e5ea376)
    • Trezor support has been broken since Sept 2018 due to issues in a third-party module (#261)

v1.6.1, 2018-12-12

  • Fix "Operation not supported" chmod errors on Go 1.11 (#271)

v1.6, 2018-08-18

  • Add -e / -exclude option for reverse mode (#235, commit)
  • Add support for the Trezor One HSM PR#247, thanks @xaionaro!
    • Use ./build.bash -tags enable_trezor to compile with Trezor support
    • Then, use gocryptfs -init -trezor to create a filesystem locked with a physical Trezor device.
    • Note 2021-01-31: Support was removed again in gocryptfs v1.7. Please use -fido2 in gocryptfs v2.0.
  • Only print master key once, on init (#76, commit)
  • Fall back to buffered IO even when passed O_DIRECT (commit)

v1.5, 2018-06-12

  • Support extended attributes (xattr) in forward mode (#217). Older gocryptfs versions will ignore the extended attributes.
  • Add -fsck function (#191)
  • Fix clobbered timestamps on MacOS High Sierra (#229)
  • Add -masterkey=stdin functionality (#218)
  • Accept -dev/-nodev, suid/nosuid, -exec/-noexec, -ro/-rw flags to make mounting via /etc/fstab possible. Thanks @mahkoh! (#233, commit, commit)
  • Fix a logger path issue on SuSE #225
  • Stop printing the help text on a "flag provided but not defined" error (commit)

v1.4.4, 2018-03-18

  • Overwrite secrets in memory with zeros as soon as possible (#211)
  • Fix Getdents problems on i386 and mips64le (#197, #200)
  • Make building with gccgo work (#201)
  • MacOS: fix osxfuse: vnode changed generation / Error code -36 issue in go-fuse (#213, commit)
  • Fix various test issues on MacOS

v1.4.3, 2018-01-21

  • Fix several symlink race attacks in connection with reverse mode and allow_other. Thanks to @slackner for reporting and helping to fix the issues:
    • Fix symlink races in reverse mode (issue #165)
    • Fix symlink races in connection with -allow_other (issue #177)
  • Fix problems with special names when using -plaintextnames (issue #174)
  • Add -devrandom command-line option (commit)
  • Add -sharedstorage command-line option (commit, issue #156)
  • MacOS: let OSXFuse create the mountpoint if it does not exist (issue #194)

v1.4.2, 2017-11-01

  • Add Gopkg.toml file for dep vendoring and reproducible builds (issue #142)
  • MacOS: deal with .DS_Store files inside CIPHERDIR (issue #140)
  • Reverse mode: fix ENOENT error affecting names exactly 176 bytes long (issue #143)
  • Support kernels compiled with > 128 kiB FUSE request size (Synology NAS) (issue #145, commit)
  • Fix a startup hang when $PATH contains the mountpoint (issue #146)

v1.4.1, 2017-08-21

  • Use memory pools for buffer handling ( 3c6fe98, b2a23e9, 12c0101)
    • On my machine, this doubles the streaming read speed (see performance.txt)
  • Implement and use the getdents(2) syscall for a more efficient OpenDir implementation (e50a6a5)
  • Purge masterkey from memory as soon as possible (issue #137)
  • Reverse mode: fix inode number collision between .name and .diriv files (d12aa57)
  • Prevent the logger from holding stdout open (issue #130)
  • MacOS: make testing without openssl work properly (ccf1a84)
  • MacOS: specify a volume name (9f8e19b)
  • Enable writing to write-only files (issue #125)

v1.4, 2017-06-20

  • Switch to static binary releases
    • From gocryptfs v1.4, I will only release statically-built binaries. These support all Linux distributions but cannot use OpenSSL.
    • OpenSSL is still supported - just compile from source!
  • Add -force_owner option to allow files to be presented as owned by a different user or group from the user running gocryptfs. Please see caveats and guidance in the man page before using this functionality.
  • Increase open file limit to 4096 (#82).
  • Implement path decryption via ctlsock (#84). Previously, decryption was only implemented for reverse mode. Now both normal and reverse mode support both decryption and encryption of paths via ctlsock.
  • Add more specific exit codes for the most common failure modes, documented in CLI_ABI.md
  • Reverse mode: make sure hard-linked files always return the same ciphertext (commit 9ecf2d1a)
  • Display a shorter, friendlier help text by default.
  • Parallelize file content encryption by splitting data blocks into two threads (ticket#116)
  • Prefetch random nonces in the background (commit 80516ed)
  • Add -info option to pretty-print infos about a filesystem.

v1.3, 2017-04-29

  • Use HKDF to derive separate keys for GCM and EME
    • New feature flag: HKDF (enabled by default)
    • This is a forwards-compatible change. gocryptfs v1.3 can mount filesystems created by earlier versions but not the other way round.
  • Enable Raw64 filename encoding by default (gets rid of trailing == characters)
    • This is a forwards-compatible change. gocryptfs v1.3 can mount filesystems created by earlier versions but not the other way round.
  • Drop Go 1.4 compatibility. You now need Go 1.5 (released 2015-08-19) or higher to build gocryptfs.
  • Add -serialize_reads command-line option
    • This can greatly improve performance on storage that is very slow for concurrent out-of-order reads. Example: Amazon Cloud Drive (#92)
  • Reject file-header-only files (#90 2.2, commit)
  • Increase max password size to 2048 bytes (#93)
  • Use stable 64-bit inode numbers in reverse mode
    • This may cause problems for very old 32-bit applications that were compiled without Large File Support.
  • Passing "--" now also blocks "-o" parsing

v1.2.1, 2017-02-26

  • Add an integrated speed test, gocryptfs -speed
  • Limit password size to 1000 bytes and reject trailing garbage after the newline
  • Make the test suite work on Mac OS X
  • Handle additional corner cases in -ctlsock path sanitization
  • Use dedicated exit code 12 on "password incorrect"

v1.2, 2016-12-04

  • Add a control socket interface. Allows to encrypt and decrypt filenames. For details see backintime#644.
    • New command-line option: -ctlsock
  • Under certain circumstances, concurrent truncate and read could return an I/O error. This is fixed by introducing a global open file table that stores the file IDs (commit).
  • Coalesce 4kB ciphertext block writes up to the size requested through the write FUSE call (commit with benchmarks)
  • Add -noprealloc command-line option
    • Greatly speeds up writes on Btrfs (#63) at the cost of reduced out-of-space robustness.
    • This is a workaround for Btrfs' slow fallocate(2)
  • Preserve owner for symlinks an device files (fixes bug #64)
  • Include rendered man page gocryptfs.1 in the release tarball

v1.1.1, 2016-10-30

  • Fix a panic on setting file timestamps (go-fuse#131)
  • Work around an issue in tmpfs that caused a panic in xfstests generic/075 (gocryptfs#56)
  • Optimize NFS streaming writes (commit)

v1.1, 2016-10-19

  • Add reverse mode (#19)
    • AES-SIV (RFC5297) encryption to implement deterministic encryption securely. Uses the excellent jacobsa/crypto library. The corresponding feature flag is called AESSIV.
    • New command-line options: -reverse, -aessiv
    • Filesystems using reverse mode can only be mounted with gocryptfs v1.1 and later.
    • The default, forward mode, stays fully compatible with older versions. Forward mode will keep using GCM because it is much faster.
  • Accept -o foo,bar,baz-style options that are passed at the end of the command-line, like mount(1) does. All other options must still precede the passed paths.
    • This allows mounting from /etc/fstab. See #45 for details.
    • Mounting on login using pam_mount works as well. It is described in the wiki.
  • To prevent confusion, the old -o option had to be renamed. It is now called -ko. Arguments to -ko are passed directly to the kernel.
  • New -passfile command-line option. Provides an easier way to read the password from a file. Internally, this is equivalent to -extpass "/bin/cat FILE".
  • Enable changing the password when you only know the master key (#28)

v1.0, 2016-07-17

  • Deprecate very old filesystems, stage 3/3
    • Filesystems created by v0.6 can no longer be mounted
    • Drop command-line options -gcmiv128, -emenames, -diriv. These are now always enabled.
  • Add fallocate(2) support
  • New command-line option -o
    • Allows to pass mount options directly to the kernel
  • Add support for device files and suid binaries
    • Only works when running as root
    • Must be explicitly enabled by passing "-o dev" or "-o suid" or "-o suid,dev"
  • Experimental Mac OS X support. See ticket #15 for details.

v0.12, 2016-06-19

  • Deprecate very old filesystems, stage 2/3
    • Filesystems created by v0.6 and older can only be mounted read-only
    • A message explaining the situation is printed as well
  • New command line option: -ro
    • Mounts the filesystem read-only
  • Accept password from stdin as well (ticket #30)

v0.11, 2016-06-10

  • Deprecate very old filesystems, stage 1/3
    • Filesystems created by v0.6 and older can still be mounted but a warning is printed
    • See ticket #29 for details and join the discussion
  • Add rsync stress test "pingpong-rsync.bash"
    • Fix chown and utimens failures that caused rsync to complain
  • Build release binaries with Go 1.6.2
    • Big speedup for CPUs with AES-NI, see ticket #23

v0.10, 2016-05-30

  • Replace spacemonkeygo/openssl with stupidgcm
    • gocryptfs now has its own thin wrapper to OpenSSL's GCM implementation called stupidgcm.
    • This should fix the compile issues people are seeing with spacemonkeygo/openssl. It also gets us a 20% performance boost for streaming writes.
  • Automatically choose between OpenSSL and Go crypto issue #23
    • Go 1.6 added an optimized GCM implementation in amd64 assembly that uses AES-NI. This is faster than OpenSSL and is used if available. In all other cases OpenSSL is much faster and is used instead.
    • -openssl=auto is the new default
    • Passing -openssl=true/false overrides the autodetection.
  • Warn but continue anyway if fallocate(2) is not supported by the underlying filesystem, see issue #22
    • Enables to use gocryptfs on ZFS and ext3, albeit with reduced out-of-space safety.
  • Fix statfs, by @lxp
  • Fix a fsstress failure in the go-fuse library.

v0.9, 2016-04-10

  • Long file name support
    • gocryptfs now supports file names up to 255 characters.
    • This is a forwards-compatible change. gocryptfs v0.9 can mount filesystems created by earlier versions but not the other way round.
  • Refactor gocryptfs into multiple "internal" packages
  • New command-line options:
    • -longnames: Enable long file name support (default true)
    • -nosyslog: Print messages to stdout and stderr instead of syslog (default false)
    • -wpanic: Make warning messages fatal (used for testing)
    • -d: Alias for -debug
    • -q: Alias for -quiet

v0.8, 2016-01-23

  • Redirect output to syslog when running in the background
  • New command-line option:
    • -memprofile: Write a memory allocation debugging profile the specified file

v0.7.2, 2016-01-19

  • Fix performance issue in small file creation
    • This brings performance on-par with EncFS paranoia mode, with streaming writes significantly faster
    • The actual fix is in the go-fuse library. There are no code changes in gocryptfs.

v0.7.1, 2016-01-09

  • Make the build.bash script compatible with Go 1.3
  • Disable fallocate on OSX (system call not available)
  • Introduce pre-built binaries for Fedora 23 and Debian 8

v0.7, 2015-12-20

  • Extend GCM IV size to 128 bit from Go's default of 96 bit
    • This pushes back the birthday bound to make IV collisions virtually impossible
    • This is a forwards-compatible change. gocryptfs v0.7 can mount filesystems created by earlier versions but not the other way round.
  • New command-line option:
    • -gcmiv128: Use 128-bit GCM IVs (default true)

v0.6, 2015-12-08

  • Wide-block filename encryption using EME + DirIV
    • EME (ECB-Mix-ECB) provides even better security than CBC as it fixes the prefix leak. The used Go EME implementation is https://github.com/rfjakob/eme which is, as far as I know, the first implementation of EME in Go.
    • This is a forwards-compatible change. gocryptfs v0.6 can mount filesystems created by earlier versions but not the other way round.
  • New command-line option:
    • -emenames: Enable EME filename encryption (default true)

v0.5.1, 2015-12-06

  • Fix a rename regression caused by DirIV and add test case
  • Use fallocate to guard against out-of-space errors

v0.5, 2015-12-04

  • Stronger filename encryption: DirIV
    • Each directory gets a random 128 bit file name IV on creation, stored in gocryptfs.diriv
    • This makes it impossible to identify identically-named files across directories
    • A single-entry IV cache brings the performance cost of DirIV close to zero for common operations (see performance.txt)
    • This is a forwards-compatible change. gocryptfs v0.5 can mount filesystems created by earlier versions but not the other way round.
  • New command-line option:
    • -diriv: Use the new per-directory IV file name encryption (default true)
    • -scryptn: allows to set the scrypt cost parameter N. This option can be used for faster mounting at the cost of lower brute-force resistance. It was mainly added to speed up the automated tests.

v0.4, 2015-11-15

  • New command-line options:
    • -plaintextnames: disables filename encryption, added on user request
    • -extpass: calls an external program for prompting for the password
    • -config: allows to specify a custom gocryptfs.conf path
  • Add FeatureFlags gocryptfs.conf parameter
    • This is a config format change, hence the on-disk format is incremented
    • Used for ext4-style filesystem feature flags. This should help avoid future format changes. The first user is -plaintextnames.
  • On-disk format 2

v0.3, 2015-11-01

  • Add a random 128 bit file header to authenticate file->block ownership
    • This is an on-disk-format change
  • On-disk format 1

v0.2, 2015-10-11

  • Replace bash daemonization wrapper with native Go implementation
  • Better user feedback on mount failures

v0.1, 2015-10-07

  • First release
  • On-disk format 0
  • Mac OS X support

    Mac OS X support

    Go support Mac OS X, as does the FUSE library we use, go-fuse.

    gocrypts may actually work out of the box on OSX, but there probably are small issues that have to be sorted out.

    At the very least, gocryptfs has to be tested on OSX. As I do not have a Mac to test on, this would be an opportunity for somebody from the Mac community to step up. Please comment here if you are interested.

    feature request help wanted 
    opened by rfjakob 121
  • Feature Request: encryption primitives for devices without AES cpu instructions

    Feature Request: encryption primitives for devices without AES cpu instructions

    Hi @rfjakob,

    Thank you for this great application! The reverse mode is what really sets it apart from other options.

    I checked the issues, and it doesn't seem to be discussed yet, but what do you think about adding support for a different collection of encryption primitives that are better suited for more low-end devices?

    I'm running gocryptfs on a few ARMv6/7 based NAS machines, they are nice: low energy, and quite fast. But they lack native AES instructions, my fastest ARM device (Odroid XU4) maxes out at 40MB/s, while for example the raspberry-pi's and friends are quite a bit slower (rpi1 is at 15MB/s).

    Maybe Google Adiantum (also added to linux kernel 5.0 for cryptfs) is a nice fit, Adiantum is based on XChaCha12 and Poly1305 and is roughly 5 quicker than AES-XTS for devices without AES instructions.

    For the reverse mode maybe something based on ChaCha20Poly1305?

    Just for comparison, on my Odroid XU4, ChaCha20Poly1305 runs at 320MB/s, on my RPi1 it gets close to 40MB/s.

    So I'm just wondering what your view is on this topic.

    Cheers, Davy

    feature request maybe some day ⌛ 
    opened by DavyLandman 79
  • xfstests generic/273 failure

    xfstests generic/273 failure

    Needs further analysis:

    _porter 28 not complete
    cp: cannot create regular file '/var/tmp/check-gocryptfs/scratchdir/sub_28/origin/file_548': No such file or directory


    bug bug outside gocryptfs 
    opened by rfjakob 36
  • macOS (Error code -36) while copying

    macOS (Error code -36) while copying

    Hey there,

    I am getting this (title) message very often while copying data. In the System Console I see:

    19/02/18 21:25:51,000 kernel[0]: osxfuse: fuse_vnop_readdir failed (err=22)
    19/02/18 21:25:51,000 kernel[0]: osxfuse: fuse_vnop_readdir failed (err=22)
    19/02/18 21:25:51,000 kernel[0]: osxfuse: fuse_vnop_readdir failed (err=22)
    19/02/18 21:25:51,000 kernel[0]: osxfuse: fuse_vnop_readdir failed (err=22)
    19/02/18 21:25:51,000 kernel[0]: osxfuse: fuse_vnop_readdir failed (err=22)
    19/02/18 21:25:51,000 kernel[0]: osxfuse: fuse_vnop_readdir failed (err=22)
    19/02/18 21:25:52,000 kernel[0]: osxfuse: vnode changed generation
    19/02/18 21:25:52,000 kernel[0]: osxfuse: vnode changed generation
    19/02/18 21:25:52,000 kernel[0]: osxfuse: vnode changed generation
    19/02/18 21:25:52,000 kernel[0]: osxfuse: vnode changed generation
    19/02/18 21:25:52,000 kernel[0]: osxfuse: vnode changed generation
    19/02/18 21:25:52,000 kernel[0]: osxfuse: vnode changed generation
    19/02/18 21:25:52,000 kernel[0]: osxfuse: vnode changed generation
    19/02/18 21:25:52,000 kernel[0]: osxfuse: vnode changed generation
    19/02/18 21:25:52,000 kernel[0]: osxfuse: vnode changed generation
    19/02/18 21:25:52,000 kernel[0]: osxfuse: vnode changed generation
    19/02/18 21:25:53,000 kernel[0]: osxfuse: fuse_vnop_readdir failed (err=22)
    19/02/18 21:25:53,000 kernel[0]: osxfuse: fuse_vnop_readdir failed (err=22)
    19/02/18 21:25:53,000 kernel[0]: osxfuse: fuse_vnop_readdir failed (err=22)
    19/02/18 21:25:53,000 kernel[0]: osxfuse: fuse_vnop_readdir failed (err=22)
    19/02/18 21:25:53,000 kernel[0]: osxfuse: fuse_vnop_readdir failed (err=22)
    19/02/18 21:25:53,000 kernel[0]: osxfuse: fuse_vnop_readdir failed (err=22)

    Although this seems to occur sometimes without the error in Finder. When I copy via cpthen some files do not get copied and cp prints Stale NFS file handle

    The debug output of gocrypt itself does not show any errors. I am using version gocryptfs v1.4.3; go-fuse [vendored]; 2018-02-02 go1.9.3 (Homebrew) and OSX Fuse version 3.7.1.

    Thanks a lot, Magnus

    opened by magnusja 36
  • macOS: modification and creation dates reset

    macOS: modification and creation dates reset

    I started using gocryptfs (latest version) on macOS High Sierra and noticed that each time I eject my encrypted volume and remount it, that the creation and modification dates are reset to 1970-01-01. Is this expected behaviour?

    I mount my dirs using

    gocryptfs -ko local /path/to/encDir /Volumes/encDir

    Also mounting them without the -ko local option has the same result.

    opened by alexanderharm 35
  • Feature Request: Reverse Mode

    Feature Request: Reverse Mode

    Add an option similar to the --reverse option for encfs:

    Normally EncFS provides a plaintext view of data on demand. Normally it stores enciphered data and displays plaintext data. With --reverse it takes as source plaintext data and produces enciphered data on-demand. This can be useful for creating remote encrypted backups, where you do not wish to keep the local files unencrypted.

    For example, the following would create an encrypted view in /tmp/crypt-view.

    encfs --reverse /home/me /tmp/crypt-view You could then copy the /tmp/crypt-view directory in order to have a copy of the encrypted data. You must also keep a copy of the file /home/me/.encfs5 which contains the filesystem information. Together, the two can be used to reproduce the unencrypted data: ENCFS5_CONFIG=/home/me/.encfs5 encfs /tmp/crypt-view /tmp/plain-view Now /tmp/plain-view contains the same data as /home/me Note that --reverse mode only works with limited configuration options, so many settings may be disabled when used.

    (Quote from encfs man page)

    feature request 
    opened by usr42 30
  • Poor read performance with network backend

    Poor read performance with network backend

    Use case

    • /tmp/encrypted is an Amazon Cloud Drive folder, mounted read-only using rclone
    • /tmp/clear is the gocryptfs deciphered version of the above.

    Copying a 300MB file (ciphered) from /tmp/encrypted, I get around 5-6MBps, which is OK, considering my bandwidth is 10MBps. Copying the same file from /tmp/clear yields extremely poor speeds (from 100KBps to 1MBps). Speed is not limited by the CPU. Tracing read requests in rclone shows read sizes from 4KB to 128KB occuring at low frequency (thus low througput)

    Any advice would be greatly appreciated.


    • Debian Stretch, x86_64
    • gocryptfs 1.2.1
    • Ciphered volume has the following features:
      • version: 2
      • flags: GCMIV128, DirIV, EMENames, LongNames, AESSIV
    • rclone 1.35, mount max-read-ahead set to 16MB
    opened by j-vizcaino 28
  • gocryptfs for Windows - Cross-platform support

    gocryptfs for Windows - Cross-platform support

    Because it's Go, could it be made to run on Windows as well? (Cross-platform support is an attractive feature.)

    The problem with windows is that it does not have FUSE support. Linux has it built-in and Mac has the OSXFuse project. On windows, the only thing i am aware of is http://encfsmp.sourceforge.net/ . They SOMEHOW managed to get encfs (which also uses FUSE) running on windows, using a closed-source windows kernel driver and lots of black magic.

    See discussion here https://github.com/rfjakob/gocryptfs/issues/2#issuecomment-152955769 and here https://github.com/rfjakob/gocryptfs/issues/2#issuecomment-152962990

    feature request help wanted 
    opened by dakkusingh 27
  • Dircache should handle fd == 0 as a valid file descriptor

    Dircache should handle fd == 0 as a valid file descriptor

    While rather unlikely in practice, a file descriptor of 0 is completely valid and should not be treated as an error [1]. Both open and Dup typically return the smallest available file descriptor and only negative values are errors. If the user starts gocryptfs with stdin (fd == 0) closed and triggers the dircache code fast enough (not sure if that is actually possible), this could lead to a panic / unexpected behavior (e.g., in the fd validation in Store).

    [1] https://unix.stackexchange.com/questions/100611/aix-open-file-descriptor-is-zero

    opened by slackner 25
  • Cannot initialize gocryptfs due to

    Cannot initialize gocryptfs due to "WriteDirIV: open .../cipher/gocryptfs.diriv: permission denied"

    I'm trying to set up gocryptfs on Ubuntu 14.04.1 LTS. I downloaded the binary release 1.2.1 from here (Debian version) and tried initilaizing a folder. But I get the mentioned error:

    $ cd ~ $ mkdir plain cipher $ ./gocryptfs -init cipher Choose a password for protecting your files. Password: Repeat: WriteDirIV: open /home/<username>/cipher/gocryptfs.diriv: permission denied open /home/<username>/cipher/gocryptfs.diriv: permission denied

    In case this matters: my home folder is an NFS4 mount.

    opened by Natanji 25
  • fido2: user verification switch

    fido2: user verification switch "-v" causes fido2-cred to return FIDO_ERR_UNSUPPORTED_OPTION when device has no biometric function

    default compilation results in the output below, with reported error 'FIDO_ERR_UNSUPPORTED_OPTION'

    $ gocryptfs -init -d -fido2="IOService:/AppleACPIPlatformExpert/[email protected]/AppleACPIPCI/[email protected]/[email protected]/[email protected]/YubiKey [email protected]/[email protected]/AppleUserUSBHostHIDDevice" foo.gocryptfs OpenSSL disabled, using Go GCM FIDO2 Register: interact with your device ... callFidoCommand: executing "/usr/local/bin/fido2-cred" with args [fido2-cred -M -h -v IOService:/AppleACPIPlatformExpert/[email protected]/AppleACPIPCI/[email protected]/[email protected]/[email protected]/YubiKey [email protected]/[email protected]/AppleUserUSBHostHIDDevice] fido2-cred: fido_dev_make_cred: FIDO_ERR_UNSUPPORTED_OPTION fido2-cred failed with exit status 1

    calling the reported command line shows that the space in the device string is the troublemaker [Edit : wrong assumption. -v was the root cause] $ fido2-cred -M -h -v IOService:/AppleACPIPlatformExpert/[email protected]/AppleACPIPCI/[email protected]/[email protected]/[email protected]/YubiKey [email protected]/[email protected]/AppleUserUSBHostHIDDevice fido2-cred: unknown type OTP+F[email protected]/[email protected]/AppleUserUSBHostHIDDevice

    I added the patch below to the brew formula in order to have the space escaped :

    inreplace "./internal/fido2/fido2.go",
              " device)",
              ' fmt.Sprintf("%s",strings.ReplaceAll(device," ","\\\\\\\\ ")))'

    results after the patch : the space is now escaped, and the reported error changed to 'FIDO_ERR_INTERNAL'

    $ gocryptfs -init -d -fido2="IOService:/AppleACPIPlatformExpert/[email protected]/AppleACPIPCI/[email protected]/[email protected]/[email protected]/YubiKey [email protected]/[email protected]/AppleUserUSBHostHIDDevice" foo.gocryptfs OpenSSL disabled, using Go GCM FIDO2 Register: interact with your device ... callFidoCommand: executing "/usr/local/bin/fido2-cred" with args [fido2-cred -M -h -v IOService:/AppleACPIPlatformExpert/[email protected]/AppleACPIPCI/[email protected]/[email protected]/[email protected]/YubiKey\ [email protected]/[email protected]/AppleUserUSBHostHIDDevice] fido2-cred: fido_dev_open IOService:/AppleACPIPlatformExpert/[email protected]/AppleACPIPCI/[email protected]/[email protected]/[email protected]/YubiKey\ [email protected]/[email protected]/AppleUserUSBHostHIDDevice: FIDO_ERR_INTERNAL fido2-cred failed with exit status 1

    invoking fido2-creds with the latest reported command line does not report any error. I'm still investigating to find what goes wrong.

    opened by GaelC92 23
  • gocryptfs -init returned 'fatal error: runtime: out of memory' when using '-scryptn' option with values 24 and above

    gocryptfs -init returned 'fatal error: runtime: out of memory' when using '-scryptn' option with values 24 and above

    Team, I hit an issue when using the following version of gocryptfs: gocryptfs v2.3 without_openssl; go-fuse v2.1.1-0.20211219085202-934a183ed914; 2022-08-28 go1.19 linux/amd6

    Here are my computer details:

    • uname -a returned Linux xubuntu 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    • cat /etc/*release* showed:
    PRETTY_NAME="Ubuntu 22.04 LTS"
    VERSION="22.04 (Jammy Jellyfish)"
    • lsmem showed:
    RANGE                                 SIZE  STATE REMOVABLE  BLOCK
    0x0000000000000000-0x000000007fffffff   2G online       yes   0-15
    0x0000000100000000-0x000000047fffffff  14G online       yes 32-143
    Memory block size:       128M
    Total online memory:      16G
    Total offline memory:      0B
    • lscpu showed:
    Architecture:            x86_64
      CPU op-mode(s):        32-bit, 64-bit
      Address sizes:         39 bits physical, 48 bits virtual
      Byte Order:            Little Endian
    CPU(s):                  4
      On-line CPU(s) list:   0-3
    Vendor ID:               GenuineIntel
      Model name:            Intel(R) Core(TM) m7-6Y75 CPU @ 1.20GHz
        CPU family:          6
        Model:               78
        Thread(s) per core:  2
        Core(s) per socket:  2
        Socket(s):           1
        Stepping:            3
        CPU max MHz:         3100.0000
        CPU min MHz:         400.0000
        BogoMIPS:            2400.00
        Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mc
                             a cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss 
                             ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art
                              arch_perfmon pebs bts rep_good nopl xtopology nonstop_
                             tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cp
                             l vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid ss
                             e4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes 
                             xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_f
                             ault invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow
                              vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust 
                             sgx bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx sma
                             p clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dt
                             herm ida arat pln pts hwp hwp_notify hwp_act_window hwp
                             _epp md_clear flush_l1d
    Virtualization features: 
      Virtualization:        VT-x
    Caches (sum of all):     
      L1d:                   64 KiB (2 instances)
      L1i:                   64 KiB (2 instances)
      L2:                    512 KiB (2 instances)
      L3:                    4 MiB (1 instance)
      NUMA node(s):          1
      NUMA node0 CPU(s):     0-3
      Itlb multihit:         KVM: Mitigation: VMX disabled
      L1tf:                  Mitigation; PTE Inversion; VMX conditional cache flushe
                             s, SMT vulnerable
      Mds:                   Mitigation; Clear CPU buffers; SMT vulnerable
      Meltdown:              Mitigation; PTI
      Spec store bypass:     Mitigation; Speculative Store Bypass disabled via prctl
                              and seccomp
      Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer
      Spectre v2:            Mitigation; Retpolines, IBPB conditional, IBRS_FW, STIB
                             P conditional, RSB filling
      Srbds:                 Mitigation; Microcode
      Tsx async abort:       Mitigation; TSX disabled

    When I used the -init with -scryptn 23_, I didn't observe any error (files is the name of the directory and master keys have been removed from the output):

    gocryptfs -init -raw64 -xchacha -noexec -fg -nosyslog -scryptn 23 files
    Choose a password for protecting your files.
    Your master key is:
    If the gocryptfs.conf file becomes corrupted or you ever forget your password,
    there is only one hope for recovery: The master key. Print it to a piece of
    paper and store it in a drawer. This message is only printed once.
    The gocryptfs filesystem has been created successfully.
    You can now mount it using: gocryptfs files MOUNTPOINT

    When I use 24 (and above as well - for eg 26 and 28) as the value of the -scryptn option, I see:

    gocryptfs -init -raw64 -xchacha -noexec -fg -nosyslog -scryptn 24 files
    Choose a password for protecting your files.
    Your master key is:
    If the gocryptfs.conf file becomes corrupted or you ever forget your password,
    there is only one hope for recovery: The master key. Print it to a piece of
    paper and store it in a drawer. This message is only printed once.
    fatal error: runtime: out of memory
    runtime stack:
    runtime.throw({0x64e8b2?, 0x2030?})
    	runtime/panic.go:1047 +0x5d fp=0x7ffc64780170 sp=0x7ffc64780140 pc=0x43667d
    runtime.sysMapOS(0xc000400000, 0x400000000?)
    	runtime/mem_linux.go:187 +0x11b fp=0x7ffc647801b8 sp=0x7ffc64780170 pc=0x41829b
    runtime.sysMap(0x7f67a0?, 0x7f8da3c85000?, 0x42b7a0?)
    	runtime/mem.go:142 +0x35 fp=0x7ffc647801e8 sp=0x7ffc647801b8 pc=0x417c75
    runtime.(*mheap).grow(0x7f67a0, 0x200000?)
    	runtime/mheap.go:1459 +0x23d fp=0x7ffc64780258 sp=0x7ffc647801e8 pc=0x42879d
    runtime.(*mheap).allocSpan(0x7f67a0, 0x200000, 0x0, 0x1)
    	runtime/mheap.go:1191 +0x1be fp=0x7ffc647802f0 sp=0x7ffc64780258 pc=0x427efe
    	runtime/mheap.go:910 +0x65 fp=0x7ffc64780338 sp=0x7ffc647802f0 pc=0x427985
    	runtime/asm_amd64.s:492 +0x49 fp=0x7ffc64780340 sp=0x7ffc64780338 pc=0x467829
    goroutine 1 [running]:
    	runtime/asm_amd64.s:459 fp=0xc00008d3e8 sp=0xc00008d3e0 pc=0x4677c0
    runtime.(*mheap).alloc(0x40ca3e?, 0x7f8d7c675218?, 0xe0?)
    	runtime/mheap.go:904 +0x65 fp=0xc00008d430 sp=0xc00008d3e8 pc=0x4278c5
    runtime.(*mcache).allocLarge(0x7f8da3ca5a68?, 0x400000000, 0x1)
    	runtime/mcache.go:233 +0x85 fp=0xc00008d480 sp=0xc00008d430 pc=0x416c05
    runtime.mallocgc(0x400000000, 0x602e60, 0x1)
    	runtime/malloc.go:1029 +0x57e fp=0xc00008d4f8 sp=0xc00008d480 pc=0x40d13e
    runtime.makeslice(0x0?, 0x7deca0?, 0xc00008d570?)
    	runtime/slice.go:103 +0x52 fp=0xc00008d520 sp=0xc00008d4f8 pc=0x44e0d2
    golang.org/x/crypto/scrypt.Key({0xc000124980?, 0x4, 0x8}, {0xc0001300e0, 0x20, 0x20}, 0x1000000, 0xc0001300e0?, 0x1, 0x20)
    	golang.org/x/[email protected]/scrypt/scrypt.go:204 +0x18a fp=0xc00008d5d8 sp=0xc00008d520 pc=0x570daa
    github.com/rfjakob/gocryptfs/v2/internal/configfile.(*ScryptKDF).DeriveKey(0xc00016cfc8, {0xc000124980, 0x4, 0x8})
    	github.com/rfjakob/gocryptfs/v2/internal/configfile/scrypt.go:70 +0xd3 fp=0xc00008d660 sp=0xc00008d5d8 pc=0x573693
    github.com/rfjakob/gocryptfs/v2/internal/configfile.(*ConfFile).EncryptKey(0xc00016cfa0, {0xc000130080, 0x20, 0x20}, {0xc000124980, 0x4, 0x8}, 0x30?)
    	github.com/rfjakob/gocryptfs/v2/internal/configfile/config_file.go:246 +0x12d fp=0xc00008d738 sp=0xc00008d660 pc=0x572d0d
    	github.com/rfjakob/gocryptfs/v2/internal/configfile/config_file.go:135 +0x885 fp=0xc00008d990 sp=0xc00008d738 pc=0x571905
    	github.com/rfjakob/gocryptfs/v2/init_dir.go:99 +0x507 fp=0xc00008db20 sp=0xc00008d990 pc=0x5e3967
    	github.com/rfjakob/gocryptfs/v2/main.go:325 +0xc94 fp=0xc00008df80 sp=0xc00008db20 pc=0x5e5734
    	runtime/proc.go:250 +0x212 fp=0xc00008dfe0 sp=0xc00008df80 pc=0x438ed2
    	runtime/asm_amd64.s:1594 +0x1 fp=0xc00008dfe8 sp=0xc00008dfe0 pc=0x4698a1
    goroutine 2 [force gc (idle)]:
    runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
    	runtime/proc.go:363 +0xd6 fp=0xc00003afb0 sp=0xc00003af90 pc=0x439296
    	runtime/proc.go:302 +0xad fp=0xc00003afe0 sp=0xc00003afb0 pc=0x43912d
    	runtime/asm_amd64.s:1594 +0x1 fp=0xc00003afe8 sp=0xc00003afe0 pc=0x4698a1
    created by runtime.init.6
    	runtime/proc.go:290 +0x25
    goroutine 17 [GC sweep wait]:
    runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
    	runtime/proc.go:363 +0xd6 fp=0xc000036790 sp=0xc000036770 pc=0x439296
    	runtime/mgcsweep.go:278 +0x8e fp=0xc0000367c8 sp=0xc000036790 pc=0x42496e
    	runtime/mgc.go:178 +0x26 fp=0xc0000367e0 sp=0xc0000367c8 pc=0x419626
    	runtime/asm_amd64.s:1594 +0x1 fp=0xc0000367e8 sp=0xc0000367e0 pc=0x4698a1
    created by runtime.gcenable
    	runtime/mgc.go:178 +0x6b
    goroutine 18 [GC scavenge wait]:
    runtime.gopark(0xc000094000?, 0x697f48?, 0x1?, 0x0?, 0x0?)
    	runtime/proc.go:363 +0xd6 fp=0xc000036f70 sp=0xc000036f50 pc=0x439296
    	runtime/mgcscavenge.go:389 +0x53 fp=0xc000036fa0 sp=0xc000036f70 pc=0x422a13
    	runtime/mgcscavenge.go:617 +0x45 fp=0xc000036fc8 sp=0xc000036fa0 pc=0x422fe5
    	runtime/mgc.go:179 +0x26 fp=0xc000036fe0 sp=0xc000036fc8 pc=0x4195c6
    	runtime/asm_amd64.s:1594 +0x1 fp=0xc000036fe8 sp=0xc000036fe0 pc=0x4698a1
    created by runtime.gcenable
    	runtime/mgc.go:179 +0xaa
    goroutine 33 [finalizer wait]:
    runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0xc00003a770?)
    	runtime/proc.go:363 +0xd6 fp=0xc00003a628 sp=0xc00003a608 pc=0x439296
    	runtime/mfinal.go:180 +0x10f fp=0xc00003a7e0 sp=0xc00003a628 pc=0x41872f
    	runtime/asm_amd64.s:1594 +0x1 fp=0xc00003a7e8 sp=0xc00003a7e0 pc=0x4698a1
    created by runtime.createfing
    	runtime/mfinal.go:157 +0x45
    goroutine 34 [chan send]:
    runtime.gopark(0x0?, 0xc00003e400?, 0x28?, 0x67?, 0x56979e?)
    	runtime/proc.go:363 +0xd6 fp=0xc0001566d8 sp=0xc0001566b8 pc=0x439296
    runtime.chansend(0xc0001000c0, 0xc0001567a0, 0x1, 0x0?)
    	runtime/chan.go:259 +0x42c fp=0xc000156760 sp=0xc0001566d8 pc=0x405acc
    runtime.chansend1(0x0?, 0x0?)
    	runtime/chan.go:145 +0x1d fp=0xc000156790 sp=0xc000156760 pc=0x40567d
    	github.com/rfjakob/gocryptfs/v2/internal/cryptocore/randprefetch.go:51 +0x47 fp=0xc0001567c8 sp=0xc000156790 pc=0x56c2c7
    	github.com/rfjakob/gocryptfs/v2/internal/cryptocore/randprefetch.go:16 +0x26 fp=0xc0001567e0 sp=0xc0001567c8 pc=0x56bd66
    	runtime/asm_amd64.s:1594 +0x1 fp=0xc0001567e8 sp=0xc0001567e0 pc=0x4698a1
    created by github.com/rfjakob/gocryptfs/v2/internal/cryptocore.init.0
    	github.com/rfjakob/gocryptfs/v2/internal/cryptocore/randprefetch.go:16 +0x6b

    This is my first time using gocryptfs and it is possible I might have used it incorrectly (I did go through the manpage though). I searched through all the github issues but I couldn't find one that matched what I observed. Hence, I created a new one (pardon me in case I didn't search thoroughly and the issue was already reported).

    If there is any additional information needed (for eg. trying out debug builds), please let me know.

    opened by praveenbhamidipati 0
  • RFE auto detect FIDO2 device

    RFE auto detect FIDO2 device

    during mount, before asking for a FIDO device (used during init) try to find a device. if there is only one device use this device if there are no devices or more than one, report the issue and ask for a device (same as now)

    opened by schaarsc 0
  • RFE: add fido2-with-client-pin

    RFE: add fido2-with-client-pin

    in https://github.com/rfjakob/gocryptfs/issues/571 user verification was removed. as a result currently only user presence is configured. I did not find an option to enable client pin.

    I'd like to suggest to add options similar to systemd-cryptenroll

    • fido2-device
    • fido2-with-client-pin=BOOL, defaul=yes
    • fido2-with-user-presence=BOOL, default=yes
    • fido2-with-user-verification=BOOL, default=no

    the selected options should be added to gocryptfs.conf

    Possible solution depending on the selected option, add -t [up|uv|pin]to line https://github.com/rfjakob/gocryptfs/blob/69d88505fd7f4cb0d9e4f1918de296342fe05858/internal/fido2/fido2.go#L44

    opened by schaarsc 0
  • Operation not Permitted when using rclone/dropbox as backend

    Operation not Permitted when using rclone/dropbox as backend

    Regardless of root or non-root, gocryptfs works out of the box, as long I operate on natiave volumes (ext4)

    But when I try to use an encrypted folder, located on a rclone mounted volume, it does not work. The target folder would be outside of the volume, of course.

    I always get an Operation not permitted, when I try to create files. Creating folders works. Of course, I also tried every possible combination of ownership, permissions, and even the allow_all/force_owner.

    Site note: encfs works without any errors.

    OS: Debian 11 rclone: 1.60.1 gocryptfs: 1.8 and 2.3

    opened by arakis 0
  • Request: if run as uid 0 in unpriv userns, use mount instead of fusermount

    Request: if run as uid 0 in unpriv userns, use mount instead of fusermount

    Recent linux kernels (I think after 4.18?) allow mounts within unprivileged namespaces without using a suid like fusermount. This is especially advantageous within unprivileged sandboxes that have nonewprivs set (for example, flatpaks and other things using bwrap), hence cannot use suids like fusermount even if any are installed. Is it possible for gocryptfs to attempt to use mount before falling back on fusermount in such cases?

    opened by jonleivent 2
A FileSystem Abstraction System for Go

A FileSystem Abstraction System for Go Overview Afero is a filesystem framework providing a simple, uniform and universal API interacting with any fil

Steve Francia 4.9k Jan 9, 2023
A package to allow one to concurrently go through a filesystem with ease

skywalker Skywalker is a package to allow one to concurrently go through a filesystem with ease. Features Concurrency BlackList filtering WhiteList fi

Will Dixon 87 Nov 14, 2022
An implementation of the FileSystem interface for tar files.

TarFS A wrapper around tar.Reader. Implements the FileSystem interface for tar files. Adds an Open method, that enables reading of file according to i

Eyal Posener 51 Sep 26, 2022
Takes an input http.FileSystem (likely at go generate time) and generates Go code that statically implements it.

vfsgen Package vfsgen takes an http.FileSystem (likely at go generate time) and generates Go code that statically implements the provided http.FileSys

null 955 Dec 18, 2022
memfs: A simple in-memory io/fs.FS filesystem

memfs: A simple in-memory io/fs.FS filesystem memfs is an in-memory implementation of Go's io/fs.FS interface. The goal is to make it easy and quick t

Peter Sanford 79 Jan 8, 2023
A Go io/fs filesystem implementation for reading files in a Github gists.

GistFS GistFS is an io/fs implementation that enables to read files stored in a given Gist. Requirements This module depends on io/fs which is only av

Jean Hadrien Chabran 126 Oct 14, 2022
A Small Virtual Filesystem in Go

This is a virtual filesystem I'm coding to teach myself Go in a fun way. I'm documenting it with a collection of Medium posts that you can find here.

Alyson 32 Dec 11, 2022
CRFS: Container Registry Filesystem

CRFS: Container Registry Filesystem Discussion: https://github.com/golang/go/issues/30829 Overview CRFS is a read-only FUSE filesystem that lets you m

Google 1.3k Dec 26, 2022
Go filesystem implementations for various URL schemes

hairyhenderson/go-fsimpl This module contains a collection of Go filesystem implementations that can discovered dynamically by URL scheme. All filesys

Dave Henderson 238 Dec 28, 2022
A Go filesystem package for working with files and directories

Stowage A Go filesystem package for working with files and directories, it features a simple API with support for the common files and directories ope

null 19 May 28, 2021
filesystem for golang

filesystem filesystem for golang installation go get github.com/go-component/filesystem import import "github.com/go-component/filesystem" Usage sup

null 5 Nov 1, 2022
A set of io/fs filesystem abstractions and utilities for Go

A set of io/fs filesystem abstractions and utilities for Go Please ⭐ this project Overview This package provides io/fs interfaces for: Cloud providers

null 10 Nov 19, 2022
Tarserv serves streaming tar files from filesystem snapshots.

tarserv A collection of tools that allow serving large datasets from local filesystem snapshots. It is meant for serving big amounts of data to shell

Aurora 1 Jan 11, 2022
Grep archive search in any files on the filesystem, in archive and even inner archive.

grep-archive Grep archive search for string in any files on the filesystem, in archive and even inner archive. Supported archive format are : Tar Form

Michel Prunet 0 Jan 26, 2022
Warp across your filesystem in ~5 ms

WarpDrive: the Go version. What does this do? Instead of having a huge cd routine to get where you want, with WarpDrive you use short keywords to warp

Ishan Goel 17 Dec 14, 2022
Encrypted File System in Go

Getting Started: Setup the environment: Install GoLang: $ sudo apt update $ sudo apt upgrade $ sudo apt install libssl-dev gcc pkg-config $ sudo apt

Lucky Verma 0 Apr 30, 2022
A PDF processor written in Go.

pdfcpu: a Go PDF processor pdfcpu is a PDF processing library written in Go supporting encryption. It provides both an API and a CLI. Supported are al

pdfcpu 4.4k Jan 8, 2023
Goful is a CUI file manager written in Go.

Goful Goful is a CUI file manager written in Go. Works on cross-platform such as gnome-terminal and cmd.exe. Displays multiple windows and workspaces.

anmitsu 300 Dec 28, 2022
A simple library for generating PDF written in Go lang

gopdf gopdf is a simple library for generating PDF document written in Go lang. Features Unicode subfont embedding. (Chinese, Japanese, Korean, etc.)

Signin Technology 1.8k Jan 3, 2023