gocryptfs is a FUSE-based encrypted filesystem that transparently encrypts and decrypts file contents and filenames on disk. File contents use block-level authenticated encryption with AES-GCM or AES-SIV-512, with each block authenticated against its file header and its block offset so that a block moved to another offset or another file fails verification. Filenames are encrypted with the EME or AES-SIV wide-block ciphers using per-directory initialization vectors. All encryption keys and initialization vectors are derived deterministically from a master key using HKDF and SHA256, so the same plaintext produces the same ciphertext, which keeps backup and synchronization workflows reproducible.
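The two mechanisms above, purpose-specific subkeys derived from one master key with HKDF-SHA256 and AES-GCM blocks bound to their file and offset through the authenticated data, are shown in the following Go program. It is an added illustration and not gocryptfs's own code: the AAD layout (8-byte big-endian block number followed by a 16-byte file ID), the HKDF info label, the all-zero extract salt and the standard 12-byte GCM nonce are assumptions of this example, chosen to match the description rather than the project's on-disk format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// hkdfExpand is HKDF-Expand (RFC 5869) over HMAC-SHA256:
// T(i) = HMAC(prk, T(i-1) || info || i), concatenated until n bytes are produced.
func hkdfExpand(prk, info []byte, n int) []byte {
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		mac := hmac.New(sha256.New, prk)
		mac.Write(prev)
		mac.Write(info)
		mac.Write([]byte{i})
		prev = mac.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// deriveSubkey turns the master key into a 256-bit key for one purpose:
// HKDF-Extract with an all-zero salt, then HKDF-Expand with the purpose label
// as the info string. Same master key and label always give the same subkey.
// (The label text and zero salt are assumptions of this example.)
func deriveSubkey(master []byte, purpose string) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size))
	extract.Write(master)
	return hkdfExpand(extract.Sum(nil), []byte(purpose), 32)
}

// blockAAD is the additional authenticated data for one block: the block
// number (8-byte big-endian) followed by the file's random ID from its header.
// GCM authenticates the AAD together with the ciphertext, so a block copied to
// another offset or another file fails to decrypt. (Assumed layout.)
func blockAAD(fileID []byte, blockNo uint64) []byte {
	aad := make([]byte, 8, 8+len(fileID))
	binary.BigEndian.PutUint64(aad, blockNo)
	return append(aad, fileID...)
}

type fileCipher struct {
	aead   cipher.AEAD
	fileID []byte // 16 random bytes stored in the file header (assumed)
}

func newFileCipher(master, fileID []byte) (*fileCipher, error) {
	block, err := aes.NewCipher(deriveSubkey(master, "file content encryption"))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &fileCipher{aead: aead, fileID: fileID}, nil
}

// encryptBlock returns nonce || ciphertext || tag for one plaintext block.
func (f *fileCipher) encryptBlock(blockNo uint64, plain []byte) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, plain, blockAAD(f.fileID, blockNo)), nil
}

// decryptBlock authenticates and decrypts one stored block read at blockNo.
func (f *fileCipher) decryptBlock(blockNo uint64, stored []byte) ([]byte, error) {
	ns := f.aead.NonceSize()
	if len(stored) < ns+f.aead.Overhead() {
		return nil, errors.New("stored block too short")
	}
	return f.aead.Open(nil, stored[:ns], stored[ns:], blockAAD(f.fileID, blockNo))
}

// demo encrypts two blocks of file A and reports: does an honest round trip
// succeed, is block 1 presented at offset 0 rejected, and is file A's block
// rejected when read as part of file B (same key, different file ID)?
func demo(master []byte) (roundTrip, swapRejected, crossFileRejected bool, err error) {
	idA, idB := make([]byte, 16), make([]byte, 16)
	if _, err = rand.Read(idA); err != nil { return }
	if _, err = rand.Read(idB); err != nil { return }
	fa, err := newFileCipher(master, idA)
	if err != nil { return }
	fb, err := newFileCipher(master, idB)
	if err != nil { return }
	p0 := bytes.Repeat([]byte("block zero "), 4) // constructed sample plaintext
	p1 := bytes.Repeat([]byte("block one  "), 4)
	c0, err := fa.encryptBlock(0, p0)
	if err != nil { return }
	c1, err := fa.encryptBlock(1, p1)
	if err != nil { return }
	d0, e0 := fa.decryptBlock(0, c0)
	d1, e1 := fa.decryptBlock(1, c1)
	roundTrip = e0 == nil && e1 == nil && bytes.Equal(d0, p0) && bytes.Equal(d1, p1)
	_, eSwap := fa.decryptBlock(0, c1) // block 1 moved to offset 0
	swapRejected = eSwap != nil
	_, eCross := fb.decryptBlock(0, c0) // file A's block read as file B's
	crossFileRejected = eCross != nil
	return
}

func main() {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	rt, swap, cross, err := demo(master)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip: %v, swapped block rejected: %v, cross-file block rejected: %v\n", rt, swap, cross)
}
```

Both rejections come from the GCM tag check alone: the key is identical in every case, and only the authenticated data differs, which is what makes per-block integrity depend on the offset and the file header rather than on the ciphertext bytes themselves.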
The project distinguishes itself through several key capabilities. It supports a reverse-mode encryption overlay that presents an encrypted view of a plaintext directory on the fly, allowing secure backups without modifying the original files. Hardware security key authentication via FIDO2 tokens provides an alternative to password-based unlocking. The filesystem stores each file as a separate encrypted blob, so only changed files need to be transferred when synchronizing with tools and services such as rsync or Dropbox. A master key recovery mechanism prints the master key on mount, allowing data access even if the configuration file or the password is lost.
The encrypted filesystem supports standard operations including atomic renames, hard links, extended attributes, and fallocate calls. It includes filesystem integrity verification through structural scanning to detect tampering or errors. The project compiles into a static Go binary with embedded cryptographic libraries, enabling portable deployment without runtime dependencies.