# rfjakob/gocryptfs

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/rfjakob-gocryptfs).**

4,312 stars · 296 forks · Go · MIT

## Links

- GitHub: https://github.com/rfjakob/gocryptfs
- Homepage: https://nuetzlich.net/gocryptfs/
- awesome-repositories: https://awesome-repositories.com/repository/rfjakob-gocryptfs.md

## Topics

`encryption` `filesystem` `fuse` `gcm` `golang`

## Description

gocryptfs is a FUSE-based encrypted filesystem that transparently encrypts and decrypts file contents and filenames on disk. It uses block-level authenticated encryption with AES-GCM or AES-SIV-512, binding each block to its file header and offset for integrity, while obfuscating filenames with EME or AES-SIV wide-block ciphers using per-directory initialization vectors. The system derives all encryption keys and initialization vectors deterministically from a master key using HKDF and SHA256, enabling reproducible ciphertext for reliable backup and synchronization workflows.

The project distinguishes itself through several key capabilities. It supports reverse-mode encryption overlays that create an encrypted view of a plaintext directory on the fly, allowing secure backups without modifying original files. Hardware security key authentication via FIDO2 tokens provides an alternative to password-based unlocking. The filesystem stores each file as a separate encrypted blob, enabling efficient incremental synchronization with cloud storage services like Dropbox or with tools like rsync. A master key recovery mechanism prints keys on mount, allowing data access even if configuration files or passwords are lost.

The encrypted filesystem supports standard operations including atomic renames, hard links, extended attributes, and fallocate calls. It includes filesystem integrity verification through structural scanning to detect tampering or errors. The project compiles into a static Go binary with embedded cryptographic libraries, enabling portable deployment without runtime dependencies.

## Tags

### DevOps & Infrastructure

- [FUSE](https://awesome-repositories.com/f/devops-infrastructure/remote-file-system-mounts/encrypted-mounts/fuse.md) — Mounts encrypted directories as decrypted virtual filesystems via FUSE for transparent read/write access.
- [Encrypted Mounts](https://awesome-repositories.com/f/devops-infrastructure/remote-file-system-mounts/encrypted-mounts.md) — Creates a decrypted virtual view of an encrypted folder using a FUSE filesystem so applications can read and write plaintext files. ([source](https://cdn.jsdelivr.net/gh/rfjakob/gocryptfs@master/README.md))
- [Reverse-Mode Overlays](https://awesome-repositories.com/f/devops-infrastructure/remote-file-system-mounts/encrypted-mounts/encrypted-overlay-management/reverse-mode-overlays.md) — Creates an encrypted view of a plaintext directory on the fly, enabling secure backups without modifying original files.
- [Reverse-Mode Mounts](https://awesome-repositories.com/f/devops-infrastructure/remote-file-system-mounts/encrypted-mounts/reverse-mode-mounts.md) — Creates an encrypted view of a plaintext directory so you can back up unencrypted data without exposing the original content. ([source](https://cdn.jsdelivr.net/gh/rfjakob/gocryptfs@master/README.md))

### Operating Systems & Systems Programming

- [FUSE Virtual Filesystems](https://awesome-repositories.com/f/operating-systems-systems-programming/fuse-virtual-filesystems.md) — Intercepts filesystem calls through a FUSE kernel module to present an encrypted directory as a decrypted mount point transparently.
- [Encrypted FUSE Filesystems](https://awesome-repositories.com/f/operating-systems-systems-programming/fuse-virtual-filesystems/encrypted-fuse-filesystems.md) — Provides an overlay filesystem that encrypts files on disk while presenting a decrypted view when mounted via FUSE.
- [Encrypted File Name Hiding](https://awesome-repositories.com/f/operating-systems-systems-programming/system-administration-maintenance/file-system-management/file-systems/file-template-generators/dynamic-file-name-resolvers/file-name-identification/encrypted-file-name-hiding.md) — Encrypts file and directory names with per-directory IVs to prevent plaintext name exposure on disk. ([source](https://nuetzlich.net/gocryptfs/threat_model/))
- [Filename Encryption](https://awesome-repositories.com/f/operating-systems-systems-programming/system-administration-maintenance/file-system-management/file-systems/filename-templates/filename-parsers/filename-encryption.md) — Encrypts filenames with EME or AES-SIV wide-block ciphers using per-directory initialization vectors to hide directory structure.

### Part of an Awesome List

- [File Encryption](https://awesome-repositories.com/f/awesome-lists/security/file-encryption.md) — Encrypts each file individually with AES-GCM and stores ciphertext alongside metadata so only the key holder can decrypt. ([source](https://nuetzlich.net/gocryptfs/threat_model/))
- [Block-Level Encryption](https://awesome-repositories.com/f/awesome-lists/security/file-encryption/block-level-encryption.md) — Encrypts file data in fixed-size blocks with AES-GCM, binding each block to its offset and file header for integrity.
- [Block-Level Tampering Detection](https://awesome-repositories.com/f/awesome-lists/security/file-encryption/block-level-encryption/block-level-tampering-detection.md) — Detects unauthorized modifications to encrypted blocks on read and returns I/O errors while logging corruption to syslog. ([source](https://nuetzlich.net/gocryptfs/threat_model/))
- [Block Swapping Prevention](https://awesome-repositories.com/f/awesome-lists/security/file-encryption/block-level-encryption/block-swapping-prevention.md) — Binds each encrypted block to its file header and offset to prevent block swapping between files or positions. ([source](https://nuetzlich.net/gocryptfs/threat_model/))
- [Deterministic File Encryptions](https://awesome-repositories.com/f/awesome-lists/security/file-encryption/deterministic-file-encryptions.md) — Derives keys and IVs deterministically so ciphertext remains reproducible for cloud sync and backup tools.
- [Deterministic Filename Encryptions](https://awesome-repositories.com/f/awesome-lists/security/file-encryption/deterministic-filename-encryptions.md) — Encrypts file names using a directory IV derived from the encrypted path so ciphertext names stay consistent for backup workflows. ([source](https://nuetzlich.net/gocryptfs/reverse_mode))
- [Deterministic Per-File Encryptions](https://awesome-repositories.com/f/awesome-lists/security/file-encryption/deterministic-per-file-encryptions.md) — Derives file content keys and IVs deterministically from the master key and file path using HKDF and SHA256.
- [AES-SIV-512 File Encryptions](https://awesome-repositories.com/f/awesome-lists/security/file-encryption/aes-siv-512-file-encryptions.md) — Encrypts file data using deterministic authenticated encryption with AES-SIV-512, binding block numbers into IV and associated data. ([source](https://nuetzlich.net/gocryptfs/reverse_mode))

### Security & Cryptography

- [Authenticated File Encryptions](https://awesome-repositories.com/f/security-cryptography/authenticated-file-encryptions.md) — Protects file contents with GCM encryption and file names with EME wide-block encryption, using Scrypt for password hashing. ([source](https://nuetzlich.net/gocryptfs/))
- [Filesystem Initialization Vector Derivation](https://awesome-repositories.com/f/security-cryptography/deterministic-wallet-derivers/filesystem-initialization-vector-derivation.md) — Derives all IVs deterministically from encrypted file paths using SHA256 for reproducible ciphertext in backups. ([source](https://nuetzlich.net/gocryptfs/reverse_mode))
- [Cloud-Compatible](https://awesome-repositories.com/f/security-cryptography/encrypted-backups/cloud-compatible.md) — Stores each file as a separate encrypted blob for efficient incremental sync with Dropbox or rsync.
- [Deterministic](https://awesome-repositories.com/f/security-cryptography/encrypted-backups/deterministic.md) — Derives keys and IVs deterministically so ciphertext remains reproducible for cloud sync and backup tools.
- [Filesystem Initialization Vector Derivation](https://awesome-repositories.com/f/security-cryptography/key-derivation-schemes/address-derivation-schemes/program-derived-address-derivations/filesystem-initialization-vector-derivation.md) — Computes all IVs deterministically from encrypted file paths using SHA256 so encryption is reproducible without random values. ([source](https://nuetzlich.net/gocryptfs/reverse_mode_crypto/))
- [Deterministic File Content Key Derivation](https://awesome-repositories.com/f/security-cryptography/key-derivation-schemes/deterministic-file-content-key-derivation.md) — Generates file content keys from a master key using HKDF-SHA256, producing 64-byte keys for AES-SIV-512 encryption. ([source](https://nuetzlich.net/gocryptfs/reverse_mode))
- [AES-GCM File Encryptors](https://awesome-repositories.com/f/security-cryptography/privacy-data-protection/data-encryption/end-to-end-encryption/media-encryption/stream-encryption-and-decryption/aes-gcm-data-encryptors/aes-gcm-file-encryptors.md) — Protects file contents with authenticated AES-GCM and obfuscates filenames with EME wide-block encryption.
- [Filesystem Name Obfuscation](https://awesome-repositories.com/f/security-cryptography/security/utilities/security-hardening-and-protection/code-obfuscators/semantic-naming-obfuscation/filesystem-name-obfuscation.md) — Obfuscates filenames with EME or AES-SIV wide-block encryption to hide directory structure and prevent name leakage. ([source](https://nuetzlich.net/gocryptfs/comparison/))
- [Hardware Security Key Authentications](https://awesome-repositories.com/f/security-cryptography/cryptographic-key-management/external-key-integration/hardware-key-importations/webauthn-hardware-key-authentications/hardware-security-key-authentications.md) — Unlocks encrypted volumes using FIDO2 hardware tokens instead of passwords for stronger access control.
- [Encrypted Backups](https://awesome-repositories.com/f/security-cryptography/encrypted-backups.md) — Encrypts plain-text directories with deterministic encryption so backup tools can store ciphertext without exposing original content. ([source](https://nuetzlich.net/gocryptfs/reverse_mode_crypto/))
- [Hardware Authentication](https://awesome-repositories.com/f/security-cryptography/hardware-authentication.md) — Supports unlocking encrypted volumes using FIDO2 hardware tokens as an alternative to password entry. ([source](https://cdn.jsdelivr.net/gh/rfjakob/gocryptfs@master/README.md))
- [Master Key Recovery](https://awesome-repositories.com/f/security-cryptography/master-key-recovery.md) — Prints a master key on mount that allows data access even if the config file is lost or the password is forgotten. ([source](https://nuetzlich.net/gocryptfs/))
- [FIDO2 Token Authentications](https://awesome-repositories.com/f/security-cryptography/security-token-management/hardware-token-bridging/fido2-token-authentications.md) — Unlocks encrypted volumes using FIDO2 tokens instead of passwords for key management.
- [Integrity Verifications](https://awesome-repositories.com/f/security-cryptography/security/cryptography-and-secrets/cryptographic-primitives-management/cryptographic-hash-computations/data-integrity-identifiers/integrity-verifications.md) — Scans encrypted directories for structural errors and detects tampering to ensure data consistency.

### Development Tools & Productivity

- [Cloud File Sync](https://awesome-repositories.com/f/development-tools-productivity/cloud-file-sync.md) — Stores each file as a separate encrypted blob so standard tools like Dropbox or rsync can synchronize changes incrementally. ([source](https://nuetzlich.net/gocryptfs))
- [Encrypted Cloud Syncs](https://awesome-repositories.com/f/development-tools-productivity/cloud-file-sync/encrypted-cloud-syncs.md) — Places encrypted folders inside cloud-sync directories while keeping decrypted views outside for secure cloud synchronization. ([source](https://nuetzlich.net/gocryptfs/quickstart/))
