How to Encrypt Files with gocryptfs on Linux

Do you want to encrypt important files, but not the entire hard drive of your Linux system? If so, we recommend gocryptfs. It gives you a directory that transparently encrypts and decrypts everything you store in it.

gocryptfs provides protection against data breaches

Confidentiality is big news. Hardly a week goes by without the announcement of a breach in one organization or another. Companies are reporting recent incidents or disclosing violations that occurred some time ago. Either way, that’s bad news for those whose data has been exposed.

Because millions of people use services like Dropbox, Google Drive, and Microsoft OneDrive, a seemingly endless stream of data is being pushed into the cloud every day. If you store some (or all) of your data in the cloud, what can you do to protect classified information and private documents in the event of a breach?

Data breaches come in all shapes and sizes, of course, and they’re not limited to the cloud. A lost USB drive or a stolen laptop is just a smaller-scale data breach. But scale is not the critical factor. If the data is sensitive or confidential, having it fall into someone else’s hands can be disastrous.

One solution is to encrypt your documents. Traditionally, this is done by encrypting your entire hard drive. This is secure, but it also slows down your computer slightly. Additionally, if you experience a catastrophic outage, it can make the process of restoring your system from backups more difficult.

The gocryptfs system allows you to encrypt only the directories that need protection and to avoid the system-wide overhead of encryption and decryption. It is fast, light and easy to use. It is also easy to move encrypted directories to other computers. As long as you have the password to access this data, it leaves no trace of your files on the other computer.

The gocryptfs system is built as a lightweight, encrypted file system. It can also be mounted by standard non-root accounts, since it uses the Filesystem in Userspace (FUSE) package. This acts as a bridge between gocryptfs and the kernel file system routines that it needs to access.

Installing gocryptfs

To install gocryptfs on Ubuntu, type this command:

sudo apt-get install gocryptfs

To install it on Fedora, type:

sudo dnf install gocryptfs

On Manjaro, the command is:

sudo pacman -Syu gocryptfs

Creating an encrypted directory

Part of the glory of gocryptfs is its ease of use. The principles are:

Create a directory containing the files and subdirectories you are protecting.
Use gocryptfs to initialize this directory.
Create an empty directory as a mount point, and mount the encrypted directory there.
In the mount point, you can view and use the decrypted files and create new ones.
Unmount the encrypted folder when you are finished.

We will create a directory called “vault” to hold the encrypted data. To do this, we type the following:

mkdir vault

We need to initialize our new directory. This step creates the gocryptfs file system in the directory:

gocryptfs -init vault

Enter a password when prompted. You will enter it twice to make sure it is correct. Pick a strong one: three unrelated words joined by punctuation, numbers or symbols make a good pattern.

Your master key is generated and displayed. Copy and save this in a safe and private place. In our example, we create a gocryptfs directory on a research machine that is wiped after each article is written.

As it is needed for an example, you can see the master key of this directory. You will definitely want to be a lot more secretive with yours. If someone gets your master key, they can access all of your encrypted data.

If you change to the new directory, you will see that two files have been created. Type the following:

cd vault
ls -ahl

“gocryptfs.diriv” is a short binary file, while “gocryptfs.conf” contains settings and information that you need to keep safe.

If you upload your encrypted data to the cloud or back it up to small, portable media, do not include gocryptfs.conf. If, however, you are backing up to local media that remains under your control, you can include it.

With sufficient time and effort, it may be possible to extract your password from the “encrypted key” and “salt” entries, as shown below:

cat gocryptfs.conf
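
The backup advice above, as an added shell example (not part of the original article): list_offsite prints every file in the encrypted directory except the top-level gocryptfs.conf, and refuses to run on anything that is not a gocryptfs encrypted directory, so the decrypted mount point is never uploaded by mistake. The function names are hypothetical; "vault" is the article's directory name.

```shell
#!/bin/sh
# Added example, not from the article. Function names are hypothetical.

# True if DIR holds both files that "gocryptfs -init" creates.
is_cipherdir() {
    [ -f "$1/gocryptfs.conf" ] && [ -f "$1/gocryptfs.diriv" ]
}

# True if gocryptfs.conf grants nothing to group or other.
# Characters 5-10 of the "ls -l" mode string are the group/other bits.
conf_mode_ok() {
    [ "$(ls -ld "$1/gocryptfs.conf" | cut -c5-10)" = "------" ]
}

# Print, relative to DIR, every file to copy off-site. Only the top-level
# gocryptfs.conf is skipped; each subdirectory's gocryptfs.diriv is kept
# because it is needed to decrypt the file names in that subdirectory.
list_offsite() {
    is_cipherdir "$1" || { echo "not a gocryptfs directory: $1" >&2; return 1; }
    conf_mode_ok "$1" || echo "warning: gocryptfs.conf is group/other accessible" >&2
    ( cd "$1" && find . -type f ! -path ./gocryptfs.conf | sort )
}

# Stand-alone use:  sh offsite.sh vault > files-to-upload.txt
if [ "$#" -eq 1 ]; then
    list_offsite "$1"
fi
```

An off-site copy made this way can only be opened together with gocryptfs.conf or the master key saved at initialization, so keep one of them under your own control.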

Mounting the encrypted directory

The encrypted directory is mounted on a mount point, which is simply an empty directory. We are going to create one called “geek”:

mkdir geek

We can now mount the encrypted directory on the mount point. Strictly speaking, what is actually mounted is the gocryptfs filesystem inside the encrypted directory. We are asked for the password:

gocryptfs vault geek

When the encrypted directory is mounted, we can use the mount point directory just like any other. Everything we edit and create in this directory is actually written to the mounted and encrypted directory.

We can create a simple text file, like the following:

touch secret-notes.txt

We can edit it, add content to it, and then save the file:

gedit secret-notes.txt

Our new file has been created.

If we switch to our encrypted directory as shown below, we see that a new file has been created with an encrypted name. You can’t even tell what type of file it is from the name:

cd vault
ls -hl

If we try to view the contents of the encrypted file, we can see that it is really scrambled:

less aJGzNoczahiSif_gwGl4eAUnwxo9CvOa6kcFf4xVgYU

Our simple text file, shown below, is now anything but simple to decipher.

Unmounting the encrypted directory

When you are done with your encrypted directory, you can unmount it with the fusermount command, which is part of the FUSE package. The following command unmounts the gocryptfs file system inside the encrypted directory from the mount point:

fusermount -u geek

If you type the following to check your mount point directory, you will see that it is still empty:

ls

Everything you have done is stored securely in the encrypted directory.

Simple and secure

Simple systems have the advantage of being used more often, while more complicated processes tend to fall by the wayside. Using gocryptfs is not only simple, but also secure. Simplicity without security wouldn’t be worth it.

You can create as many encrypted directories as you need or just one to hold all of your sensitive data. You can also create a few aliases to mount and unmount your encrypted file system and further simplify the process.
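
One way to write such helpers, as an added example (not from the original article; vault_open, vault_close and the other function names are hypothetical). They check the mount table before acting, because files saved into the mount point while nothing is mounted there land on disk unencrypted.

```shell
#!/bin/sh
# Added example, not from the article. Function names are hypothetical.
# MOUNTS is the mount table to read; Linux exposes it as /proc/mounts.
MOUNTS=${MOUNTS:-/proc/mounts}

# Resolve DIR to an absolute path, as it appears in the mount table.
abs() { ( cd "$1" 2>/dev/null && pwd -P ); }

# True if the absolute path DIR is an active gocryptfs mount.
# Mount table fields: source, mount point, file system type, options.
is_gocryptfs_mounted() {
    awk -v mp="$1" '$2 == mp && $3 == "fuse.gocryptfs" { found = 1 }
                    END { exit !found }' "$MOUNTS"
}

# vault_open CIPHERDIR MOUNTPOINT
vault_open() {
    [ -f "$1/gocryptfs.conf" ] || { echo "$1: not initialized" >&2; return 1; }
    mp=$(abs "$2") || { echo "$2: no such directory" >&2; return 1; }
    if is_gocryptfs_mounted "$mp"; then
        echo "$mp: already mounted" >&2; return 0
    fi
    # Anything already in the mount point is unencrypted; stop and look.
    [ -z "$(ls -A "$mp")" ] || { echo "$mp: not empty" >&2; return 1; }
    gocryptfs "$1" "$mp"        # prompts for the password
}

# vault_close MOUNTPOINT
vault_close() {
    mp=$(abs "$1") || { echo "$1: no such directory" >&2; return 1; }
    if ! is_gocryptfs_mounted "$mp"; then
        echo "$mp: not mounted" >&2; return 0
    fi
    fusermount -u "$mp"
}
```

Source the file from your shell start-up script, then run vault_open vault geek and vault_close geek with the article's directory names.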
