开源软件名称：

开源软件地址：

开源编程语言：

开源软件介绍：

An encrypted overlay filesystem written in Go. Official website: https://nuetzlich.net/gocryptfs (markdown source).

gocryptfs is built on top the excellent go-fuse FUSE library. This project was inspired by EncFS and strives to fix its security issues while providing good performance (benchmarks). For details on the security of gocryptfs see the Security design document.

All tags from v0.4 onward are signed by the gocryptfs signing key. Please check Signed Releases for details.

Current Status

gocryptfs has reached version 1.0 on July 17, 2016. It has gone through hours and hours of stress (fsstress, extractloop.bash) and correctness testing (xfstests). It is now considered ready for general consumption.

The old principle still applies: Important data should have a backup. Also, keep a copy of your master key (printed on mount) in a safe place. This allows you to access the data even if the gocryptfs.conf config file is damaged or you lose the password.

The security of gocryptfs has been audited in March 3, 2017. The audit is available here (defuse.ca).

Platforms

Linux is gocryptfs' native platform.

Beta-quality macOS support is available, which means most things work fine but you may hit an occasional problem. Check out ticket #15 for the history of macOS support but please create a new ticket if you hit a problem.

For Windows, an independent C++ reimplementation can be found here: cppcryptfs

A standalone Python tool that can decrypt files & file names is here: gocryptfs-inspect

Installation

Precompiled binaries that work on all x86_64 Linux systems are available for download from the github releases page. The fuse package from your distribution must be installed for mounting to work.

gocryptfs is also available as a package in most distributions. Examples:

• Debian, Ubuntu: apt install gocryptfs
• Fedora: dnf install gocryptfs
• Arch: pacman -S gocryptfs
• MacPorts: port install gocryptfs

See the Quickstart page for more info.

Testing

gocryptfs comes with is own test suite that is constantly expanded as features are added. Run it using ./test.bash. It takes about 1 minute and requires FUSE as it mounts several test filesystems.

The stress_tests directory contains stress tests that run indefinitely.

In addition, I have ported xfstests to FUSE, the result is the fuse-xfstests project. gocryptfs passes the "generic" tests with one exception, results: XFSTESTS.md

A lot of work has gone into this. The testing has found bugs in gocryptfs as well as in the go-fuse library.

Compile

Install Go 1.13 or higher:

• Debian/Ubuntu: apt install golang
• Fedora: dnf install golang

Then, download the source code and compile:

$ git clone https://github.com/rfjakob/gocryptfs.git
$ cd gocryptfs
$ ./build-without-openssl.bash

This will compile a static binary that uses the Go stdlib crypto backend.

If you want to use the OpenSSL crypto backend (faster on old CPUs lacking AES-NI), you have to install a few dependencies:

• Debian/Ubuntu: apt install libssl-dev gcc pkg-config
• Fedora: dnf install openssl-devel gcc pkg-config

Then, run:

$ ./build.bash

Use

$ mkdir cipher plain
$ ./gocryptfs -init cipher
$ ./gocryptfs cipher plain

See the Quickstart page for more info.

The MANPAGE.md describes all available command-line options.

Use: Reverse Mode

$ mkdir cipher plain
$ ./gocryptfs -reverse -init plain
$ ./gocryptfs -reverse plain cipher

Graphical Interface

The SiriKali project supports gocryptfs and runs on Linux and OSX.

cppcryptfs on Windows provides its own GUI.

Stable CLI ABI

If you want to call gocryptfs from your app or script, see CLI_ABI.md for the official stable ABI. This ABI is regression-tested by the test suite.

Storage Overhead

• Empty files take 0 bytes on disk
• 18 byte file header for non-empty files (2 bytes version, 16 bytes random file id)
• 32 bytes of storage overhead per 4kB block (16 byte nonce, 16 bytes auth tag)

file-format.md contains a more detailed description.

Performance

Since version 0.7.2, gocryptfs is as fast as EncFS in the default mode, and significantly faster than EncFS' "paranoia" mode that provides a security level comparable to gocryptfs.

On CPUs without AES-NI, gocryptfs uses OpenSSL through a thin wrapper called stupidgcm. This provides a 4x speedup compared to Go's builtin AES-GCM implementation. See CPU-Benchmarks for details, or run gocryptfs -speed to see the encryption performance of your CPU. Example for a CPU with AES-NI:

$ ./gocryptfs -speed
gocryptfs v2.2.0-beta1-5-g52b0444-dirty; go-fuse v2.1.1-0.20210825171523-3ab5d95a30ae; 2021-09-14 go1.17.1 linux/amd64
cpu: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz; with AES acceleration
AES-GCM-256-OpenSSL              862.79 MB/s
AES-GCM-256-Go                   997.71 MB/s    (selected in auto mode)
AES-SIV-512-Go                   159.58 MB/s
XChaCha20-Poly1305-OpenSSL   729.65 MB/s
XChaCha20-Poly1305-Go            843.97 MB/s    (selected in auto mode)

You can run ./benchmark.bash to run gocryptfs' canonical set of benchmarks that include streaming write, extracting a linux kernel tarball, recursively listing and finally deleting it. The output will look like this:

$ ./benchmark.bash
Testing gocryptfs at /tmp/benchmark.bash.xFD: gocryptfs v2.0; go-fuse v2.1.1-0.20210508151621-62c5aa1919a7; 2021-06-06 go1.16.5 linux/amd64
WRITE: 262144000 bytes (262 MB, 250 MiB) copied, 0,698174 s, 375 MB/s
READ:  262144000 bytes (262 MB, 250 MiB) copied, 0,268916 s, 975 MB/s
UNTAR: 8,970
MD5:   4,846
LS:    1,851
RM:    2,367

Changelog

vNEXT

• Add -longnamemax flag to -init (#499). Can be used to work around file or path length restrictions on online storage. See the man page for details.

v2.2.1, 2021-10-20

• Fix -force_owner only taking effect after 2 seconds (#609). This was a regression introduced in v2.0.
• MacOS: Fix build.bash failure with error date: illegal option -- - when SOURCE_DATE_EPOCH is set (#570)
• -init: suggest xchacha on CPUs without AES acceleration (commit)
• -info: add contentEncryption to output

v2.2.0, 2021-09-25

• -deterministic-names: new option for -init, both for reverse and forward mode. Disables file name randomisation & gocryptfs.diriv files (#151, #402, #592)
  • New feature flag! You need gocryptfs v2.2 or higher to mount a filesystem that uses this flag.
• -xchacha: new option for -init (forward mode only). Selects XChaCha20-Poly1305 for content encryption. Gives much better performance on CPUs without AES acceleration (#452).
  • New feature flag! You need gocryptfs v2.2 or higher to mount a filesystem that uses this flag.
  • Test with gocryptfs -speed what is fastest for your CPU, or read here
• Rewrite OpenSSL backend for better performance on AES-GCM-256-OpenSSL and XChaCha20-Poly1305-OpenSSL
• -serialize_reads: get rid of delay logic by taking advantage of the kernel flag FUSE_CAP_ASYNC_READ (go-fuse commit, gocryptfs commit)
• Make obsolete -devrandom flag a no-op (commit)
• Make -forcedecode flag a no-op (commit)
• Fix reverse mode sometimes remapping most inode numbers to >281474976710656 (commit)
• This version will be called v2.2.0 (instead of v2.2) to comply with the Go module versioning convention. Later releases will also follow the convention.

v2.1, 2021-08-18

• -fido2: do not request PIN on gocryptfs -init fixing FIDO_ERR_UNSUPPORTED_OPTION with YubiKey (#571)
• -sharedstorage: present stable inode numbers, fixing getcwd failures (#584)
• -badname: make it possible to access content of invalid file names (#568). Thanks @DerDonut!
• Implement recursive gocryptfs.diriv caching to fix exponential runtime with deep directories (commit])
• Implements fsync on directories (#587)
• -reverse: implement -one-file-system (#475)
• -reverse: allow exclude-all-but (#588)
  • Example: gocryptfs -reverse -exclude-wildcard '*' -exclude-wildcard '!/my-important-files' /home/user /mnt/user.encrypted
• macOS: Fix panic: using reserved ID 1 on ExFAT (#585)
• Switch to pflag cli parsing library to support flags and arguments in any order (#590)
• Drop support for Go 1.11 & Go 1.12 (commit)
  • You must have Go 1.13 or newer now

v2.0.1, 2021-06-07

• Fix symlink creation reporting the wrong size, causing git to report it as modified (#574)

v2.0, 2021-06-05

• Fix a few issues discovered by xfstests
  • Biggest change: rewrite SEEK_HOLE / SEEK_DATA logic (now emulates 4k alignment)

v2.0-beta4, 2021-05-15

• Make ACLs actually work (pass -acl to enable) (#536)
• Blocklist RENAME_EXCHANGE and RENAME_WHITEOUT (broken as discovered by fuse-xfstest/gocryptfs-2019-12)

v2.0-beta3, 2021-04-24

• MANPAGE: Split options into sections acc. to where they apply (#517)
• -idle: count cwd inside the mount as busy (#533)
• Make gocryptfs.diriv and gocryptfs.xxx.name files world-readable to make encrypted backups easier when mounting via /etc/fstab (#539)
• Make it work with MacFUSE v4.x (#524)
• Disable ACL encryption, it causes a lot of problems (#543, #536)
  • Old encrypted ACLs are reported by gocryptfs -fsck but otherwise ignored
  • This fixes inheritance, but does not yet enforce them correctly
• Include gocryptfs-xray in binary releases (#496)
• go-fuse: track most recent parent. This improves robustness when the filesystem is modified behind the back of gocryptfs. Helps both with -sharedstorage and also without. (commit 1, commit 2, #549)
• Add directory fd caching for 2x - 3x speed boost in small file ops compared to v2.0-beta2 (performance numbers)

v2.0-beta2, 2020-11-14

• Improve performance
• Fix GETATTR panic in reverse mode

v2.0-beta1, 2020-10-15

• Switch to the improved go-fuse v2 API
  • This is a big change, a lot of code has been reorganized or rewritten to fit the v2 API model.
  • Please test & report bugs
  • No changes to the on-disk format
  • File descriptor caching is not yet implemented, causing a slowdown. Caching will be implemented for v2.0 final.
• Add support for FIDO2 tokens (-fido2, #505)
• Add -encrypt-paths / -decrypt-paths functionality to gocryptfs-xray (#416)
• Accept multiple -passfiles (#288)
• Make -masterkey=stdin work together with -passwd (#461)
• Fix Unknown opcode 2016 crash on Google Cloud (go-fuse #276, gocryptfs commit ec74d1d)

v1.8.0, 2020-05-09

• Enable ACL support (#453)
  • Warning 2021-02-07: This feature is incomplete! Do not use ACLs before gocryptfs v2.0 final! Reading and writing ACLs works, but they are not enforced or inherited (#542)
• Ignore .nfsXXX temporary files (#367)
• Handle inode number collisions from multiple devices (#435)
• Drop -nonempty for fusermount3 (#440)
• Reverse mode: improve inode number mapping and max=1000000000000000000 limitation (#457)
• Enable --buildmode=pie (#460)
• Migrate from dep to Go Modules (commit cad711993)
• go mod: update dependencies (commit b23f77c)
• gocryptfs -speed: add XChaCha20-Poly1305-Go (#452)
• Respect GOMAXPROCS environment variable (commit ff210a06f
• Completely remove Trezor-related code (commit 1364b44ae356da31e24e5605fe73a307e9d6fb03)
  • Has been disabled since v1.7 due to issues a third-party module.
  • Please use FIDO2 instead (gocryptfs v2.0)

v1.7.1, 2019-10-06

• Support wild cards in reverse mode via --exclude-wildcard (#367). Thanks @ekalin!
• Create gocryptfs.diriv files with 0440 permissions to make it easier to share an encrypted folder via a network drive (#387). Note: as a security precaution, the owner must still manually chmod gocryptfs.conf 0440 to allow mounting.
• Allow the nofail option in /etc/fstab
• -passwd can now change the -scryptn parameter for existing filesystems (#400)
• Fix -idle unmounting the filesystem despite recent activity (#421)
• Fix a race condition related to inode number reuse (#363). It could be triggered by concurrently creating and deleting files and can lead to data loss in the affected file. This bug was found by the automated tests on Travis and was very hard to trigger locally.
• tests: use /var/tmp instead of /tmp by default (commit 8c4429)

v1.7, 2019-03-17

• Fix possible symlink race attacks in forward mode when using allow_other + plaintextnames
  • If you use both -allow_other and -plaintextnames, you should upgrade. Malicious users could trick gocryptfs into modifying files outside of CIPHERDIR, or reading files inside CIPHERDIR that they should not have access to.
  • If you do not use -plaintextnames (disabled per default), these attacks do not work as symlinks are encrypted.
  • Forward mode has been reworked to use the "*at" family of system calls everywhere (Openat/Unlinkat/Symlinkat/...).
  • As a result, gocryptfs may run slightly slower, as the caching logic has been replaced and is very simple at the moment.
  • The possibility for such attacks was found during an internal code review.
• Reverse mode: fix excluded, unaccessible files showing up in directory listings (#285, #286)
• gocryptfs-xray: add -aessiv flag for correctly parsing AES-SIV format files (#299)
• Ensure that standard fds 0,1,2 are always initialized (#320). Prevents trouble in the unlikely case that gocryptfs is called with stdin,stdout and/or stderr closed.
• -extpass now can be specified multiple times to support arguments containing spaces (#289)
• Drop Fstatat, Mkdirat, Syslinkat, Fchownat, Unlinkat, Renameat, Openat emulation of MacOS and instead use native functions (thanks @slackner !)
• Use Setreuid to robustly set the owner with allow_other (@slackner, (commit))
• Pack the rendered man page into the source code archive for user convenience (issue 355)
• Disable Trezor support again (commit 16fac26c57ba303bf60266d24c17f5243e5ea376)
  • Trezor support has been broken since Sept 2018 due to issues in a third-party module (#261)

v1.6.1, 2018-12-12

• Fix "Operation not supported" chmod errors on Go 1.11 (#271)

v1.6, 2018-08-18

• Add -e / -exclude option for reverse mode (#235, commit)
• Add support for the Trezor One HSM PR#247, thanks @xaionaro!
  • Use ./build.bash -tags enable_trezor to compile with Trezor support
  • Then, use gocryptfs -init -trezor to create a filesystem locked with a physical Trezor device.
  • Note 2021-01-31: Support was removed again in gocryptfs v1.7. Please use -fido2 in gocryptfs v2.0.
• Only print master key once, on init (#76, commit)
• Fall back to buffered IO even when passed O_DIRECT (commit)

v1.5, 2018-06-12

• Support extended attributes (xattr) in forward mode (#217). Older gocryptfs versions will ignore the extended attributes.
• Add -fsck function (#191)
• Fix clobbered timestamps on MacOS High Sierra (#229)
• Add -masterkey=stdin functionality (#218)
• Accept -dev/-nodev, suid/nosuid, -exec/-noexec, -ro/-rw flags to make mounting via /etc/fstab possible. Thanks @mahkoh! (#233, commit, commit)
• Fix a logger path issue on SuSE #225
• Stop printing the help text on a "flag provided but not defined" error (commit)

v1.4.4, 2018-03-18

• Overwrite secrets in memory with zeros as soon as possible (#211)
• Fix Getdents problems on i386 and mips64le (#197, #200)
• Make building with gccgo work (#201)
• MacOS: fix osxfuse: vnode changed generation / Error code -36 issue in go-fuse (#213, commit)
• Fix various test issues on MacOS

v1.4.3, 2018-01-21

• Fix several symlink race attacks in connection with reverse mode and allow_other. Thanks to @slackner for reporting and helping to fix the issues:
  • Fix symlink races in reverse mode (issue #165)
  • Fix symlink races in connection with -allow_other (issue #177)
• Fix problems with special names when using -plaintextnames (issue #174)
• Add -devrandom command-line option (commit)
• Add -sharedstorage command-line option (commit, issue #156)
• MacOS: let OSXFuse create the mountpoint if it does not exist (issue #194)

v1.4.2, 2017-11-01

• Add Gopkg.toml file for dep vendoring and reproducible builds (issue #142)
• MacOS: deal with .DS_Store files inside CIPHERDIR (issue #140)
• Reverse mode: fix ENOENT error affecting names exactly 176 bytes long (issue #143)
• Support kernels compiled with > 128 kiB FUSE request size (Synology NAS) (issue #145, commit)
• Fix a startup hang when $PATH contains the mountpoint (issue #146)

v1.4.1, 2017-08-21

• Use memory pools for buffer handling ( 3c6fe98, b2a23e9, 12c0101)
  • On my machine, this doubles the streaming read speed (see performance.txt)
• Implement and use the getdents(2) syscall for a more efficient OpenDir implementation (e50a6a5)
• Purge masterkey from memory as soon as possible (issue #137)
• Reverse mode: fix inode number collision between .name and .diriv files (d12aa57)
• Prevent the logger from holding stdout open (issue #130)
• MacOS: make testing without openssl work properly (ccf1a84)
• MacOS: specify a volume name (9f8e19b)
• Enable writing to write-only files (issue #125)

v1.4, 2017-06-20

• Switch to static binary releases
  • From gocryptfs v1.4, I will only release statically-built binaries. These support all Linux distributions but cannot use OpenSSL.
  • OpenSSL is still supported - just compile from source!
• Add -force_owner option to allow files to be presented as owned by a different user or group from the user running gocryptfs. Please see caveats and guidance in the man page before using this functionality.
• Increase open file limit to 4096 (#82).
• Implement path decryption via ctlsock (#84). Previously, decryption was only implemented for reverse mode. Now both normal and reverse mode support both decryption and encryption of paths via ctlsock.
• Add more specific exit codes for the most common failure modes, documented in CLI_ABI.md
• Reverse mode: make sure hard-linked files always return the same ciphertext (commit 9ecf2d1a)