Gocryptfs-Sapelo2: Difference between revisions

From Research Computing Center Wiki

Revision as of 16:33, 20 March 2025

Category: Other

Program On: Sapelo2

Version: 2.5.2

Author / Distributor: Please see https://nuetzlich.net/gocryptfs/

Description

Gocryptfs is an encrypted overlay filesystem: it encrypts data on a per-file basis and exposes the result as a mountable FUSE filesystem.

For more details see

Running Program

To use gocryptfs on Sapelo2, you need to do the following steps:

1. Load the gocryptfs module with

ml gocryptfs/2.5.2

2. Create two folders

  • data_enc, which will store the encrypted files.
  • data_unenc, which will present an unencrypted view of the files, when needed.

Sample commands to do that in your /scratch dir:

$ cd /scratch/$USER
$ mkdir data_enc
$ mkdir data_unenc

Note that the $ (dollar sign) in the sample above represents the shell prompt and is not part of the commands to use.

3. Initialize the data_enc directory with a password

$ cd /scratch/$USER/
$ gocryptfs -init data_enc
Choose a password for protecting your files.
Password: 
Repeat: 

Your master key is:

    3d67df93-e68eaddf-ca1f8da7-847b2fd1-
    d63f3366-7858b60e-de5acb56-99a388e0

If the gocryptfs.conf file becomes corrupted or you ever forget your password,
there is only one hope for recovery: The master key. Print it to a piece of
paper and store it in a drawer. This message is only printed once.
The gocryptfs filesystem has been created successfully.
You can now mount it using: gocryptfs dir.encrypted MOUNTPOINT

When you run this initialization step, gocryptfs prints the master key, which can be used to restore access to the data files; this is especially useful if the password is lost.

Keep the master key safe, and never store it unencrypted on the platform itself.

After initialization, the data_enc directory contains two internal configuration files:

  • gocryptfs.conf is the global configuration for the encrypted directory
  • gocryptfs.diriv is created per-directory for encryption of file names

Note that you should never modify (any) files within the data_enc directory.


4. Mount the data_enc directory into the data_unenc directory

To be able to read and write files, the data_enc storage needs to be mounted into the data_unenc directory.

$ cd /scratch/$USER
$ gocryptfs data_enc data_unenc
Password: 
Decrypting master key
InoMap: opening spillMap for inomap.QIno{namespaceData:inomap.namespaceData{Dev:0xdd2a3a22, Tag:0x0}, Ino:0x24001749000989f}
Filesystem mounted and ready.

When prompted for the "password", enter the password that you chose when you initialized the data_enc directory (in step 3 above).

5. Add files to the data_unenc directory

All your processing (new file/folder creation, modification and transfers) will happen in the data_unenc directory.

Once the data_enc directory is mounted in the data_unenc directory we can create files in the latter:

  • any folder/file created in the unencrypted data_unenc directory will have a 1:1 correspondent in the encrypted data_enc directory
  • the plain text testfile.txt file is stored in encrypted format as ARGZF6e9kCxhMYHD8kP-fQ in the underlying data_enc directory (file name metadata is encrypted as well)
  • the same permissions applied on testfile.txt are also set for its encrypted correspondent file

$ cd /scratch/$USER
$ echo "Content of test file" > data_unenc/testfile.txt
$ ls data_unenc
testfile.txt
$ ls data_enc
ARGZF6e9kCxhMYHD8kP-fQ  gocryptfs.conf  gocryptfs.diriv
$ file data_enc/*
data_enc/ARGZF6e9kCxhMYHD8kP-fQ: data
data_enc/gocryptfs.conf:         ASCII text
data_enc/gocryptfs.diriv:        data

6. Unmount the data_unenc directory

At the end of your processing, unmount the encrypted overlay, so that the unencrypted view of the data in data_unenc is closed and no longer visible in the regular filesystem.

Note that you should always ensure that this happens before your job reservation expires.

$ fusermount -u data_unenc
$ ls data_unenc
$ ls data_enc
ARGZF6e9kCxhMYHD8kP-fQ  gocryptfs.conf  gocryptfs.diriv

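The six steps above assume an interactive session where you can type the password at the mount prompt. The following script is an added example, not part of the wiki page or of the gocryptfs project, showing how the same mount, process, unmount cycle can be run unattended in a batch job while keeping the two guarantees the page asks for: the plaintext view is never left mounted after the job ends (a trap unmounts on exit, failure or SIGTERM), and nothing is mounted twice or onto a directory that was never initialised. It uses the -passfile option listed in the help output below; the password file is plaintext, so the script refuses to use it unless its mode is 0600 or 0400. The function names, the RUN_GOCRYPTFS_JOB variable and the path names are assumptions made for this example; gocryptfs and fusermount are assumed to be on PATH (for instance after ml gocryptfs/2.5.2).

```shell
#!/bin/bash
# Added example (not from the RCC wiki page or the gocryptfs project): a guarded
# wrapper for using a gocryptfs overlay inside a batch job where nobody can type
# the password. Assumes gocryptfs and fusermount are on PATH and that the
# password is read with -passfile from a file only the job owner can read.
# RUN_GOCRYPTFS_JOB=1 opts in to actually running the job (assumed variable name).

# A cipher dir initialised with `gocryptfs -init` carries these two files.
is_cipherdir() {
    [ -f "$1/gocryptfs.conf" ] && [ -f "$1/gocryptfs.diriv" ]
}

# True when something is already mounted on the path (prevents double mounts).
is_mounted() {
    if command -v mountpoint >/dev/null 2>&1; then
        mountpoint -q "$1"
    else
        grep -qs " $(readlink -f "$1") " /proc/mounts
    fi
}

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The -passfile contents are plaintext, so insist that group and other have
# no access at all (mode 0600 or 0400) before handing the file to gocryptfs.
check_passfile_perms() {
    local mode
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing password file $1 with mode $mode (want 0600)" >&2; return 1 ;;
    esac
}

# Unmount the plaintext view; a no-op if the mount is already gone.
unmount_overlay() {
    if is_mounted "$1"; then
        fusermount -u "$1"
    fi
}

# Mount, run the workload, and always unmount, even on failure or SIGTERM,
# so the unencrypted view never outlives the job reservation.
OVERLAY_MOUNT=""
run_encrypted_job() {
    local cipher="$1" plain="$2" passfile="$3" rc
    shift 3
    is_cipherdir "$cipher" || { echo "$cipher is not an initialised gocryptfs dir" >&2; return 1; }
    check_passfile_perms "$passfile" || return 1
    if is_mounted "$plain"; then
        echo "$plain is already mounted; refusing to mount again" >&2
        return 1
    fi
    mkdir -p "$plain"
    gocryptfs -q -passfile "$passfile" "$cipher" "$plain" || return 1
    OVERLAY_MOUNT="$plain"
    trap 'unmount_overlay "$OVERLAY_MOUNT"' EXIT HUP INT TERM
    "$@"                      # the actual processing, working inside $plain
    rc=$?
    unmount_overlay "$plain"
    trap - EXIT HUP INT TERM
    return "$rc"
}

if [ "${RUN_GOCRYPTFS_JOB:-0}" = "1" ]; then
    # usage: RUN_GOCRYPTFS_JOB=1 ./enc_job.sh data_enc data_unenc ~/.gocryptfs_pass cmd args...
    run_encrypted_job "$@"
fi
```

In a Slurm script this replaces the interactive mount and unmount commands: put the password file outside the cipher dir with mode 0600, call run_encrypted_job with the command that does the processing, and delete the password file when the project no longer needs unattended mounts. The checks are deliberately conservative: refusing an already mounted mount point avoids stacking a second overlay, and refusing a loosely protected password file keeps the mount secret from other users on the shared node.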

Documentation

$ gocryptfs -h
gocryptfs v2.5.2 without_openssl; go-fuse v2.5.0; 2025-03-19 go1.23.5 linux/amd64

Usage: gocryptfs -init|-passwd|-info [OPTIONS] CIPHERDIR
  or   gocryptfs [OPTIONS] CIPHERDIR MOUNTPOINT

Common Options (use -hh to show all):
  -aessiv            Use AES-SIV encryption (with -init)
  -allow_other       Allow other users to access the mount
  -i, -idle          Unmount automatically after specified idle duration
  -config            Custom path to config file
  -ctlsock           Create control socket at location
  -extpass           Call external program to prompt for the password
  -fg                Stay in the foreground
  -fsck              Check filesystem integrity
  -fusedebug         Debug FUSE calls
  -h, -help          This short help text
  -hh                Long help text with all options
  -init              Initialize encrypted directory
  -info              Display information about encrypted directory
  -masterkey         Mount with explicit master key instead of password
  -nonempty          Allow mounting over non-empty directory
  -nosyslog          Do not redirect log messages to syslog
  -passfile          Read password from plain text file(s)
  -passwd            Change password
  -plaintextnames    Do not encrypt file names (with -init)
  -q, -quiet         Silence informational messages
  -reverse           Enable reverse mode
  -ro                Mount read-only
  -speed             Run crypto speed test
  -version           Print version information
  --                 Stop option parsing

Installation

Code downloaded from https://github.com/rfjakob/gocryptfs

System

64-bit Linux