Gocryptfs-Sapelo2
Revision as of 09:28, 21 March 2025
Category: Other
Program On: Sapelo2
Version: 2.5.2
Author / Distributor: Please see https://nuetzlich.net/gocryptfs/
Description
Gocryptfs is an implementation of an encryption overlay filesystem, which uses file-based encryption that is implemented as a mountable FUSE filesystem.
For more details see
Running Program
To use gocryptfs on Sapelo2, you need to do the following steps:
1. Load the gocryptfs module
ml gocryptfs/2.5.2
2. Create two directories
- data_enc, which will store the encrypted files.
- data_unenc, which will present an unencrypted view of the files, when needed.
These two directories can be created in your home dir (/home/$USER), in your group's /work dir, or in your /scratch dir. When choosing the directory to use, please recall that users' home dirs and groups' /work dirs have quotas, and that files in /scratch are subject to the automatic purge policy. Please see https://wiki.gacrc.uga.edu/wiki/Disk_Storage.
Sample commands to create the directories in your group's /work/abclab (change the name of this path to reflect your own group name, instead of "abclab") dir:
$ mkdir /work/abclab/$USER
$ cd /work/abclab/$USER
$ mkdir data_enc
$ mkdir data_unenc
Note that the $ (dollar sign) in the sample above represents the shell prompt and it is not part of the commands to use.
3. Initialize the data_enc directory with a password
$ cd /work/abclab/$USER/
$ gocryptfs -init data_enc
Choose a password for protecting your files.
Password:
Repeat:
Your master key is:

    3d67df93-e68eaddf-ca1f8da7-847b2fd1-
    d63f3366-7858b60e-de5acb56-99a388e0

If the gocryptfs.conf file becomes corrupted or you ever forget your password,
there is only one hope for recovery: The master key. Print it to a piece of
paper and store it in a drawer. This message is only printed once.
The gocryptfs filesystem has been created successfully.
You can now mount it using: gocryptfs dir.encrypted MOUNTPOINT
When you run this initialization step, gocryptfs provides you with the master key that can be used to restore access to the data files, especially useful in case the password is lost.
You should keep the master key safe, never store it unencrypted on the platform itself. Please note that we (GACRC staff) have no way to recover your password or your master key.
After initialization, the data_enc directory contains two internal configuration files:
- gocryptfs.conf is the global configuration for the encrypted directory
- gocryptfs.diriv is created per-directory for encryption of file names
Note that you should never modify (any) files within the data_enc directory.
4. Mount the data_enc directory into the data_unenc directory
To be able to read and write files, the data_enc storage needs to be mounted into the data_unenc directory.
$ cd /work/abclab/$USER
$ gocryptfs data_enc data_unenc
Password:
Decrypting master key
InoMap: opening spillMap for inomap.QIno{namespaceData:inomap.namespaceData{Dev:0xdd2a3a22, Tag:0x0}, Ino:0x24001749000989f}
Filesystem mounted and ready.
When prompted for the "password", enter the password that you chose when you initialized the data_enc directory (in step 3 above).
5. Add files to the data_unenc directory
All your processing (new file/folder creation, modification and transfers) will happen in the data_unenc directory.
Once the data_enc directory is mounted in the data_unenc directory we can create files in the latter:
- any folder/file created in the unencrypted data_unenc directory will have a 1:1 correspondent in the encrypted data_enc directory
- the plain text testfile.txt file is stored in encrypted format as ARGZF6e9kCxhMYHD8kP-fQ in the underlying data_enc directory (file name metadata is encrypted as well)
- the same permissions applied on testfile.txt are also set for its encrypted correspondent file
$ cd /work/abclab/$USER
$ echo "Content of test file" > data_unenc/testfile.txt
$ ls data_unenc
testfile.txt
$ ls data_enc
ARGZF6e9kCxhMYHD8kP-fQ  gocryptfs.conf  gocryptfs.diriv
$ file data_enc/*
data_enc/ARGZF6e9kCxhMYHD8kP-fQ: data
data_enc/gocryptfs.conf:         ASCII text
data_enc/gocryptfs.diriv:        data
6. Unmount the data_unenc directory
At the end of your processing, unmount the encrypted overlay, such that the unencrypted view of the data in data_unenc is closed and not visible in the regular filesystem.
Note that you should always ensure that this happens before your job reservation ends (or before it runs out of walltime).
$ fusermount -u data_unenc
$ ls data_unenc
$ ls data_enc
ARGZF6e9kCxhMYHD8kP-fQ  gocryptfs.conf  gocryptfs.diriv
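A wrapper for the mount, process and unmount cycle of steps 3 to 6, added here as an example and not part of the GACRC page or of gocryptfs itself: it checks that data_enc was initialized, refuses to mount over a non-empty or already-mounted data_unenc, and traps EXIT and TERM so that the unmount of step 6 still happens when the job is killed at its walltime limit. The helper names, the use of /proc/self/mounts and the fusermount -uz fallback are assumptions.

```shell
#!/bin/sh
# Added example for a batch job on Sapelo2 (not a GACRC script): guard the
# mount/process/unmount cycle of steps 3-6 so the plaintext view in data_unenc
# is always torn down, including when the scheduler ends the job at walltime.
# Directory names follow the wiki; helper names and paths are assumptions.

# Step 3 done? An initialized cipher dir holds gocryptfs.conf and gocryptfs.diriv.
is_cipherdir() {
    [ -f "$1/gocryptfs.conf" ] && [ -f "$1/gocryptfs.diriv" ]
}

# Is DIR currently a mount point? Read /proc/self/mounts (no extra tools needed).
is_mounted() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    awk -v d="$dir" '$2 == d { found = 1 } END { exit !found }' /proc/self/mounts 2>/dev/null
}

# Only mount over an existing, empty, not-yet-mounted directory: stray files or a
# leftover mount there would be hidden, or mistaken for decrypted data.
mountpoint_is_safe() {
    [ -d "$1" ] && ! is_mounted "$1" && [ -z "$(ls -A "$1")" ]
}

# Step 6, made unconditional: normal unmount first, lazy unmount as a fallback
# when a process still holds a file open while the job is being killed.
unmount_overlay() {
    if is_mounted "$1"; then
        fusermount -u "$1" || fusermount -uz "$1"
    fi
}

# run_encrypted CIPHERDIR MOUNTPOINT COMMAND [ARGS...]
run_encrypted() {
    cipher=$1; mnt=$2; shift 2
    is_cipherdir "$cipher" || { echo "not initialized: $cipher (run gocryptfs -init)" >&2; return 2; }
    mountpoint_is_safe "$mnt" || { echo "refusing to mount over $mnt" >&2; return 2; }
    # Step 4: gocryptfs prompts for the password; in a non-interactive job use
    # -extpass with a prompting helper rather than a plaintext password file.
    gocryptfs "$cipher" "$mnt" || return 1
    ENC_MNT=$mnt
    # Unmount on normal exit, Ctrl-C, and the SIGTERM the scheduler sends at walltime.
    trap 'unmount_overlay "$ENC_MNT"' EXIT INT TERM
    is_mounted "$mnt" || { echo "mount of $mnt did not appear" >&2; return 1; }
    "$@"   # step 5: all processing happens inside the plaintext view
}
```

Typical use in a job script is `run_encrypted /work/abclab/$USER/data_enc /work/abclab/$USER/data_unenc ./process.sh`; the EXIT trap then unmounts data_unenc however process.sh ends.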
Other important information
1. Data stored in an encrypted directory should not be used by multiple users at the same time. We recommend that each user who needs to use an encrypted filesystem goes through this process to set up a space to use (that is not shared with any other user).
2. You can change the password using the -passwd option to gocryptfs (note that the master key does not change). E.g. gocryptfs -passwd data_enc.
Documentation
$ gocryptfs -h
gocryptfs v2.5.2 without_openssl; go-fuse v2.5.0; 2025-03-19 go1.23.5 linux/amd64

Usage: gocryptfs -init|-passwd|-info [OPTIONS] CIPHERDIR
  or   gocryptfs [OPTIONS] CIPHERDIR MOUNTPOINT

Common Options (use -hh to show all):
  -aessiv            Use AES-SIV encryption (with -init)
  -allow_other       Allow other users to access the mount
  -i, -idle          Unmount automatically after specified idle duration
  -config            Custom path to config file
  -ctlsock           Create control socket at location
  -extpass           Call external program to prompt for the password
  -fg                Stay in the foreground
  -fsck              Check filesystem integrity
  -fusedebug         Debug FUSE calls
  -h, -help          This short help text
  -hh                Long help text with all options
  -init              Initialize encrypted directory
  -info              Display information about encrypted directory
  -masterkey         Mount with explicit master key instead of password
  -nonempty          Allow mounting over non-empty directory
  -nosyslog          Do not redirect log messages to syslog
  -passfile          Read password from plain text file(s)
  -passwd            Change password
  -plaintextnames    Do not encrypt file names (with -init)
  -q, -quiet         Silence informational messages
  -reverse           Enable reverse mode
  -ro                Mount read-only
  -speed             Run crypto speed test
  -version           Print version information
  --                 Stop option parsing
Installation: Code downloaded from https://github.com/rfjakob/gocryptfs
System: 64-bit Linux