% GOCRYPTFS(1)
% github.com/rfjakob
% May 2016

NAME
====

gocryptfs - mount an encrypted directory

SYNOPSIS
========

Initialize encrypted filesystem
-------------------------------

gocryptfs -init [OPTIONS] CIPHERDIR

Mount
-----

gocryptfs [OPTIONS] CIPHERDIR MOUNTPOINT

Change password
---------------

gocryptfs -passwd [OPTIONS] CIPHERDIR

DESCRIPTION
===========

Options:

**-allow_other**
:	By default, the Linux kernel prevents any other user (even root) to
access a mounted FUSE filesystem. Settings this option allows access for
other users, subject to file permission checking. Only works if
user_allow_other is set in /etc/fuse.conf. This option is equivalent to
"allow_other" plus "default_permissions" described in fuse(8).

**-config string**
:	Use specified config file instead of CIPHERDIR/gocryptfs.conf

**-cpuprofile string**
:	Write cpu profile to specified file

**-d, -debug**
:	Enable debug output

**-extpass string**
:	Use an external program (like ssh-askpass) for the password prompt.
The program should return the password on stdout, a trailing newline is
stripped by gocryptfs. Using something like "cat /mypassword.txt" allows
to mount the gocryptfs filesytem without user interaction.

**-f**
:	Stay in the foreground instead of forking away.

**-fusedebug**
:	Enable fuse library debug output

**-init**
:	Initialize encrypted directory

**-longnames**
:	Store names longer than 176 bytes in extra files (default true)
This flag is useful when recovering old gocryptfs filesystems using
"-masterkey". It is ignored (stays at the default) otherwise.

**-masterkey string**
:	Mount with explicit master key specified on the command line. This
option can be used to mount a gocryptfs filesystem without a config file.
Note that the command line, and with it the master key, is visible to
anybody on the machine who can execute "ps -auxwww".

**-memprofile string**
:	Write memory profile to specified file. This is useful when debugging
memory usage of gocryptfs.

**-nosyslog**
:	Diagnostic messages are normally redirected to syslog once gocryptfs
daemonizes. This option disables the redirection and messages will
continue be printed to stdout and stderr.

**-notifypid int**
:	Send USR1 to the specified process after successful mount. This is
used internally for daemonization.

**-openssl bool**
:	Use OpenSSL instead of built-in Go crypto (default "auto"). Using
built-in crypto is 4x slower unless your CPU has AES instructions and
you are using Go 1.6+. In mode "auto", gocrypts chooses the faster
option.

**-passwd**
:	Change password

**-plaintextnames**
:	Do not encrypt file names

**-q, -quiet**
:	Quiet - silence informational messages

**-ro**
:	Mount the filesystem read-only

**-scryptn int**
:	scrypt cost parameter logN. Setting this to a lower value speeds up
mounting but makes the password susceptible to brute-force attacks (default 16)

**-version**
:	Print version and exit. The output contains three fields seperated by
";". Example: "gocryptfs v0.12-2; go-fuse a4c968c; go1.6.2".
Field 1 is the gocryptfs version, field 2 is the version of the go-fuse
library, field 3 is the Go version that was used to compile the binary.

**-wpanic**
:	When encountering a warning, panic and exit immediately. This is
useful in regression testing.

**-zerokey**
:	Use all-zero dummy master key. This options is only intended for
automated testing as it does not provide any security.


EXAMPLES
========

Create and mount an encrypted filesystem:

mkdir /tmp/g1 /tmp/g2

gocryptfs -init /tmp/g1  
gocryptfs /tmp/g1 /tmp/g2


SEE ALSO
========
fuse(8)