% GOCRYPTFS(1)
% github.com/rfjakob
% Nov 2015

NAME
====

gocryptfs - mount an encrypted directory

SYNOPSIS
========

Initialize encrypted filesystem
-------------------------------

gocryptfs -init [OPTIONS] CIPHERDIR

Mount
-----

gocryptfs [OPTIONS] CIPHERDIR MOUNTPOINT

Change password
---------------

gocryptfs -passwd [OPTIONS] CIPHERDIR

DESCRIPTION
===========

Options:

**-config string**
:	Use specified config file instead of CIPHERDIR/gocryptfs.conf

**-cpuprofile string**
:	Write cpu profile to specified file

**-debug**
:	Enable debug output

**-diriv**
:	Use per-directory file name IV (default true)

**-emenames**
:	Use EME filename encryption (default true). This option implies diriv.

**-extpass string**
:	Use an external program (like ssh-askpass) for the password prompt.
The program should return the password on stdout; a trailing newline is
stripped by gocryptfs. Using something like "cat /mypassword.txt" allows
mounting the gocryptfs filesystem without user interaction.

**-f**
:	Stay in the foreground instead of forking away.

**-fusedebug**
:	Enable fuse library debug output

**-gcmiv128**
:	Use a 128-bit IV for GCM encryption instead of Go's default of
96 bits (default true). This pushes back the birthday bound for IV
collisions far enough to make it irrelevant.

**-init**
:	Initialize encrypted directory

**-masterkey string**
:	Mount with explicit master key specified on the command line. This
option can be used to mount a gocryptfs filesystem without a config file.
Note that the command line, and with it the master key, is visible to
anybody on the machine who can execute "ps -auxwww".

**-notifypid int**
:	Send USR1 to the specified process after successful mount. This is
used internally for daemonization.

**-openssl bool**
:	Use OpenSSL instead of built-in Go crypto (default true). Using
built-in crypto is 4x slower.

**-passwd**
:	Change password

**-plaintextnames**
:	Do not encrypt file names

**-q**
:	Quiet - silence informational messages

**-scryptn int**
:	scrypt cost parameter logN. Setting this to a lower value speeds up
mounting but makes the password susceptible to brute-force attacks (default 16)

**-version**
:	Print version and exit

**-zerokey**
:	Use all-zero dummy master key. This option is only intended for
automated testing as it does not provide any security.
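
The **-masterkey** caveat above can be checked on a running host. The following is an added example, not part of the gocryptfs project: a shell function that lists the PIDs of gocryptfs processes whose command line carries the master key, without printing the key itself. The function names, the overridable /proc root and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not gocryptfs project code): report processes whose
# command line exposes a gocryptfs master key via -masterkey.

# find_masterkey_pids [PROC_ROOT]
#   Prints the PID of every process under PROC_ROOT (default /proc) whose
#   argv[0] basename is "gocryptfs" and whose arguments contain -masterkey.
#   Only PIDs are printed; the key material is never echoed.
#   Assumption: the option may be spelled -masterkey or --masterkey, with
#   the value as the next argument or attached with "=".
find_masterkey_pids() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        # Skip entries that cannot be read (or an unmatched glob pattern).
        [ -r "$dir/cmdline" ] || continue
        # /proc/PID/cmdline is NUL-separated; put one argument per line.
        if tr '\0' '\n' < "$dir/cmdline" | awk '
            NR == 1 { n = split($0, p, "/"); is_gcfs = (p[n] == "gocryptfs") }
            NR > 1 && /^--?masterkey(=|$)/ { exposed = 1 }
            END { exit !(is_gcfs && exposed) }'
        then
            echo "${dir##*/}"
        fi
    done
}

# Demo on a constructed /proc-like tree (sample data, not real processes).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/101" "$tmp/102" "$tmp/103"
    printf 'gocryptfs\0-masterkey\0CONSTRUCTED-KEY\0/tmp/g1\0/tmp/g2\0' > "$tmp/101/cmdline"
    printf '/usr/bin/gocryptfs\0/tmp/g1\0/tmp/g2\0' > "$tmp/102/cmdline"
    printf '/usr/bin/gocryptfs\0--masterkey=CONSTRUCTED-KEY\0/tmp/g1\0/tmp/g2\0' > "$tmp/103/cmdline"
    find_masterkey_pids "$tmp"      # prints 101 and 103
    rm -rf "$tmp"
}

demo
```

Calling `find_masterkey_pids` with no argument scans the live /proc; any PID it prints is a mount whose master key is readable by other local users for as long as the process runs.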


EXAMPLES
========

Create and mount an encrypted filesystem:

mkdir /tmp/g1 /tmp/g2

gocryptfs -init /tmp/g1  
gocryptfs /tmp/g1 /tmp/g2