cryfs(1)                General Commands Manual                cryfs(1)

NAME
cryfs - cryptographic filesystem for the cloud

SYNOPSIS
    cryfs [-c file] [-f] [options] basedir mountpoint
    cryfs --help|--version|--show-ciphers

DESCRIPTION
CryFS encrypts your files, so you can safely store them anywhere.

The goal of CryFS is to keep not only file contents, but also file
sizes, metadata and directory structure confidential. CryFS uses
encrypted same-size blocks to store both the files themselves and the
blocks' relations to one another. These blocks are stored as individual
files in the base directory, which can then be synchronized with cloud
services such as Dropbox.

The blocks are encrypted using a random key, which is stored in a
configuration file encrypted by the user's passphrase. By default, it
will be stored together with the data in the base directory, but you
can choose a different location if you do not want it in your cloud or
when using a weak passphrase.

Selecting base and mount directories
While you can access your files through your mount directory, CryFS
actually places them in your base directory after encrypting. CryFS will
encrypt and decrypt your files 'on the fly' as they are accessed, so
files will never be stored on the disk in unencrypted form.

You can choose any empty directory as your base, but your mount
directory should be outside of any cloud storage, as your cloud may try
to sync your (temporarily mounted) unencrypted files as well.

Setup and usage of your encrypted directory
Creating and mounting your encrypted storage use the same command-line
syntax:

    cryfs basedir mountpoint

If CryFS detects an encrypted storage in the given base directory, you
will be asked for the passphrase to unlock and mount it. Otherwise,
CryFS will help you create one; just follow the on-screen instructions.

After you are done working with your encrypted files, unmount your
storage with the command

    cryfs-unmount mountpoint

Changing your passphrase
As the encryption key to your CryFS storage is stored in your
configuration file, it would be possible to re-encrypt it using a
different passphrase (although this feature has not been implemented
yet).

However, this does not change the actual encryption key of your
storage, so someone with access to the old passphrase and configuration
file (for example through the file history of your cloud or your file
system) could still access your files, even those created after the
password change.

For this reason, the recommended way to change your passphrase is to
create a new CryFS storage with the new passphrase and move your files
from the old to the new one.

OPTIONS
Getting help
-h, --help
    Show a help message containing short descriptions for all options.

--show-ciphers
    Show a list of all supported encryption ciphers.

--version
    Show the CryFS version number.

Encryption parameters
--blocksize arg
    Set the block size to arg bytes. Defaults to 32768.

    A higher block size may help reduce the file count in your base
    directory (especially when storing large files), but will also
    waste more space when storing smaller files.

--cipher arg
    Use arg as the cipher for the encryption. Defaults to aes-256-gcm.

-c file, --config file
    Use file as configuration file for this CryFS storage instead of
    basedir/cryfs.config

General options
-f, --foreground
    Run CryFS in the foreground. Stop using CTRL-C.

--allow-filesystem-upgrade
    Allow upgrading the file system if it was created with an old
    CryFS version. After the upgrade, older CryFS versions might not
    be able to use the file system anymore.

--allow-integrity-violations
    By default, CryFS checks for integrity violations, i.e. will
    notice if an adversary modified or rolled back the file system.
    Using this flag, you can disable the integrity checks. This can
    for example be helpful for loading an old snapshot of your file
    system without CryFS thinking an adversary rolled it back.

--allow-replaced-filesystem
    By default, CryFS remembers file systems it has seen in this base
    directory and checks that it didn't get replaced by an attacker
    with an entirely different file system since the last time it was
    loaded. However, if you do want to replace the file system with an
    entirely new one, you can pass in this option to disable the check.

--create-missing-basedir
    Creates the base directory even if there is no directory currently
    there, skipping the normal confirmation message to create it later.

--create-missing-mountpoint
    Creates the mountpoint even if there is no directory currently
    there, skipping the normal confirmation message to create it later.

--missing-block-is-integrity-violation=true
    When CryFS encounters a missing ciphertext block, it cannot (yet)
    know if it was deleted by an unauthorized adversary or by a second
    authorized client. This is one of the restrictions of the
    integrity checks currently in place. You can enable this flag to
    treat missing ciphertext blocks as integrity violations, but then
    your file system will not be usable by multiple clients anymore.
    By default, this flag is disabled.

--logfile file
    Write status information to file. If no logfile is given, CryFS
    will write it to syslog in background mode, or to stdout in
    foreground mode.

--unmount-idle arg
    Unmount automatically after arg minutes of inactivity.

-o option, --fuse-option option
    Pass through options to the FUSE filesystem driver.

    For example:

    -o allow_other
        This option overrides the security measure restricting file
        access to the filesystem owner, so that all users (including
        root) can access the files.

    -o allow_root
        This option is similar to allow_other but file access is
        limited to the filesystem owner and root. This option and
        allow_other are mutually exclusive.

ENVIRONMENT
CRYFS_FRONTEND=noninteractive
    With this option set, CryFS will only ask for the encryption
    passphrase once. Instead of asking the user for parameters not
    specified on the command line, it will just use the default
    values. CryFS will also not ask you to confirm your passphrase
    when creating a new CryFS storage.

    Set this environment variable when automating CryFS using external
    tools or shell scripts.

CRYFS_NO_UPDATE_CHECK=true
    By default, CryFS connects to the internet to check for known
    security vulnerabilities and new versions. This option disables
    this.

CRYFS_LOCAL_STATE_DIR=[path]
    Sets the directory cryfs uses to store local state. This local
    state is used to recognize known file systems and run integrity
    checks (i.e. check that they haven't been modified by an
    attacker). Default value: ${HOME}/.cryfs
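
An added example, not part of the CryFS man page or project: a POSIX shell pre-mount check for scripted use. It applies the advice above (mountpoint outside any cloud storage, configuration file optionally kept out of the cloud) before running cryfs with CRYFS_FRONTEND=noninteractive. The function names and the caller-supplied list of sync roots are assumptions of this example.

```shell
#!/bin/sh
# Added example: path checks before a scripted CryFS mount.
# "Sync roots" are the directories a cloud client uploads; the caller lists them.

# Print the physical path of an existing directory, symlinks resolved.
physical_dir() { ( cd "$1" 2>/dev/null && pwd -P ); }

# Return 0 if directory $1 is directory $2 or lies below it.
is_inside() {
    child=$(physical_dir "$1") || return 2
    parent=$(physical_dir "$2") || return 2
    case "$child/" in
        "${parent%/}"/*) return 0 ;;
    esac
    return 1
}

# Usage: cryfs_preflight BASEDIR MOUNTPOINT CONFIG SYNC_ROOT...
# Returns 0 if the mount may proceed, 1 otherwise (reason on stdout).
cryfs_preflight() {
    basedir=$1 mountpoint=$2 config=$3
    shift 3
    [ -d "$basedir" ] || { echo "no base directory: $basedir"; return 1; }
    [ -d "$mountpoint" ] || { echo "no mountpoint: $mountpoint"; return 1; }
    for root in "$@"; do
        # The mounted view is plaintext; a sync client would upload it.
        if is_inside "$mountpoint" "$root"; then
            echo "mountpoint is synced by $root"
            return 1
        fi
        # Not fatal: the config is encrypted with the passphrase, but it
        # can be kept out of the cloud, e.g. when the passphrase is weak.
        if is_inside "$(dirname "$config")" "$root"; then
            echo "note: config file is synced by $root"
        fi
    done
    return 0
}

# Run the checks, then mount; CryFS asks for the passphrase once and
# uses defaults for anything not given on the command line.
mount_cryfs() {
    cryfs_preflight "$@" || return 1
    CRYFS_FRONTEND=noninteractive cryfs -c "$3" "$1" "$2"
}
```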

SEE ALSO
mount.fuse(1), fusermount(1)

For more information about the design of CryFS, visit
https://www.cryfs.org

Visit the development repository at https://github.com/cryfs/cryfs for
the source code and the full list of contributors to CryFS.

AUTHORS
CryFS was created by Sebastian Messmer and contributors. This man page
was written by Maximilian Wende.