cryfs(1)                    General Commands Manual                   cryfs(1)

NAME

       cryfs - cryptographic filesystem for the cloud

SYNOPSIS

       cryfs [-c file] [-f] [options] basedir mountpoint
       cryfs --help|--version|--show-ciphers

DESCRIPTION

       CryFS encrypts your files, so you can safely store them anywhere.

       The goal of CryFS is to keep confidential not only file contents, but
       also file sizes, metadata and directory structure. CryFS uses
       encrypted same-size blocks to store both the files themselves and the
       blocks' relations to one another. These blocks are stored as
       individual files in the base directory, which can then be synchronized
       with cloud services such as Dropbox.

       The blocks are encrypted using a random key, which is stored in a
       configuration file encrypted by the user's passphrase. By default, the
       configuration file is stored together with the data in the base
       directory, but you can choose a different location if you do not want
       it in your cloud or when using a weak passphrase.

USING CRYFS

   Selecting base and mount directories
       While you can access your files through your mount directory, CryFS
       actually places them in your base directory after encrypting. CryFS
       will encrypt and decrypt your files 'on the fly' as they are accessed,
       so files will never be stored on the disk in unencrypted form.

       You can choose any empty directory as your base, but your mount
       directory should be outside of any cloud storage, as your cloud may try
       to sync your (temporarily mounted) unencrypted files as well.

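       The layout rule above (the base directory may be synced, the mount
       directory must not be) can be checked before mounting. This script is
       an added example, not part of CryFS or its man page; the function names,
       exit codes and the SYNCROOT argument (your cloud client's synced folder)
       are assumptions, and the basedir/mountpoint overlap check is an extra
       sanity check.

```shell
#!/bin/sh
# Added example: pre-mount layout check for CryFS. Function names, exit codes
# and SYNCROOT (the folder your cloud client uploads) are assumptions.

# canon DIR: print the physical absolute path of an existing directory.
canon() {
    [ -n "$1" ] && [ -d "$1" ] && (CDPATH= cd -- "$1" && pwd -P)
}

# is_within PARENT CHILD: true if CHILD is PARENT or lies below it. The
# trailing slash keeps /home/u/Dropbox-old from matching /home/u/Dropbox.
is_within() {
    case "$2/" in
        "$1/"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_layout BASEDIR MOUNTPOINT SYNCROOT [CONFIGFILE]
# 0 = ok, 2 = a directory is missing, 3 = mountpoint inside the synced tree
# (decrypted files would be uploaded), 4 = mountpoint and basedir overlap
# (extra sanity check), 5 = CONFIGFILE would still sit inside the synced tree.
check_layout() {
    _base=$(canon "$1") && _mnt=$(canon "$2") && _sync=$(canon "$3") || return 2
    if is_within "$_sync" "$_mnt"; then return 3; fi
    if is_within "$_base" "$_mnt" || is_within "$_mnt" "$_base"; then return 4; fi
    if [ -n "${4:-}" ]; then
        # The config file may not exist yet, so check its directory instead.
        _cfgdir=$(canon "$(dirname -- "$4")") || return 2
        if is_within "$_sync" "$_cfgdir"; then return 5; fi
    fi
    return 0
}

# Usage: script BASEDIR MOUNTPOINT SYNCROOT [CONFIGFILE]
# Mounts only when the layout passes; cryfs then asks for the passphrase.
if [ "$#" -ge 3 ]; then
    check_layout "$@" || { rc=$?; echo "refusing to mount (code $rc)" >&2; exit "$rc"; }
    if [ -n "${4:-}" ]; then
        exec cryfs -c "$4" "$1" "$2"
    else
        exec cryfs "$1" "$2"
    fi
fi
```
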
   Setup and usage of your encrypted directory
       Creating and mounting your encrypted storage use the same command-line
       syntax:
              cryfs basedir mountpoint

       If CryFS detects an encrypted storage in the given base directory, you
       will be asked for the passphrase to unlock and mount it. Otherwise,
       CryFS will help you create one; just follow the on-screen
       instructions.

       After you are done working with your encrypted files, unmount your
       storage with the command
              cryfs-unmount mountpoint

   Changing your passphrase
       As the encryption key to your CryFS storage is stored in your
       configuration file, it would be possible to re-encrypt it using a
       different passphrase (although this feature has not been implemented
       yet).

       However, this does not change the actual encryption key of your
       storage, so someone with access to the old passphrase and configuration
       file (for example through the file history of your cloud or your file
       system) could still access your files, even those created after the
       password change.

       For this reason, the recommended way to change your passphrase is to
       create a new CryFS storage with the new passphrase and move your files
       from the old to the new one.

OPTIONS

   Getting help
       -h, --help
              Show a help message containing short descriptions for all
              options.

       --show-ciphers
              Show a list of all supported encryption ciphers.

       --version
              Show the CryFS version number.

   Encryption parameters
       --blocksize arg
              Set the block size to arg bytes. Defaults to 32768.

              A higher block size may help reduce the file count in your
              base directory (especially when storing large files), but will
              also waste more space when storing smaller files.

       --cipher arg
              Use arg as the cipher for the encryption. Defaults to
              aes-256-gcm.

       -c file, --config file
              Use file as configuration file for this CryFS storage instead of
              basedir/cryfs.config

   General options
       -f, --foreground
              Run CryFS in the foreground. Stop it with CTRL-C.

       --allow-filesystem-upgrade
              Allow upgrading the file system if it was created with an old
              CryFS version. After the upgrade, older CryFS versions might not
              be able to use the file system anymore.

       --allow-integrity-violations
              By default, CryFS checks for integrity violations, i.e. it will
              notice if an adversary modified or rolled back the file system.
              Using this flag, you can disable the integrity checks. This can
              for example be helpful for loading an old snapshot of your file
              system without CryFS thinking an adversary rolled it back.

       --allow-replaced-filesystem
              By default, CryFS remembers file systems it has seen in this
              base directory and checks that it didn't get replaced by an
              attacker with an entirely different file system since the last
              time it was loaded. However, if you do want to replace the file
              system with an entirely new one, you can pass in this option to
              disable the check.

       --create-missing-basedir
              Creates the base directory even if there is no directory
              currently there, skipping the normal confirmation message to
              create it later.

       --create-missing-mountpoint
              Creates the mountpoint even if there is no directory currently
              there, skipping the normal confirmation message to create it
              later.

       --missing-block-is-integrity-violation=true
              When CryFS encounters a missing ciphertext block, it cannot
              (yet) know if it was deleted by an unauthorized adversary or
              by a second authorized client. This is one of the restrictions
              of the integrity checks currently in place. You can enable this
              flag to treat missing ciphertext blocks as integrity violations,
              but then your file system will not be usable by multiple clients
              anymore. By default, this flag is disabled.

       --logfile file
              Write status information to file. If no logfile is given, CryFS
              will write it to syslog in background mode, or to stdout in
              foreground mode.

       --unmount-idle arg
              Unmount automatically after arg minutes of inactivity.

FUSE Options

       -o option, --fuse-option option
              Pass through options to the FUSE filesystem driver.

       For example:

       -o allow_other
              This option overrides the security measure restricting file
              access to the filesystem owner, so that all users (including
              root) can access the files.

       -o allow_root
              This option is similar to allow_other but file access is limited
              to the filesystem owner and root. This option and allow_other
              are mutually exclusive.

ENVIRONMENT

       CRYFS_FRONTEND=noninteractive
              With this option set, CryFS will only ask for the encryption
              passphrase once. Instead of asking the user for parameters not
              specified on the command line, it will just use the default
              values. CryFS will also not ask you to confirm your passphrase
              when creating a new CryFS storage.

              Set this environment variable when automating CryFS using
              external tools or shell scripts.

       CRYFS_NO_UPDATE_CHECK=true
              By default, CryFS connects to the internet to check for known
              security vulnerabilities and new versions. This option disables
              this.

       CRYFS_LOCAL_STATE_DIR=[path]
              Sets the directory CryFS uses to store local state. This local
              state is used to recognize known file systems and run integrity
              checks (i.e. check that they haven't been modified by an
              attacker). Default value: ${HOME}/.cryfs

SEE ALSO

       mount.fuse(1), fusermount(1)

       For more information about the design of CryFS, visit
       https://www.cryfs.org

       Visit the development repository at https://github.com/cryfs/cryfs for
       the source code and the full list of contributors to CryFS.

AUTHORS

       CryFS was created by Sebastian Messmer and contributors. This man page
       was written by Maximilian Wende.