Manage encrypted folders from Linux terminal
How to Encrypt Files and Folders on Linux easily with gocryptfs
The idea
Full-disk encryption is a good baseline. But it only protects you when your machine is off.
Once the system is running and you’re logged in, your entire filesystem is decrypted and accessible: to you, to any process running under your user, and to anyone who gets a shell on your system. If your session is open, a stolen laptop, a rogue script, or a compromised application can read everything.
That’s where file-based encryption fills the gap.
gocryptfs is a FUSE-mounted, file-level encryption program. Because it encrypts at the file level rather than the entire disk, your files exist as individual encrypted objects on disk — and only become readable when you explicitly mount the encrypted directory with your password. When you’re done working, you unmount it. The data goes back to being unreadable noise.
The underlying cryptography is solid: AES-GCM for file contents, EME wide-block encryption for file names, and scrypt for password hashing. It was inspired by the older EncFS project, and was specifically designed to fix EncFS’s known security weaknesses.
The practical upside is that gocryptfs is fast, lightweight, well-documented, and available in most major Linux distribution repositories. It doesn’t require root to mount. It works transparently with your existing tools — your text editor, your file manager, your scripts. You don’t change your workflow; you just add a lock to the things that actually need one.
In this guide, we’ll walk through installing gocryptfs, creating an encrypted vault, mounting and unmounting it, and a few best practices to avoid locking yourself out of your own data.
Installation
Now that the idea is clear, let’s go on with installation and configuration.
massmux@penguin:~$ sudo apt install gocryptfs
Now, let’s create our first encrypted gocryptfs folder.
massmux@penguin:~$ mkdir secret-folder
massmux@penguin:~$ gocryptfs --init secret-folder
Choose a password for protecting your files.
Password:
Repeat:
Your master key is:
8f68fc74-9e35626d-36923ce7-9c7adb42-
31d456a8-90e4367e-d4dcfd2e-067c0ced
The master key shown here is very important: if you forget your password, the master key is the only way to recover your folder’s contents. So keep it in a secure place.
Now you can mount the encrypted folder, for example on open-folder/. So what happens? gocryptfs decrypts the encrypted folder and mounts it at open-folder/, where you can work freely on the plaintext files.
massmux@penguin:~$ mkdir open-folder
massmux@penguin:~$ gocryptfs secret-folder/ open-folder
Password:
Decrypting master key
DetectQuirks: Btrfs detected, forcing -noprealloc. See https://github.com/rfjakob/gocryptfs/issues/395 for why.
Filesystem mounted and ready.
We can see that the encrypted folder is decrypted and mounted:
massmux@penguin:~$ df -m
Filesystem 1M-blocks Used Available Use% Mounted on
/dev/vdc 20480 2392 17690 12% /
none 1 1 1 1% /dev
/dev/vdc 20480 2392 17690 12% /dev/kvm
tmpfs 1 0 1 0% /dev/lxd
run 3236 1 3236 1% /dev/.cros_milestone
9p 3860 2 3859 1% /mnt/chromeos
tmpfs 3236 0 3236 0% /mnt/external
tmpfs 1 0 1 0% /dev/.lxd-mounts
devtmpfs 3235 0 3235 0% /dev/tty
tmpfs 3236 0 3236 0% /dev/shm
tmpfs 1295 1 1295 1% /run
tmpfs 5 0 5 0% /run/lock
tmpfs 4 0 4 0% /sys/fs/cgroup
tmpfs 648 1 648 1% /run/user/1000
/home/massmux/secret-folder 20480 2392 17690 12% /home/massmux/open-folder
When we are done with our work, we can unmount the folder.
massmux@penguin:~$ umount /home/massmux/open-folder
And now you can check that everything is as expected:
massmux@penguin:~$ umount /home/massmux/open-folder
massmux@penguin:~$ ls open-folder/
massmux@penguin:~$ ls secret-folder/
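Fes37GGPQvKs0h4H1AIlBILPWErpmm-Pn9hJuzba4B8 gocryptfs.conf gocryptfs.diriv K6t_24a34oeArDCGYjCdPKLAAXm9J0s4pXnRMRTcOf0
As you can see, open-folder/ (which was just a mount point) is empty, while secret-folder/ is populated with encrypted files, as expected. If you want, you can sync the encrypted folder to a cloud service without exposing your files: only encrypted file names and contents are uploaded. Keep in mind that gocryptfs.conf is synced too, and it holds the master key encrypted with your password, so the password needs to be strong.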
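The two habits this guide relies on, unmounting when you are done and syncing only the encrypted folder, can be checked by a script. The following is an added example, not part of the original article: the function names are hypothetical, and it assumes an unlocked vault is listed in /proc/mounts with filesystem type fuse.gocryptfs.

```sh
#!/bin/sh
# Added example, not from the original article.
# Assumption: an unlocked vault is listed in /proc/mounts with filesystem type
# "fuse.gocryptfs", the encrypted folder as source and the plaintext folder
# as mount point.

# Print "cipherdir<TAB>mountpoint" for every vault that is currently unlocked.
# $1: mount table to read (default /proc/mounts; pass a file to test offline).
open_vaults() (
    tab=$(printf '\t')
    while read -r src mnt fstype _rest; do
        [ "$fstype" = "fuse.gocryptfs" ] || continue
        # The kernel writes a space inside a path as \040; decode it.
        printf '%s\n' "$src$tab$mnt" | sed 's/\\040/ /g'
    done < "${1:-/proc/mounts}"
)

# Unmount every unlocked vault (umount as used in the article), for example
# from a logout or pre-suspend hook. Returns non-zero if any unmount failed.
lock_all() {
    open_vaults "$@" | cut -f2 | (
        rc=0
        while IFS= read -r mnt; do
            umount "$mnt" || rc=1
        done
        exit "$rc"
    )
}

# Succeed only if directory $1 is safe to give to a cloud sync tool: it must
# hold gocryptfs.conf (an encrypted folder) and must not be a plaintext mount.
# $2: optional mount table, as for open_vaults.
safe_to_sync() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    if open_vaults "${2:-/proc/mounts}" | cut -f2 | grep -qxF -- "$dir"; then
        echo "refusing: $dir is a decrypted mount point" >&2
        return 1
    fi
    [ -f "$dir/gocryptfs.conf" ] || {
        echo "refusing: $dir has no gocryptfs.conf" >&2
        return 1
    }
}
```

Source the file, then run `open_vaults` to see what is still unlocked, or put `safe_to_sync ~/secret-folder && <your sync command>` in the script that uploads the vault.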



