Current Date: Sun, Apr 11, 2021 3:41 AM

How to encrypt files using Gocryptfs

Encryption is a must at the moment, when security and privacy standards are no longer strictly followed by companies. If you are really concerned about the security of the data stored in the cloud, it's best to encrypt that data before uploading to the cloud.

Gocryptfs is an Overlay Filesystem (or OverlayFS for short - a file system implementation that allows virtual consolidation of multiple directories, while keeping their actual content separate) encrypted, written in Go, and built. on the FUSE go-fuse library. Unlike systems that encrypt entire drives, Gocryptfs encrypts individual files using AES-GCM (Galois Counter Mode) and encrypts filenames using AES-EME (ECB-Mix-ECB). Gocryptfs is also cross-platform compatible, meaning you can access your files on any platform.

In this tutorial, the Network Administrator will show you how to use Gocryptfs to encrypt files.

How to encrypt files with Gocryptfs on Linux, Mac and Windows

  • Install Gocryptfs [ul]
  • Linux
  • Mac
  • Windows
  • Use Gocryptfs to encrypt files
  • SiriKali - GUI tool for using Gocryptfs
  • [/ul]

    Install Gocryptfs


    Gocryptfs comes with a deb package and is available in the Debian and Ubuntu repositories, meaning you can easily install it using the command:

    sudo apt install gocryptfs

    Similar to Arch Linux, you can install Gocryptfs via Pacman:

    sudo pacman -S gocryptfs

    For other Linux distributions, you can download a binary file from the Github site. (Reference links:


    To use Gocryptfs in macOS, Homebrew must be installed first:

    /usr/bin/ruby -e "$(curl -fsSL"

    Then use the following command to install Gocryptfs:

    brew install gocryptfs


    Basically, Gocryptfs is not supported in Windows due to its lack of support for FUSE. However, cppcryptfs implements Gocryptfs in C ++ for Windows, so users can still get it to work in Windows. Follow the build instructions below:

    • You will need the following software (all available for free) to build cppcryptfs: Microsoft Visual Studio 2017 (Community Edition), Perl, Nasm, and Git (Git not required).
    • You will also need to install Dokany, download the source code for OpenSSL and RapidJSON from Github. Only OpenSSL needs to be built separately. Cppcryptfs only uses header files from RapidJSON, so there's no need to build RapidJSON.

    Microsoft Visual Studio 2017

    Microsoft Visual Studio 2017 is required first. Community edition of Microsoft Visual Studio 2017 will work and is completely free. If not, it can be replaced with Professional or Enterprise edition.

    Install Visual Studio so that C ++ applications can be compiled with the support of Microsoft Foundation Classes (MFC).

    When installing Visual Studio 2017, select "Desktop development with C ++" and "MFC and ATL support (x86 and x64)".

    How to encrypt files using Gocryptfs

    Perl and Nasm

    To build OpenSSL, you will also need Perl and Nasm.

    • For Perl, the OpenSSL documentation recommends ActiveState ActivePerl free.
    • Nasm (Netwide Assembler) available here. It is recommended to use the Nasm installer if you want to follow these instructions.

    Note: You should run the Nasm installer as a regular user. When prompted to run the installer again with admin rights, just press OK. This will cause nasm to be installed in the directory Appdata current user's location.


    Git is available here. Git bundled with cygwin should work as well. But there's no need for Git if you download the source zip files from Github and unzip them.

    This tutorial assumes that you are using Git. No Github account is required to use Git.


    Unless you want to develop or debug Dokany, you should only install one of Dokany's released binaries. here.

    Use DokanSetup_redist.exe Probably the safest option. Be sure to choose "Install development files" in the installer's options.


    Cppcryptfs uses OpenSSL to encrypt and decrypt data.

    You will need to build OpenSSL from its source code.

    Please refer to the file "INSTALL" from the OpenSSL distribution if the instructions didn't work.

    After installing Visual Studio, Nasm, Git and ActiveState perl, open a new Windows Command Prompt (cmd.exe).

    You will need to open a Command Prompt with administrator privileges to run the OpenSSL installation command. However, it is also possible to build it in a normal Command Prompt.

    To start a cmd admin in Windows 10, click the search icon (magnifying glass) at the bottom left of the screen and type "cmd". Then right-click "Command Prompt" and choose "Run as administrator".

    How to encrypt files using Gocryptfs

    Whether using Git or not, it's easier to put everything in C: \ git.

    First, create a directory C: \ git, into this directory and copy the OpenSSL source code from Github, then into the directory Openssl created by Git.

    c:  mkdir \git  cd \git  git clone  cd openssl

    Run this command to put Nasm in the path (assuming you used the Nasm installer).


    Then run the batch file that comes with Visual Studio, set the environment variables to compile from the command line.

    "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvarsall.bat" amd64

    Use "x86" instead "amd64" If you're doing a 32-bit build.

    Vcvarsall.bat from Visual Studio 2017 must be run in the command shell cmd.exe of Windows, not a third party.

    Then run perl (ActiveState) to configure OpenSSL for the static build of Visual Studio AMD64 / X86_64.

    Use "VC-WIN32" instead "VC-WIN64A" if you're doing a 32-bit build.

    perl Configure VC-WIN64A no-shared

    Then run "nmake" to build OpenSSL.


    Then run "nmake install" to install it.

    nmake install

    Comeinand "nmake install" must be run from cmd admin. If you have built OpenSSL from a regular command prompt, then start a cmd admin, enter C: \ git \ openssl and definitely call vcvarsall.bat as shown above in cmd admin before running install nmake in it.


    RapidJSON is used to parse the configuration file gocryptfs.conf. Cppcryptfs only uses header files from RapidJSON, so there's no need to build your own RapidJSON.

    c:  cd \git  git clone


    First, clone cppcryptfs.

    c:  cd \git  git clone

    Access C: \ git \ cppcryptfs in Windows Explorer and double-click cppcryptfs.sln. Then change the build configuration to "Release" and the ultimate foundation "x64".

    How to encrypt files using Gocryptfs

    Into the Build> Build Solution or just press the key F7.

    There is no installation program for cppcryptfs. You will need to copy cppcryptfs.exe (For example: C: \ git \ cppcryptfs \ x64 \ Release \ cppcryptfs.exe) into some folders in the path or on the desktop.

    The 32-bit build should work. However, it has not been tested in a while.

    Whenever a new version is released, Dokany will install the header (include) files and libraries in a path, with the Dokany version number in the name. Therefore, if cppcryptfs supports the current version of Dokany, then you will need to change the path of the header and library files in cppcryptfs' Visual Studio project.

    To change the header file path in Visual Studio, right-click "cppcryptfs" in the Solution Explorer dashboard. Then choose "Properties" and moved to "C / C ++", then come "General". Then edit "Additional Include Directories " so that the current version of Dokany is in the path for the Dokany header files.

    How to encrypt files using Gocryptfs

    To change the path of the library go to "Linker", then choose "Input" and editing "Additional Dependencies".

    How to encrypt files using Gocryptfs

    Use Gocryptfs to encrypt files

    To start using Gocryptfs, you first need to create two empty folders:

    mkdir encrypted plain

    Next, initialize Gocryptfs:

    gocryptfs -init encrypted

    Finally, let's mount the directory "Encrypted" directory “Plain”.

    gocryptfs encrypted plain

    Now, any files put in the directory “Plain” will be encrypted and stored in folders "Encrypted".

    For example, if you want to store the encrypted file in Dropbox and mount it in a folder "Private" in the Home directory, you can run the following commands:

    cd  mkdir ~/Dropbox/encrypted ~/Private  gocryptfs -init ~/Dropbox/encrypted  gorcypted ~/Dropbox/encrypted ~/Private

    Each file is placed in the directory "Private" will be encrypted in the directory "Encrypted" and is uploaded to the Dropbox server.

    SiriKali - GUI tool for using Gocryptfs

    SiriKali is a GUI tool that can be used for encryption using Gocryptfs and other standards. SiriKali is available for Linux, macOS, and Windows, although the Windows version doesn't have support for Gocryptfs.

    1. Visit the SiriKali and website download the package appropriate for the system. The Linux package provides resources that you can extract and build. This bundle is also available with separate repositories for many distributions and can be found here.

    2. On Ubuntu, run the following command in Terminal:

    sudo sh -c "echo 'deb /' > /etc/apt/sources.list.d/home:obs_mhogomchungu.list"

    Once the commands have finished, you should run this code to let the system know you "trust" the key and allow the update.

    wget -nv -O Release.key  sudo apt-key add - < Release.key  sudo apt-get update  sudo apt-get install sirikali

    3. You will now see that SiriKali is installed and available in the menu. Please press to open.

    4. SiriKali opens a window (reminiscent of VeraCrypt) with options at the bottom of the screen, including Create Volume, Mount Volume, Refresh, Manage Favorites and finally Menu.

    How to encrypt files using Gocryptfs

    5. Now you can click Gocryptfs and create a drive.

    How to encrypt files using Gocryptfs

    6. Give an arbitrary name to the drive you just created and the part Key represents password. In addition, there are other options such as Password, Password and Key file and GNOME Wallet. Choose the option that suits your needs - just remember to use a password that's not easy to guess.

    How to encrypt files using Gocryptfs

    7. Once done, the newly created folder will appear in the SiriKali app. Click here to open the folder. This is where you can copy files you want to encrypt, just like any other file copy action.

    How to encrypt files using Gocryptfs

    8. When done, remember to click again and select "Unmount volume".

    Hope you are succesful!