
How to encrypt files on your Linux servers with gocryptfs

Looking for an easy-to-use encryption tool to protect data on your Linux servers? Jack Wallen shows you how to install and use gocryptfs to serve that very purpose.



Your Linux servers probably hold very precious company and/or client data. If that’s the case, what do you do to protect it? Yes, you’ve probably spent an inordinate amount of time hardening your network and maybe you’ve had a good amount of success at keeping intruders away. But, eventually someone will get in. When they do, is that data protected?

Why not give that data a layer of encryption? With Linux powering your data center servers, there are a number of tools that can help you achieve this. One such tool is gocryptfs. The gocryptfs tool allows you to encrypt only the directories you need. It’s lightweight, user-friendly, and secure. Better still, gocryptfs allows you to move those encrypted directories from one system to another. As long as you have the encryption passphrase, those encrypted directories can be seen as portable vaults of data.

Let’s get gocryptfs installed on Linux 20.04.


What you’ll need

The only things you’ll need to make this work are a running instance of Linux and a user with sudo privileges. 

How to install gocryptfs

Since gocryptfs is found in the standard repositories, you can install the tool with a single command. On an Ubuntu-based system that command is:

sudo apt-get install gocryptfs -y

If you’re using a Red Hat-based distribution, the command is:

sudo dnf install gocryptfs -y

How to create an encrypted directory

With gocryptfs installed, you can now create your first encrypted directory. Let’s create a new directory with the command:

mkdir data_vault

Initialize that new directory with the command:

gocryptfs --init data_vault

You will be prompted to create a password for the new directory. A new gocryptfs filesystem will be created within the directory and you will then be presented with a master key for that filesystem. That master key is used to decrypt the encrypted filesystem, should it become corrupt or you forget your decryption password. Save that key somewhere safe.

Now we’ll create a mount point for our new filesystem. Let’s create a directory named vault with the command:

mkdir vault

Mount the encrypted filesystem to the mount directory with the command:

gocryptfs data_vault vault

You will be prompted for the encryption password you created when you initialized the data_vault directory. Once you successfully authenticate, you’ll see that the file system is mounted and ready (Figure A).

Figure A

Our gocryptfs mounted filesystem is ready to use.


You can now add data to that directory. As you add files to the mounted vault directory, gocryptfs automatically writes them, encrypted, to the data_vault filesystem. Although files in the mounted directory are viewable, they are stored encrypted within the filesystem. Once you have all of the files added, unmount the directory with the command:

fusermount -u vault

At this point, nothing can be found in the vault directory and everything in data_vault is encrypted. To work with data_vault again, simply mount it to the vault directory, work with your files, and then unmount it again.
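
A check for the sealed state described above, as an added example that is not part of the original article: the function confirms that the mount point is unmounted and empty, that the encrypted directory holds the gocryptfs.conf file written at initialization, and that a known plaintext string cannot be read from the encrypted directory. The function name vault_sealed, the canary argument and the mounts-file argument are hypothetical; it assumes Linux, where active mounts are listed in /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the original article): confirm a gocryptfs vault is
# sealed after "fusermount -u". Assumes Linux, where mounts are in /proc/mounts.
# Usage: vault_sealed CIPHERDIR MOUNTPOINT [CANARY] [MOUNTS_FILE]
#   CANARY is a string you know occurs in one of your plaintext files.
vault_sealed() {
    cipher=$1
    mnt=$2
    canary=${3:-}
    mounts=${4:-/proc/mounts}

    # Resolve the mount point to the absolute path the kernel records.
    mnt_abs=$(cd "$mnt" 2>/dev/null && pwd -P) || {
        echo "FAIL: no such directory: $mnt"; return 1; }

    # 1. The plaintext view must no longer be mounted (field 2 = mount point).
    if awk -v m="$mnt_abs" '$2 == m { hit = 1 } END { exit !hit }' "$mounts"; then
        echo "FAIL: $mnt_abs is still mounted; run: fusermount -u $mnt"
        return 1
    fi

    # 2. An unmounted mount point must be empty. Anything here was written
    #    while the vault was not mounted and sits on disk unencrypted.
    if [ -n "$(ls -A "$mnt_abs")" ]; then
        echo "FAIL: unencrypted files found in $mnt_abs"
        return 1
    fi

    # 3. gocryptfs --init writes gocryptfs.conf into the encrypted directory.
    if [ ! -f "$cipher/gocryptfs.conf" ]; then
        echo "FAIL: $cipher has no gocryptfs.conf; was it initialized?"
        return 1
    fi

    # 4. A known plaintext string must not be readable in the stored files.
    if [ -n "$canary" ] && grep -rqF -- "$canary" "$cipher"; then
        echo "FAIL: canary string is readable inside $cipher"
        return 1
    fi

    echo "OK: $cipher is sealed and $mnt_abs is empty and unmounted"
}

# Run the check when called with arguments, e.g.: sh check.sh data_vault vault
if [ "$#" -ge 2 ]; then vault_sealed "$@"; fi
```

The second check catches the most common mistake with this workflow: copying files into vault while it is not mounted, which leaves them on disk in the clear.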

Simple and safe.

With gocryptfs you can easily seal your files and folders behind a solid layer of encryption. Give this security tool a try and see if it doesn’t become your go-to on your Linux servers and desktops.
