File-based FUSE encrypted overlay filesystem — Go, open source, MIT.
© Jakob Unterwurzacher
Each file is encrypted independently — there is no container image to sync in full. Only the files you actually changed are re-uploaded. Cloud and backup tools work exactly as before, without knowing anything changed.
AES-256-GCM is the default, with XChaCha20-Poly1305 available as an alternative cipher. Keys are derived from your password with scrypt, making brute-force attacks computationally prohibitive.
A thorough security audit by defuse.ca was completed in March 2017 — no critical vulnerabilities were found. gocryptfs reached production-stable v1.0 in July 2016 after extensive real-world use.
Because encryption operates per-file, gocryptfs integrates naturally with Dropbox, iCloud, rsync, and any other storage backend. No special sync client needed — existing tools just work.
Benchmarks show 975 MB/s read and 375 MB/s write with hardware AES-NI acceleration. An optional OpenSSL backend squeezes out even more throughput. Encryption adds negligible overhead in practice.
gocryptfs applies EME wide-block encryption to filenames, combined with per-directory IVs. Your cloud provider cannot infer anything from directory listings — not even file counts or name patterns.
Empty files remain 0 bytes. Non-empty files carry only an 18-byte header plus 32 bytes per 4 KB data block. There is no vault overhead, no metadata database, and no proprietary container format.
4,400+ GitHub stars and active maintenance through v2.6.1 (August 2025). Packaged in Debian, Ubuntu, Arch Linux, and Fedora — no PPA or manual build required on mainstream distributions.
The reference implementation. Available in all major Linux distributions via the standard package manager. FUSE-based, command-line interface.
GitHub →Android app for browsing and managing gocryptfs (and CryFS) vaults. Open-source, no root required. Browse, view, and add files directly from your phone.
GitHub →Full-featured Windows port of gocryptfs written in C++. Uses Dokany for FUSE emulation. GUI + command-line. Interoperable with Linux and macOS volumes.
GitHub →gocryptfs on macOS, done right. Encrypted folders mount in Finder — no terminal, no configuration. Code-signed, Apple Silicon native, zero telemetry, free.
Learn more →