Setting up GocryptFS with cloud storage
1. Installing the required packages
Install openssl:
paru -S openssl
Install the Yandex.Disk client (if you use it):
paru -S aur/yandex-disk --noconfirm
(Optional) Install Russian man pages:
paru -S man-pages-ru
2. Configuring Yandex.Disk
2.1. Initializing Yandex.Disk
Run the Yandex.Disk setup:
yandex-disk setup
Follow the on-screen instructions to authorize and choose a sync directory (e.g. ~/Yandex.Disk).
2.2. Starting synchronization
Start syncing with the cloud:
yandex-disk start
Now your ~/Yandex.Disk directory will sync with Yandex.Disk.
3. Creating the encrypted filesystem
Create two folders:
- Data — for storing encrypted data (will sync with the cloud).
- GoCryptFS — for accessing decrypted data.
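mkdir -p ~/Yandex.Disk/Data ~/GoCryptFS
Initialize gocryptfs (options must come before the directory):
gocryptfs -init -plaintextnames ~/Yandex.Disk/Data
You’ll be prompted for a password. Remember it; it cannot be recovered.
Note that -plaintextnames disables file name encryption: file contents are encrypted, but file and directory names are stored as-is in the synced folder.
After initialization a config file will appear:
~/Yandex.Disk/Data/gocryptfs.conf
5. Using a symlink for .ssh (example using Yandex.Disk)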
Move the .ssh folder into the encrypted GoCryptFS folder (it must be mounted, otherwise the keys land unencrypted in the plain local directory):
mv ~/.ssh ~/GoCryptFS/
Create a symlink:
ln -s ~/GoCryptFS/.ssh ~/.ssh
Set the permissions:
chmod 600 ~/.ssh/*
chmod 644 ~/.ssh/*.pub
chmod 700 ~/.ssh
6. Unmounting GoCryptFS
After you’re done working with the encrypted data, unmount GoCryptFS:
fusermount -u ~/GoCryptFS
7. Automation (optional)
Create a script to automatically mount GoCryptFS:
Script mount_gocryptfs.sh:
#!/bin/bash
set -euo pipefail
ENCRYPTED_DIR="$HOME/Yandex.Disk/Data"
MOUNT_POINT="$HOME/GoCryptFS"

# Mounting
if ! mountpoint -q "$MOUNT_POINT"; then
    echo "Enter the gocryptfs password:"
    gocryptfs "$ENCRYPTED_DIR" "$MOUNT_POINT"
    echo "[+] gocryptfs mounted at $MOUNT_POINT"
else
    echo "[i] Already mounted: $MOUNT_POINT"
fi

# Symlinks
declare -A LINKS=(
    [".ssh"]="$MOUNT_POINT/.ssh"
    ["KeeP"]="$MOUNT_POINT/KeeP"
    ["Work"]="$MOUNT_POINT/Work"
    #["PyCharmMiscProject"]="$MOUNT_POINT/PyCharmMiscProject"
    #["GoLand"]="$MOUNT_POINT/GoLand"
)
for NAME in "${!LINKS[@]}"; do
    TARGET="${LINKS[$NAME]}"
    LINK="$HOME/$NAME"
    if [ ! -e "$TARGET" ]; then
        echo "[!] Target does not exist: $TARGET — skipping"
        continue
    fi
    if [ ! -L "$LINK" ]; then
        # Back up if a real folder/file exists
        [ -e "$LINK" ] && mv "$LINK" "${LINK}.bak.$(date +%s)"
        ln -s "$TARGET" "$LINK"
        echo "[+] Created link: $LINK -> $TARGET"
    fi
done

# Permissions
[ -L "$HOME/.ssh" ] && chmod 700 "$MOUNT_POINT/.ssh"
[ -L "$HOME/.ssh" ] && chmod 600 "$MOUNT_POINT/.ssh/"* 2>/dev/null || true
[ -L "$HOME/.ssh" ] && chmod 644 "$MOUNT_POINT/.ssh/"*.pub 2>/dev/null || true
[ -L "$HOME/KeeP" ] && chmod 700 "$MOUNT_POINT/KeeP"
echo "[+] Done"
Make the script executable:
chmod +x mount_gocryptfs.sh
Create a script to automatically unmount GoCryptFS:
Script unmount_gocryptfs.sh:
#!/bin/bash
# Unmounting GoCryptFS
set -euo pipefail
MOUNT_POINT="$HOME/GoCryptFS"

if mountpoint -q "$MOUNT_POINT"; then
    # "|| true" keeps set -e from aborting here, so the fallback below can run
    fusermount -u "$MOUNT_POINT" || true
    if mountpoint -q "$MOUNT_POINT"; then
        # Force (lazy) unmount if it's stuck
        fusermount -uz "$MOUNT_POINT" || true
        sleep 1
    fi
    if ! mountpoint -q "$MOUNT_POINT"; then
        echo "[+] GoCryptFS unmounted"
    else
        echo "[!] Error: failed to unmount $MOUNT_POINT"
        echo " Try: sudo fusermount -uz $MOUNT_POINT"
        exit 1
    fi
else
    echo "[i] Not mounted: $MOUNT_POINT"
fi
Make the script executable:
chmod +x unmount_gocryptfs.sh
8. Useful commands
View the gocryptfs documentation:
man gocryptfs
Quick GoCryptFS reference:
gocryptfs --help
Summary
- Encrypted folder: ~/Yandex.Disk/Data.
- Data access folder: ~/GoCryptFS.
- Config file is encrypted with OpenSSL and stored in the cloud.
- The .ssh folder is stored in the encrypted folder and accessed via a symlink.
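
The symlink and permission steps from section 5 can be verified after each mount. The check below is an added example, not part of the original guide; the function names and report format are this example's own, and it assumes GNU stat and readlink.

```bash
#!/bin/bash
# Added example: audit the ~/.ssh symlink and key permissions from section 5.
# Function names and the report format are assumptions of this example.

# link_inside LINK ROOT: succeed only if LINK is a symlink resolving under ROOT.
link_inside() {
    local link="$1" root target
    [ -L "$link" ] || return 1
    root="$(readlink -f -- "$2")" || return 1
    target="$(readlink -f -- "$link")" || return 1
    case "$target" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# audit_ssh_perms DIR: print every entry whose mode differs from the guide's
# scheme (700 directory, 644 *.pub, 600 every other file); return 1 if any.
audit_ssh_perms() {
    local dir="$1" bad=0 f want mode
    mode="$(stat -c %a -- "$dir")" || return 2
    [ "$mode" = 700 ] || { echo "$dir: mode $mode, want 700"; bad=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and empty globs
        case "$f" in
            *.pub) want=644 ;;
            *)     want=600 ;;
        esac
        mode="$(stat -c %a -- "$f")"
        [ "$mode" = "$want" ] || { echo "$f: mode $mode, want $want"; bad=1; }
    done
    return "$bad"
}

# check_ssh_setup [MOUNT_POINT]: full check against the live mount.
check_ssh_setup() {
    local mp="${1:-$HOME/GoCryptFS}"
    mountpoint -q "$mp" || { echo "$mp is not mounted"; return 1; }
    link_inside "$HOME/.ssh" "$mp" \
        || { echo "$HOME/.ssh does not point into $mp"; return 1; }
    audit_ssh_perms "$mp/.ssh"
}
```

Call check_ssh_setup after mounting; a non-zero exit status means the mount, the symlink or a file mode is not what section 5 sets up. Hidden files inside the directory are not inspected.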