Provided by: cryfs_0.10.2-5_amd64

NAME

       cryfs - cryptographic filesystem for the cloud

SYNOPSIS

       cryfs [-c file] [-f] [options] basedir mountpoint [-- fuse-options]
       cryfs --help|--version|--show-ciphers

DESCRIPTION

       CryFS encrypts your files, so you can safely store them anywhere.

       The  goal  of  CryFS  is not only to keep file contents, but also file sizes, metadata and
       directory structure confidential.  CryFS uses encrypted same-size blocks to store both the
       files themselves and the blocks' relations to one another.  These blocks are stored as
       individual files in the base directory, which can then be synchronized with cloud services
       such as Dropbox.

       The  blocks  are  encrypted  using  a  random key, which is stored in a configuration file
       encrypted by the user's passphrase.  By default, it will be stored together with the  data
       in  the  base  directory, but you can choose a different location if you do not want it in
       your cloud or when using a weak passphrase.

USING CRYFS

   Selecting base and mount directories
       While you can access your files through your mount directory, CryFS actually  places  them
       in  your  base  directory after encrypting.  CryFS will encrypt and decrypt your files 'on
       the fly' as they are accessed, so files will never be stored on the  disk  in  unencrypted
       form.

       You  can  choose  any  empty  directory  as  your base, but your mount directory should be
       outside of any cloud storage, as your cloud may try to  sync  your  (temporarily  mounted)
       unencrypted files as well.
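
       The placement rules above (mount directory outside the synced folder, and, if you
       choose to keep it off the cloud, the configuration file as well) can be checked
       before mounting. This is an added example, not part of CryFS or of the original
       man page; the function names and the notion of a single SYNC_ROOT directory are
       assumptions.

```shell
#!/bin/sh
# Added example: preflight check for a CryFS directory layout.
# All function names here are hypothetical helpers, not CryFS features.

# Resolve a directory to its physical path, following symlinks.
real_dir() {
    (CDPATH= cd -- "$1" 2>/dev/null && pwd -P)
}

# Return 0 if directory $1 is $2 or lies below it, 1 if not, 2 on error.
is_within() {
    child=$(real_dir "$1") || return 2
    parent=$(real_dir "$2") || return 2
    case "${child%/}/" in
        "${parent%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# cryfs_preflight SYNC_ROOT BASEDIR MOUNTPOINT CONFIG
# Returns 0 if the layout is sound, otherwise a non-zero code and a
# reason on stderr. On success the caller can run:
#   cryfs -c "$CONFIG" "$BASEDIR" "$MOUNTPOINT"
cryfs_preflight() {
    sync_root=$1 basedir=$2 mountpoint=$3 config=$4
    config_dir=$(dirname -- "$config")

    for d in "$sync_root" "$basedir" "$mountpoint" "$config_dir"; do
        [ -d "$d" ] || { echo "not a directory: $d" >&2; return 2; }
    done

    # The mount directory shows plaintext while mounted, so it must not
    # sit inside the tree the cloud client synchronizes.
    if is_within "$mountpoint" "$sync_root"; then
        echo "mountpoint is inside the synced folder: $mountpoint" >&2
        return 3
    fi

    # Optional hardening from DESCRIPTION: keep the passphrase-encrypted
    # configuration file out of the cloud.
    if is_within "$config_dir" "$sync_root"; then
        echo "config file would be synced: $config" >&2
        return 4
    fi
    return 0
}
```

       Because paths are resolved physically, a mount directory that is a symlink into the
       synced folder is rejected as well.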

   Setup and usage of your encrypted directory
       Creating and mounting your encrypted storage use the same command-line syntax:
              cryfs basedir mountpoint

       If  CryFS  detects an encrypted storage in the given base directory, you will be asked for
       the passphrase to unlock and mount it. Otherwise, CryFS will help you with creating one;
       just follow the on-screen instructions.

       After  you  are  done  working  with  your  encrypted files, unmount your storage with the
       command
              fusermount -u mountpoint

   Changing your passphrase
       As the encryption key to your CryFS storage is stored in your configuration file, it would
       be  possible  to re-encrypt it using a different passphrase (although this feature has not
       been implemented yet).

       However, this does not change the actual encryption key of your storage, so  someone  with
       access  to the old passphrase and configuration file (for example through the file history
       of your cloud or your file system) could still access your files, even those created after
       the password change.

       For  this  reason,  the recommended way to change your passphrase is to create a new CryFS
       storage with the new passphrase and move your files from the old to the new one.

OPTIONS

   Getting help
       -h, --help
              Show a help message containing short descriptions for all options.

       --show-ciphers
              Show a list of all supported encryption ciphers.

       --version
              Show the CryFS version number.

   Encryption parameters
       --blocksize arg
              Set the block size to arg bytes. Defaults to 32768.

              A higher block size may help reduce the file count in your base directory
              (especially  when storing large files), but will also waste more space when storing
              smaller files.

       --cipher arg
              Use arg as the cipher for the encryption. Defaults to aes-256-gcm.

       -c file, --config file
              Use file as configuration file for this CryFS storage instead of
              basedir/cryfs.config.

   General options
       -f, --foreground
              Run CryFS in the foreground. Stop using CTRL-C.

       --allow-filesystem-upgrade
              Allow  upgrading the file system if it was created with an old CryFS version. After
              the upgrade, older CryFS versions might not be able to use the file system anymore.

       --allow-integrity-violations
              By default, CryFS checks for integrity violations, i.e. will notice if an adversary
              modified  or  rolled  back  the  file  system. Using this flag, you can disable the
              integrity checks. This can for example be helpful for loading an  old  snapshot  of
              your file system without CryFS thinking an adversary rolled it back.

       --allow-replaced-filesystem
              By  default,  CryFS  remembers  file systems it has seen in this base directory and
              checks that it didn't get replaced by an attacker with an entirely  different  file
              system  since  the  last time it was loaded. However, if you do want to replace the
              file system with an entirely new one, you can pass in this option  to  disable  the
              check.

       --missing-block-is-integrity-violation=true
              When CryFS encounters a missing ciphertext block, it cannot (yet) know if it
              was deleted by an unauthorized adversary or by a second authorized client. This  is
              one  of the restrictions of the integrity checks currently in place. You can enable
              this flag to treat missing ciphertext blocks as integrity violations, but then your
              file  system  will not be usable by multiple clients anymore. By default, this flag
              is disabled.

       --logfile file
              Write status information to file. If no logfile is given, CryFS will write it to
              syslog in background mode, or to stdout in foreground mode.

       --unmount-idle arg
              Unmount automatically after arg minutes of inactivity.

ENVIRONMENT

       CRYFS_FRONTEND=noninteractive
              With  this  option  set,  CryFS  will  only ask for the encryption passphrase once.
              Instead of asking the user for parameters not specified on  the  command  line,  it
              will  just  use  the  default  values.  CryFS will also not ask you to confirm your
              passphrase when creating a new CryFS storage.

              Set this environment variable when automating CryFS using external tools  or  shell
              scripts.

       CRYFS_NO_UPDATE_CHECK=true
              By   default,   CryFS  connects  to  the  internet  to  check  for  known  security
              vulnerabilities and new versions. This option disables this.

       CRYFS_LOCAL_STATE_DIR=[path]
              Sets the directory cryfs uses to store local state. This local  state  is  used  to
              recognize known file systems and run integrity checks (i.e. check that they haven't
              been modified by an attacker).  Default value: ${HOME}/.cryfs

SEE ALSO

       mount.fuse(1), fusermount(1)

       For more information about the design of CryFS, visit https://www.cryfs.org

       Visit the development repository at https://github.com/cryfs/cryfs for the source code and
       the full list of contributors to CryFS.

AUTHORS

       CryFS  was  created  by  Sebastian Messmer and contributors.  This man page was written by
       Maximilian Wende.

                                                                                         cryfs(1)