author | Andy Weidenbaum | 2016-12-13 08:41:11 -0800 |
---|---|---|
committer | Andy Weidenbaum | 2016-12-13 08:41:11 -0800 |
commit | 726ccfaa2da19bc8f429f6a348a5e4de8a89edc4 (patch) | |
tree | 900676798420589b259e9a6b0cf93841a2f2a77f /gocryptfs.1 | |
download | aur-726ccfaa2da19bc8f429f6a348a5e4de8a89edc4.tar.gz |
Initial import
Diffstat (limited to 'gocryptfs.1')
-rw-r--r-- | gocryptfs.1 | 242 |
1 files changed, 242 insertions, 0 deletions
diff --git a/gocryptfs.1 b/gocryptfs.1 new file mode 100644 index 000000000000..30ebd15ab857 --- /dev/null +++ b/gocryptfs.1 
@@ -0,0 +1,242 @@ +.\" Automatically generated by Pandoc 1.17.2 +.\" +.TH "GOCRYPTFS" "1" "May 2016" "" "" +.hy +.SH NAME +.PP +gocryptfs \- mount an encrypted directory +.SH SYNOPSIS +.SS Initialize encrypted filesystem +.PP +gocryptfs \-init [OPTIONS] CIPHERDIR +.SS Mount +.PP +gocryptfs [OPTIONS] CIPHERDIR MOUNTPOINT [\-o COMMA\-SEPARATED\-OPTIONS] +.SS Change password +.PP +gocryptfs \-passwd [OPTIONS] CIPHERDIR +.SH DESCRIPTION +.PP +Options: +.TP +.B \f[B]\-aessiv\f[] +Use the AES\-SIV encryption mode. +This is slower than GCM but is secure with deterministic nonces as used +in "\-reverse" mode. +.RS +.RE +.TP +.B \f[B]\-allow_other\f[] +By default, the Linux kernel prevents any other user (even root) to +access a mounted FUSE filesystem. +Settings this option allows access for other users, subject to file +permission checking. +Only works if user_allow_other is set in /etc/fuse.conf. +This option is equivalent to "allow_other" plus "default_permissions" +described in fuse(8). +.RS +.RE +.TP +.B \f[B]\-config string\f[] +Use specified config file instead of CIPHERDIR/gocryptfs.conf +.RS +.RE +.TP +.B \f[B]\-cpuprofile string\f[] +Write cpu profile to specified file +.RS +.RE +.TP +.B \f[B]\-d, \-debug\f[] +Enable debug output +.RS +.RE +.TP +.B \f[B]\-extpass string\f[] +Use an external program (like ssh\-askpass) for the password prompt. +The program should return the password on stdout, a trailing newline is +stripped by gocryptfs. +Using something like "cat /mypassword.txt" allows to mount the gocryptfs +filesytem without user interaction. +.RS +.RE +.TP +.B \f[B]\-f\f[] +Stay in the foreground instead of forking away. +Implies "\-nosyslog". +.RS +.RE +.TP +.B \f[B]\-fusedebug\f[] +Enable fuse library debug output +.RS +.RE +.TP +.B \f[B]\-init\f[] +Initialize encrypted directory +.RS +.RE +.TP +.B \f[B]\-ko\f[] +Pass additonal mount options to the kernel (comma\-separated list). +FUSE filesystems are mounted with "nodev,nosuid" by default. 
+If gocryptfs runs as root, you can enable device files by passing the +opposite mount option, "dev", and if you want to enable suid\-binaries, +pass "suid". +"ro" (equivalent to passing the "\-ro" option) and "noexec" may also be +interesting. +For a complete list see the section +\f[C]FILESYSTEM\-INDEPENDENT\ MOUNT\ OPTIONS\f[] in mount(8). +.RS +.RE +.TP +.B \f[B]\-longnames\f[] +Store names longer than 176 bytes in extra files (default true) This +flag is useful when recovering old gocryptfs filesystems using +"\-masterkey". +It is ignored (stays at the default) otherwise. +.RS +.RE +.TP +.B \f[B]\-masterkey string\f[] +Use a explicit master key specified on the command line. +This option can be used to mount a gocryptfs filesystem without a config +file. +Note that the command line, and with it the master key, is visible to +anybody on the machine who can execute "ps \-auxwww". +This is meant as a recovery option for emergencies, such as if you have +forgotten your password. +.RS +.PP +Example master key: +6f717d8b\-6b5f8e8a\-fd0aa206\-778ec093\-62c5669b\-abd229cd\-241e00cd\-b4d6713d +.RE +.TP +.B \f[B]\-memprofile string\f[] +Write memory profile to specified file. +This is useful when debugging memory usage of gocryptfs. +.RS +.RE +.TP +.B \f[B]\-nonempty\f[] +Allow mounting over non\-empty directories. +FUSE by default disallows this to prevent accidential shadowing of +files. +.RS +.RE +.TP +.B \f[B]\-nosyslog\f[] +Diagnostic messages are normally redirected to syslog once gocryptfs +daemonizes. +This option disables the redirection and messages will continue be +printed to stdout and stderr. +.RS +.RE +.TP +.B \f[B]\-notifypid int\f[] +Send USR1 to the specified process after successful mount. +This is used internally for daemonization. +.RS +.RE +.TP +.B \f[B]\-openssl bool/"auto"\f[] +Use OpenSSL instead of built\-in Go crypto (default "auto"). +Using built\-in crypto is 4x slower unless your CPU has AES instructions +and you are using Go 1.6+. 
+In mode "auto", gocrypts chooses the faster option. +.RS +.RE +.TP +.B \f[B]\-passfile string\f[] +Read password from the specified file. +This is a shortcut for specifying "\-extpass /bin/cat FILE". +.RS +.RE +.TP +.B \f[B]\-passwd\f[] +Change the password. +Will ask for the old password, check if it is correct, and ask for a new +one. +.RS +.PP +This can be used together with \f[C]\-masterkey\f[] if you forgot the +password but know the master key. +Note that without the old password, gocryptfs cannot tell if the master +key is correct and will overwrite the old one without mercy. +It will, however, create a backup copy of the old config file as +\f[C]gocryptfs.conf.bak\f[]. +Delete it after you have verified that you can access your files with +the new password. +.RE +.TP +.B \f[B]\-plaintextnames\f[] +Do not encrypt file names and symlink targets +.RS +.RE +.TP +.B \f[B]\-q, \-quiet\f[] +Quiet \- silence informational messages +.RS +.RE +.TP +.B \f[B]\-reverse\f[] +Reverse mode shows a read\-only encrypted view of a plaintext directory. +Implies "\-aessiv". +.RS +.RE +.TP +.B \f[B]\-ro\f[] +Mount the filesystem read\-only +.RS +.RE +.TP +.B \f[B]\-scryptn int\f[] +scrypt cost parameter logN. +Setting this to a lower value speeds up mounting but makes the password +susceptible to brute\-force attacks (default 16) +.RS +.RE +.TP +.B \f[B]\-version\f[] +Print version and exit. +The output contains three fields seperated by ";". +Example: "gocryptfs v0.12\-2; go\-fuse a4c968c; go1.6.2". +Field 1 is the gocryptfs version, field 2 is the version of the go\-fuse +library, field 3 is the Go version that was used to compile the binary. +.RS +.RE +.TP +.B \f[B]\-wpanic\f[] +When encountering a warning, panic and exit immediately. +This is useful in regression testing. +.RS +.RE +.TP +.B \f[B]\-zerokey\f[] +Use all\-zero dummy master key. +This options is only intended for automated testing as it does not +provide any security. 
+.RS +.RE +.PP +Comma\-Separated\-Options: +.PP +For compatability with mount(1), options are also accepted as "\-o +COMMA\-SEPARATED\-OPTIONS" at the end of the command line. +For example, "\-o q,zerokey" is equivalent to "\-q \-zerokey". +.SH EXAMPLES +.PP +Create and mount an encrypted filesystem: +.PP +mkdir /tmp/g1 /tmp/g2 +.PP +gocryptfs \-init /tmp/g1 +.PD 0 +.P +.PD +gocryptfs /tmp/g1 /tmp/g2 +.SH SEE ALSO +.PP +fuse(8) +.SH AUTHORS +github.com/rfjakob. |
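Review bot: gocryptfs.1 is committed as rendered output (its first line reads "Automatically generated by Pandoc 1.17.2" and the .TH date is "May 2016"), so this 242-line copy will drift from the manual it was generated from; consider generating it from the upstream source when the package is built instead of checking in the rendered file. If the file stays, the typos in the option text should be fixed at the source rather than in this copy: "Settings this option" under -allow_other, "filesytem" under -extpass, "additonal" under -ko, "accidential" under -nonempty, "gocrypts" under -openssl, "seperated" under -version, "This options" under -zerokey and "compatability" in the Comma-Separated-Options paragraph; the -longnames entry is also missing a full stop after "(default true)". On the documentation itself, -masterkey warns that the key is visible to anyone who can run "ps -auxwww", but -passfile and the -extpass example "cat /mypassword.txt" carry no matching note about restricting who can read the password file, which is worth adding next to those entries.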