This repository provides pure Python commandline tools that can be used in
conjunction with gocryptfs, an encrypted overlay filesystem written in Go.
All programs are standalone applications, and only require few Python
dependencies to run.
For cryptographic functions, the pycryptodome dependency is required. Use
one of the following commands to install it:
sudo apt install python3-pycryptodome
# - or alternatively -
sudo pip3 install pycryptodomegocryptfs.py is a reimplementation of the gocryptfs crypto in Python. It is
not meant to replace the original software, and only serves as a reference
implementation for the crypto involved.
At the time of writing it can decrypt config files and cipher text files, both
in AES-GCM and AES-SIV mode. Just run./gocryptfs.py --help to see a list
of available options:
usage: gocryptfs.py [-h] [--aessiv] [--masterkey MASTERKEY]
[--password PASSWORD] [--config CONFIG]
filename
Decrypt individual file from a gocryptfs volume
positional arguments:
filename Location of the file to decrypt
optional arguments:
-h, --help show this help message and exit
--aessiv AES-SIV encryption
--masterkey MASTERKEY
Masterkey as hex string representation
--password PASSWORD Password to unlock config file
--config CONFIG Path to gocryptfs.conf configuration fileThe most common use-case (decrypting a single file) works like this:
./gocryptfs.py mGj2_hdnHe34Sp0iIQUwuwgocryptfs.py will automatically search for the gocryptfs.conf file, and
ask the user for a password to unlock the config. To skip the automatic
search, it is also possible to specify the path to the gocryptfs.conf file
using the --config=... commandline option.
If the config file is corrupted or the password was lost, the --masterkey
option is the last resort to rescue your data. Usage with gocryptfs.py
works as follows:
./gocryptfs.py --masterkey=fd890dab-... [--aessiv] mGj2_hdnHe34Sp0iIQUwuwThe --aessiv switch is necessary when AES-SIV encryption mode is used.
This is especially the case for reverse mode.
Note: At the time of writing, gocryptfs.py does not support
decrypting filenames yet.
gocryptfs-deobfuscate.py automatically replaces cipher text filenames like
mGj2_hdnHe34Sp0iIQUwuw in standard input (stdin) with their corresponding
plain text filenames. This is especially useful for reading the output of
programs operating on the cipher directory.
The usage is as follows:
usage: gocryptfs-deobfuscate.py [-h] ctlsock
Deobfuscate program output by decrypting filenames
positional arguments:
ctlsock Path to the control socket
optional arguments:
-h, --help show this help message and exitJust pass the content as input (stdin), and provide the control unix socket
(see gocryptfs -ctlsock ...) of gocryptfs as parameter, e.g.,
cat error.log | ./gocryptfs-deobfuscate.py /root/gocryptfs/ctlsockYou should now see the deobfuscated output on stdout, with all encrypted
filenames translated back to plaintext. Virtual files (i.e., files that only
exist in the encrypted version) are displayed in <...> brackets, e.g.,
<gocryptfs.conf>
directory/<gocryptfs.diriv>
directory/long[...]name.txt/<name>Note: In some situations, decrypting a filename might fail, if the
underlying directory content has changed in the meantime. This applies to
gocryptfs.longname. files, or to deleted directories in forward mode, for
example. Also, it might be possible that very long words (22+ characters) are
misinterpreted as encrypted filenames. Most of the time it seems to work pretty
well though.