CryFS 2.0-alpha is experimental software. You WILL lose your data. Do not use it for anything important.
For stable CryFS, please use CryFS 1.0. You can find installation instructions for the stable version here.
CryFS 2.0 is in an alpha stage that has not undergone extensive testing. Use it only for testing purposes and please report any issues in the GitHub issue tracker.
CryFS encrypts your files so you can safely store them in cloud storage services like Dropbox, iCloud, or OneDrive. Unlike other encryption tools that encrypt files individually, CryFS encrypts your files in a way that also hides file sizes, directory structure, and metadata, providing a higher level of security.
Learn more at https://www.cryfs.org
CryFS 2.0 is a complete rewrite from scratch in Rust, bringing improved memory safety. This version is currently in alpha and represents a major evolution of the project.
To ensure compatiblity with CryFS 1.0, CryFS 2.0 does not add any features that would make the filesystem incompatible with Cryfs 1.0. New breaking changes are planned for future versions after CryFS 2.0 is stable. However, there are a few minor differences between CryFS 1.0 and 2.0.
New Features:
- Configurable scrypt parameters when creating new file systems
- Updated default scrypt parameters for better security
- Human-readable duration format for
--unmount-idle(e.g.,5m,1h30m) - More explicit units for
--blocksize(e.g.,16KiB) - More flexible logging with
--logargument (e.g.,--log file:/path/to/file.log)
Breaking Changes:
- Command line options have changed (see Command Line Changes below)
- Limited cipher support: only XChaCha20 and AES are available
- Reduced platform support: only Linux is currently supported
| Platform | Status |
|---|---|
| Linux | âś… Working |
| macOS | âť“ Untested (may or may not work) |
| Windows | ❌ Not yet supported |
File systems are fully forward and backward compatible between CryFS 1.0 and 2.0, with important caveats:
âś… Compatible:
- File systems created with XChaCha20 cipher (the default in 1.0 and 2.0)
- File systems created with AES-256-GCM cipher
- Integrity checks using block versioning are fully compatible
- Local state files: The filesystem ID verification (protection against filesystem replacement attacks) uses separate local state files in 1.0 vs 2.0. Both versions perform this check, but they don't sync with each other.
❌ Incompatible:
- File systems created with other ciphers (e.g., Twofish, Serpent) are not accessible in CryFS 2.0
- There are no plans to add all ciphers from CryFS 1.0 to the Rust version because many are outdated and don't have an implementaton that can be called from Rust easily.
The following command line arguments have changed:
| 1.0 Syntax | 2.0 Syntax | Notes |
|---|---|---|
--unmount-idle 10 |
--unmount-idle 10m |
Now requires unit: 5m, 1h30m, etc. |
--blocksize 16384 |
--blocksize 16KiB |
Now requires unit: 16KiB, 1MiB, etc. |
--logfile /path/to/file.log |
--log file:/path/to/file.log |
More generic logging format |
cryfs basedir mountdir -- -o allow_other |
cryfs basedir mountdir -o allow_other |
Double-dash syntax removed |
The list of supported FUSE options that can be passed in with -o is now limited to options that are known to work well with CryFS. See cryfs --help for the complete list.
Prerequisites:
- Rust toolchain (install from rustup.rs)
- Build dependencies
- Ubuntu/Debian:
sudo apt install build-essential pkg-config libssl-dev - Fedora:
sudo dnf install fuse3-devel - Arch:
sudo pacman -S fuse3
- Ubuntu/Debian:
Build and Install:
git clone https://github.com/cryfs/cryfs
cd cryfs
cargo build --release
sudo cp target/release/cryfs /usr/local/bin/Not yet tested. May work if you have macFUSE installed, but no guarantees.
Windows support is not yet available in CryFS 2.0.
cryfs /path/to/encrypted/storage /path/to/mountpointYou'll be prompted to create a password. CryFS will create its encrypted storage in the first directory and mount the decrypted filesystem at the mountpoint.
Use the same command:
cryfs /path/to/encrypted/storage /path/to/mountpointYou'll be prompted for your password.
fusermount -u /path/to/mountpointOr on macOS:
umount /path/to/mountpoint# Auto-unmount after 30 minutes of inactivity
cryfs /path/to/encrypted /path/to/mount --unmount-idle 30m
# Allow other users to access the filesystem
cryfs /path/to/encrypted /path/to/mount -o allow_other
# Log to a file
cryfs /path/to/encrypted /path/to/mount --log file:/tmp/cryfs.log
# Show all available options
cryfs --helpCryFS can be used through GUI applications:
- SiriKali
- Plasma Vault (included in KDE Plasma 5.11+)
Note: GUI compatibility with CryFS 2.0 has not been tested yet.
CryFS 2.0-alpha is currently slower than 1.0 due to lack of optimizations. Performance improvements are planned for future releases.
As alpha software, expect bugs and potential data loss. Known risks include:
- Filesystem corruption if the process is interrupted during writes
- Data loss if the disk runs out of space during write operations
- Corruption if the filesystem is accessed from multiple devices simultaneously without proper synchronization
There is currently no filesystem recovery tool for corrupted CryFS filesystems. Back up your data regularly.
If your password is compromised, creating a new filesystem and migrating your data is strongly recommended, as CryFS does not support secure password rotation.
CryFS 2.0 supports:
- XChaCha20-Poly1305 (default, recommended)
- AES-256-GCM
XChaCha20 is the recommended cipher for new filesystems due to its strong security properties and performance characteristics.
CryFS 2.0 allows you to configure scrypt parameters when creating a new filesystem, allowing you to adjust the time/memory tradeoffs for password derivation based on your security needs.
Larger parameters are more secure but mean the filesystem will be slower to mount, and devices with low memory might not be able to open it at all. There is no performance impact on filesystem operations after it was mounted, only the initial mounting is affected.
If you want to use a filesystem from devices with very low memory, lowering the scrypt parameters can help.
Contributions are welcome! Please:
- Check the issue tracker for known bugs and feature requests
- Test CryFS 2.0 and report any bugs you find
- Submit pull requests with improvements
Since this is alpha software, testing and bug reports are especially valuable.
CryFS is licensed under the LGPL v3. See the LICENSE file for details.
- Website: https://www.cryfs.org
- GitHub: https://github.com/cryfs/cryfs
- Issue Tracker: https://github.com/cryfs/cryfs/issues
- CryFS 1.0 (stable): https://github.com/cryfs/cryfs/tree/release/1.0