Gocryptfs: Is decoding for the xray tool still planned?

I think the conclusion was just that you cannot do it with the "openssl" command line tool.

Do you have a use case for decryption without FUSE?

Do you have a use case for decryption without FUSE?

Perhaps a bad one :). Confidence and longevity.

I want a simple backup solution for some data. I don't really want to get involved in a large complicated backup system doing various forms of data manipulation to save time. I have some relatively cold data, for example old photos, that I occasionally add to. I want to be able to encrypt them and rsync them out to a cloud provider.

If, in N years, when I need a photo FUSE is no longer a thing, I'd like to be able to still get to my data.

A lot of good work has gone into the description of how the data is encoded, however I am not a cryptographer and don't even read in the area for a hobby. A working example, in a language like go that is both understandable and likely to have a fairly long shelf life, is worth a ton, even if I have to reimplement it in N years in something else.

It sounds like with this theoretical tool, I could pull my data back from the cloud, retype the 400 bytes of conf file from my paper backup (longetivity), provide my passphrase and be back in business. Is this right?

I don't think you have to worry about all three of

• gocryptfs on Linux (via FUSE)
• gocryptfs on MacOS (via OSXFUSE)
• cppcryptfs on Windows (via Dokany)

disappearing into the void.

Heck I don't even think you have to worry about gocryptfs on Linux. Download a static amd64 build ( https://github.com/rfjakob/gocryptfs/releases ) and save it with the data. It'll just run ten or twenty years from now.

If the gocryptfs-xray tool gets a decryption function, it'll be fairly limited. For example, it will NOT parse the config file. You'll have to pass the master key and all non-default options on the command line. And it will only decrypt single files (one could automate that with a bash script, though).

Thanks for the update. I am going to close the ticket, but I still think even a rudimentary xraytool as described above has value.

I am not really concerned about the future of FUSE, but I think it is still very useful to have a small set of command line utilities for disaster recovery. The cppcryptfs project might not be suitable for Linux/macOS users, and both other options rely on a working gocryptfs build. Of course it is unlikely that gocryptfs breaks in a critical way, but having multiple options reduces the risk of having to wait for compatibility patches.

I decided to give it a try and wrote a small tool for file decryption in Python. So far it is still very basic - you just give it the master key and encrypted file (GCM or SIV), and it will print the decrypted file content to stdout. All remaining features (for example, decryption of filenames or config files) are still missing. I'm not sure if I have enough time to implement the rest, but I decided to share the prototype anyway. The current source is at https://github.com/fds-team/gocryptfs-inspect/.

Nice, and impressive how few lines you needed in python. I you want, you could push it to gocryptfs/contrib .

Thanks for the offer! Good to know that you are fine with having such scripts in your repository. Before merging them, I would suggest to wait a bit more until the remaining features have been implemented and everything has been tested a bit better.

Of course, as you prefer!

@slackner tried for some time to find https://github.com/slackner/gocryptfs-inspect again - I remembered that it existed, but it was hard to find! Have you blocked Google from indexing the Github project or something?

Searching for "gocryptfs Inspection Tools" (literally the heading on Github) gives me

No results found for "gocryptfs Inspection Tools"

Same for combinations of slackner / gocryptfs / python. I'm confused what is going on here.

@rfjakob No, at least not intentional. Thanks for adding it to your README. Maybe your link helps the Google crawler to find it :+1: