{"id":15717645,"url":"https://github.com/nul-one/fusecry","last_synced_at":"2025-05-13T00:44:42.107Z","repository":{"id":57432685,"uuid":"99857436","full_name":"nul-one/fusecry","owner":"nul-one","description":"FUSE based AES-CBC encrypted filesystem and encryption tool","archived":false,"fork":false,"pushed_at":"2017-11-12T12:29:50.000Z","size":119,"stargazers_count":11,"open_issues_count":1,"forks_count":2,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-18T00:44:11.284Z","etag":null,"topics":["aes-encryption","decryption","encfs","encrypted-directories","encryption","file-encryption","file-encryption-python","filesystem","fuse","fuse-filesystem","linux","mac-osx","macosx","mount","python","python3","stream-encryption"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nul-one.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-08-09T22:21:39.000Z","updated_at":"2024-06-02T18:36:56.000Z","dependencies_parsed_at":"2022-09-17T03:51:23.725Z","dependency_job_id":null,"html_url":"https://github.com/nul-one/fusecry","commit_stats":null,"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nul-one%2Ffusecry","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nul-one%2Ffusecry/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nul-one%2Ffusecry/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nul-one%2Ffusecry/manifests","owner_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/owners/nul-one","download_url":"https://codeload.github.com/nul-one/fusecry/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253850875,"owners_count":21973671,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aes-encryption","decryption","encfs","encrypted-directories","encryption","file-encryption","file-encryption-python","filesystem","fuse","fuse-filesystem","linux","mac-osx","macosx","mount","python","python3","stream-encryption"],"created_at":"2024-10-03T21:50:53.206Z","updated_at":"2025-05-13T00:44:42.084Z","avatar_url":"https://github.com/nul-one.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\nfusecry \n==================================================\n[![Build Status](https://travis-ci.org/nul-one/fusecry.png)](https://travis-ci.org/nul-one/fusecry)\n[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/fusecry/Lobby)\n\nFUSE based AES encrypted filesystem and encryption tool\n\nrequirements\n-------------------------\n\n- Linux (kernel 2.6.14 or above) or OS X (10.11 or above)\n- python \u003e= 3.4\n    - ubuntu/debian: `sudo apt-get install python3 python3-dev`\n    - rhel/centos: `sudo yum install python3 python3-dev`\n- libfuse\n    - ubuntu/debian: `sudo apt-get install libfuse2 libfuse-dev`\n    - rhel/centos: `sudo yum install fuse fuse-devel`\n\ninstall\n-------------------------\n\n### install from pypi\n`pip3 install fusecry`  \n\n### install from github\n`pip3 install -U 
git+https://github.com/nul-one/fusecry.git`  \n\n### autocompletion\nIn addition, add the following to your `.bashrc` to enable autocompletion:  \n`eval \"$(register-python-argcomplete fusecry)\"`\n\nfeatures\n-------------------------\n\n- mount any subdirectory of encrypted structure\n- use password or RSA key\n- encrypt single files\n- encrypt streams\n- real time integrity check\n- filesystem check\n- detect local FS block size for best overall performance or set manually\n- encrypt file and directory names\n- encrypted files keep same directory structure\n- option to have file and path names encrypted\n\nusage\n-------------------------\n\n### mount/umount\n\n`fusecry mount SOURCE_DIR MOUNT_POINT [--key RSA_KEY_PATH] [-n]`  \n`fusecry umount MOUNT_POINT` or `fusermount -u MOUNT_POINT`  \nData copied to mount point will remain encrypted in source directory.  \nUse `-n` or `--encrypt-filenames` to also have file and directory names\nencrypted. This option is really needed only on the first mount when\nfusecry.conf file is being generated.  \n**Watch out**: if `-n` is used, actual file and directory names on disk will be\n60%+ longer than originals and thus some long names won't be valid! Check what\nmaximum filename and path length values are on your system.\n\n### mount subdirectory\n\n`fusecry mount SOURCE_DIR/subdir MOUNT_POINT --conf SOURCE_DIR/fusecry.conf [--key RSA_KEY_PATH]`\n\n### single file encryption\n\n`fusecry encrypt INPUT_FILE OUTPUT_FILE [-c FCRY_CONF_FILE] [--key PUB_OR_PVT_RSA_KEY_PATH]`  \n`fusecry decrypt INPUT_FILE OUTPUT_FILE [-c FCRY_CONF_FILE] [--key PVT_RSA_KEY_PATH]`  \n`FCRY_CONF_FILE` is stored in ROOT directory of existing FuseCry filesystem.  
\nIf you call the command without existing settings file, it will be created in\ncase of encryption or default will be used `INPUT_FILE.fcry` in case of\ndecryption.\n\n### stream encryption\n\n`\u003cDATA fusecry stream encrypt -c FCRY_CONF_FILE [--key PUB_OR_PVT_RSA_KEY_PATH]`  \n`\u003cDATA fusecry stream decrypt -c FCRY_CONF_FILE [--key PVT_RSA_KEY_PATH]`  \n\n### fsck\n\n`fusecry fsck ROOT [--key RSA_KEY_PATH]`  \nROOT is the source dir that is to be mounted. Make sure it is not mounted\nduring fsck or you might get false-positive errors detected.\n\n### info\n\nUse this to show info about encryption:  \n`fusecry info CONF` where `CONF` is the FuseCry config file or\n`fusecry info SOURCE_DIR` if `SOURCE_DIR` contains default-named config file\n`fusecry.conf`.\n\nFuseCry conf file\n-------------------------\n\nThis is a json file where FuseCry stores information about encryption for\nparticular ROOT or single encrypted file. It will default to `fusecry.conf`\nwhen mounting or `FILE_NAME.fusecry` when encrypting single file.  \n**Important**: Decryption won't work without this file, so it must not be lost.\nIt is safe to share this file, it won't help attackers in any way.  \nWhen mounting ROOT to MOUNTPOINT, this file will not be accessible (visible) on\nthe mountpoint side.\n\nhow does it work?\n-------------------------\n\n### encryption\n\n1. Raw files are split into chunks of N bytes (best speeds are achieved when N\nis equal to your local filesystem block size and defaults to 4096).\n2. Each chunk is encrypted with 256bit AES key and random IV.\n3. IV and encrypted chunk are hashed with HMAC SHA256 using SHA256 hash of AES\nkey as HMAC key.\n4. HMAC hash, IV and encrypted chunk data are stored in encrypted file.\n5. Repeat 2-4 for each chunk.\n6. Store file size as additional 8 bytes at the end of a file. This way there\nis no need of additional padding bytes for each chunk.\n\n### decryption\n\n1. Read HMAC hash and ciphertext of each block. 
Compare newly created HMAC hash\nwith recorded one and raise error if they don't match.\n2. Read IV and encrypted chunk data from ciphertext.\n3. Decrypt data using IV and AES key and store in decrypted file (or return as\nfile read output).\n4. Repeat 1-3 for each block.\n5. Read last 8 bytes of encrypted file to determine file size. Truncate raw\nfile to fit into this size (or truncate last read block before returning as\nfile read output).\n\n### file and directory name encryption\n\nRaw names are converted to bytes and zero padded and then encrypted as a\nsingle chunk with random IV for each file/dir. Output is then encrypted and\nencoded with base32 with `=` padding stripped from the end.  \nThere is no integrity check when decrypting file names.\n\nbackward compatibility\n-------------------------\n\nThere will be no backwards compatibility guarantee before version 1.0.0  \nMinor versions before version 1.0.0 are incompatible between each other (e.g.\nversion 0.**8**.0 and 0.**7**.0 are incompatible), while patch versions of the\nsame minor versions are compatible (e.g. 0.7.**1** and 0.7.**2**)  \nAfter 1.0.0 release, all future releases of the same major versions will have\nguaranteed backward and forward compatibility.\n\nknown limitations and deficiencies\n-------------------------\n\n- no options for AES keysize (has to be 256bit)\n- chunk size has to be a multiple of 16\n- no integrity check of file and directory names and structure\n- in case of encrypted file/dir names, whole directory structure is loaded in\nRAM\n\nfuture plans and missing features (in no particular order)\n-------------------------\n\n- dynamic directory structure loading for encrypted file/dir names to preserve\nRAM\n- \u003cstrike\u003eRAM file system option for fast file access\u003c/strike\u003e Not going to be\nimplemented. 
You can create ramfs and put encrypted data in it on your own.\nAlso, bottleneck seems to be CPU and not disk I/O (at least on SSD).\n- \u003cstrike\u003epassword change (bulk re-encryption)\u003c/strike\u003e Not going to be\nimplemented. You can mount additional empty FuseCry fs with new password and\nmove files over. Let's keep it simple.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnul-one%2Ffusecry","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnul-one%2Ffusecry","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnul-one%2Ffusecry/lists"}