Tutorial
CryFS is very easy to use. Let us show you how.
Overview
CryFS encrypts your files so you can safely store them anywhere. It works well with popular cloud services like Dropbox, Google Drive, OneDrive, or any other service that syncs a local folder.
Unlike some other encryption tools, CryFS doesn't just encrypt the contents of your files—it also encrypts file names, file sizes, and the directory structure. This means that even if someone gains access to your cloud storage, they cannot see what files you have, how big they are, or how they're organized.
What you'll learn in this tutorial:
- How to install CryFS
- How to create and use a vault
- How to sync your vault with cloud storage
- Best practices for keeping your data secure
Prerequisites
Before starting, make sure you have:
- A Linux, macOS, or Windows computer
- Basic familiarity with using the command line
- (Optional) A cloud storage client installed if you want to sync encrypted files
CryFS runs on all major operating systems. On Linux and macOS, it uses FUSE (Filesystem in Userspace). On Windows, it uses Dokany or WinFsp.
Prefer a graphical interface? If you're not comfortable with the command line, there are GUI applications available:
- SiriKali (Linux, macOS) — A GUI application that supports CryFS along with other encryption tools. Provides a user-friendly way to create, mount, and manage encrypted vaults.
- Plasma Vault (KDE Plasma) — Built into the KDE Plasma desktop, Plasma Vault integrates CryFS directly into your system tray for easy access to encrypted vaults.
Install CryFS
See Download Instructions for installation packages and instructions for your operating system.
After installation, verify CryFS is working by checking its version:
$ cryfs --version
CryFS Version 1.0.3
Create a vault
To create a vault, run cryfs vaultdir mountdir where:
- vaultdir is where your encrypted data will be stored
- mountdir is where you'll access your unencrypted files
You can name these directories anything you like. If they don't exist, CryFS will offer to create them.
$ cryfs vaultdir mountdir
CryFS will ask you a few questions:
- Encryption settings: Press Enter to accept the default settings, which use secure, recommended values (XChaCha20-Poly1305 encryption).
- Password: Choose a strong, unique password. This password is the only way to access your data—if you forget it, your files cannot be recovered.
Tip: Use a password manager to generate and store a strong password. A good password should be at least 16 characters and include a mix of letters, numbers, and symbols.
Once configured, your vault is ready to use. The mountdir directory is a virtual directory provided by CryFS—files you place here are automatically encrypted and stored in vaultdir.
Using the vault
You can work with mountdir just like any normal folder. Add files, create subdirectories, edit documents—everything is automatically encrypted and stored in vaultdir.
Let's try it out. First, create a file and a directory:
$ cd mountdir
$ echo "My secret notes" > notes.txt
$ mkdir documents
Verify the file was created:
$ ls
documents notes.txt
$ cat notes.txt
My secret notes
Now look at what's stored in vaultdir—you'll see encrypted blocks instead of your actual files:
$ ls ../vaultdir
3A2 7F9 B4E cryfs.config [more encrypted blocks]
The file names, sizes, and directory structure are all hidden. An attacker looking at vaultdir would have no idea what's inside.
Unmounting and remounting
When you're done working with your files, unmount the vault:
$ cd ..
$ cryfs-unmount mountdir
After unmounting, mountdir will be empty—your data is safely locked away:
$ ls mountdir
[empty]
Your encrypted data remains in vaultdir. To access your files again, simply remount:
$ cryfs vaultdir mountdir
$ ls mountdir
documents notes.txt
$ cat mountdir/notes.txt
My secret notes
Using CryFS with cloud storage
CryFS was designed to work seamlessly with cloud storage services. By placing your vaultdir inside your cloud sync folder, your encrypted files are automatically uploaded and synced across devices.
This works with any cloud service that syncs a local folder, including:
- Dropbox
- Google Drive
- Microsoft OneDrive
- iCloud Drive
- Nextcloud
- Syncthing
- And many others
Setting up cloud sync
First, identify your cloud service's local sync folder. Common locations include:
- Dropbox: ~/Dropbox
- Google Drive: ~/Google Drive or ~/My Drive
- OneDrive: ~/OneDrive
- iCloud Drive (macOS): ~/Library/Mobile Documents/com~apple~CloudDocs
Then create your vault with vaultdir inside the sync folder:
$ cryfs ~/Dropbox/myvault mountdir
Important: Place only the vaultdir (encrypted data) in your cloud folder. Never place mountdir (unencrypted data) in a synced location, or your unencrypted files will be uploaded to the cloud.
Now everything you save to mountdir is encrypted and synced to your cloud storage automatically.
Accessing from multiple devices
To access your vault from another computer:
- Install CryFS and your cloud client on the second device
- Wait for your cloud service to completely sync the vault folder
- Run CryFS with the same paths:
$ cryfs ~/Dropbox/myvault mountdir
Enter your password, and you'll have access to all your files.
Warning: Never mount the same vault on two devices simultaneously. Always unmount CryFS on one device and wait for cloud sync to complete before mounting on another device. Concurrent access from multiple devices can corrupt your filesystem.
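The placement rules above (only vaultdir in the sync folder, a fully synced vault, an empty mountdir that is not already mounted) can be checked locally before each mount. The script below is an added example, not part of CryFS or of the original tutorial; SYNC_ROOTS and all function names are assumptions for illustration, and it cannot detect a mount on another device.

```shell
#!/bin/sh
# Added example: pre-mount checks for the rules stated in this tutorial.
# SYNC_ROOTS (colon-separated) is an assumption based on the common
# sync-folder locations listed above; override it for your own setup.
SYNC_ROOTS="${SYNC_ROOTS:-$HOME/Dropbox:$HOME/Google Drive:$HOME/My Drive:$HOME/OneDrive:$HOME/Library/Mobile Documents/com~apple~CloudDocs}"

# Physical absolute path of a directory (symlinks resolved); fails if missing.
abs_dir() { (CDPATH= cd -- "$1" 2>/dev/null && pwd -P); }

# Succeeds if directory $1 is a sync root or lies anywhere below one.
in_sync_folder() {
    dir=$(abs_dir "$1") || return 1
    old_ifs=$IFS; IFS=:
    for root in $SYNC_ROOTS; do
        IFS=$old_ifs
        root=$(abs_dir "$root") || continue
        case "$dir/" in "$root"/*) return 0 ;; esac
    done
    IFS=$old_ifs
    return 1
}

# Succeeds if something is already mounted on directory $1.
is_mounted() {
    dir=$(abs_dir "$1") || return 1
    mount 2>/dev/null | grep -qF " on $dir "
}

# Succeeds if $1 is a directory with no entries (hidden files count).
is_empty_dir() { [ -d "$1" ] && [ -z "$(ls -A "$1" 2>/dev/null)" ]; }

# Check an existing vault and its mount point. Prints each problem found
# and returns 0 only when it is safe to run: cryfs "$vault" "$mnt"
preflight() {
    vault=$1; mnt=$2; rc=0
    [ -f "$vault/cryfs.config" ] || { echo "no cryfs.config in $vault (sync incomplete?)"; rc=1; }
    [ -d "$mnt" ] || { echo "$mnt does not exist"; return 1; }
    if is_mounted "$mnt"; then echo "$mnt is already mounted"; return 1; fi
    is_empty_dir "$mnt" || { echo "$mnt is not empty"; rc=1; }
    if in_sync_folder "$mnt"; then
        echo "$mnt is inside a synced folder; plaintext would be uploaded"; rc=1
    fi
    return $rc
}

# Run the checks only when called with both directories as arguments.
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```

Because symlinks are resolved before comparison, a mountdir that is merely linked into the sync folder is also caught.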
Best practices
Follow these guidelines to keep your data secure:
Password security
- Use a strong, unique password (16+ characters recommended)
- Store your password in a password manager
- Never share your password or store it in plain text
Backup your configuration
The cryfs.config file in your vaultdir contains encryption parameters. While your password is the primary key, this file is needed to decrypt your data. If you use cloud storage, it's automatically backed up. Otherwise, consider keeping a separate backup.
Troubleshooting
"mountdir is not empty"
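CryFS requires an empty mount directory. Remove any files from mountdir before mounting. First make sure the vault is not currently mounted at mountdir, because deleting files from a mounted mountdir deletes them from the vault:
$ rm -rf mountdir/*
$ cryfs vaultdir mountdir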
"Wrong password" but you're sure it's correct
Password verification is case-sensitive. Check that Caps Lock isn't enabled and that your keyboard layout is correct.
Slow performance with large files
CryFS encrypts data in blocks, which can slow down operations on very large files. This is normal and ensures security. If your vault stores mostly large files, you can improve performance by increasing the block size when creating the vault (choose "No" when asked about default settings). However, larger block sizes waste more space when storing small files, so only increase it if you primarily work with large files.
Unmount fails with "device is busy"
Close all applications and terminals that might be accessing files in mountdir, then try again:
$ cd ~
$ cryfs-unmount mountdir
If unmount still fails, you can force it (use with caution):
$ fusermount -uz mountdir
For more help
- Check the comparison page for details on CryFS features
- Visit our GitHub repository to report issues or ask questions
Next steps
Now that you've set up CryFS, here are some ways to make the most of it:
- Automate mounting: Set up scripts to automatically mount your vaults at login
- Multiple vaults: Create separate vaults for different purposes (work, personal, etc.)
- Explore configuration options: Run cryfs --help to see advanced options for customizing encryption settings
$ cryfs --help
