# Gocryptfs Encrypted Vaults

## Overview

Gocryptfs provides encrypted directory overlays for sensitive data that doesn't belong in git-tracked secrets or gopass. It uses AES-256-GCM encryption with scrypt key derivation.
## Vault Locations

| Vault | Mount Point | Contents |
|---|---|---|
| credentials | `~/atelier/_vaults/mounted/credentials/` | API keys, service accounts, tokens |
| work-sensitive | `~/atelier/_vaults/mounted/work-sensitive/` | Work-related sensitive documents |
| network-configs | `~/atelier/_vaults/mounted/network-configs/` | Network device configurations |
| personal | `~/atelier/_vaults/mounted/personal/` | Personal sensitive documents |

Encrypted storage: `~/atelier/_vaults/encrypted/<vault-name>/`
## Directory Structure

```text
~/atelier/_vaults/
├── encrypted/           # Encrypted ciphertext (safe to backup)
│   ├── credentials/
│   │   ├── gocryptfs.conf
│   │   └── gocryptfs.diriv
│   ├── work-sensitive/
│   ├── network-configs/
│   └── personal/
└── mounted/             # Decrypted plaintext (when mounted)
    ├── credentials/
    ├── work-sensitive/
    ├── network-configs/
    └── personal/
```
## Security Model

## Backup Considerations
## Recovery Procedure

### Restore Encrypted Vault

Step 1: Restore encrypted directory from backup

```bash
rsync -av /mnt/backup/vaults/encrypted/credentials/ \
  ~/atelier/_vaults/encrypted/credentials/
```

Step 2: Create mount point

```bash
mkdir -p ~/atelier/_vaults/mounted/credentials
```

Step 3: Get passphrase from gopass

```bash
gopass show ARCANA/storage/gocryptfs-credentials
```

Step 4: Mount vault

```bash
vault mount credentials
```
## Initial Setup (One-Time)

### Create New Vault

Step 1: Create directories

```bash
mkdir -p ~/atelier/_vaults/encrypted/newvault
mkdir -p ~/atelier/_vaults/mounted/newvault
```

Step 2: Initialize encrypted filesystem

```bash
gocryptfs -init ~/atelier/_vaults/encrypted/newvault
```

Step 3: Store passphrase in gopass

```bash
gopass insert ARCANA/storage/gocryptfs-newvault
```

Step 4: Add to vault script

```bash
# Edit ~/.local/bin/vault or equivalent to include new vault
```
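Both procedures above rely on a `vault` wrapper script that is not shown on this page. The script below is an added example of what such a wrapper can look like, written for this page and not the original `~/.local/bin/vault`. It takes the directory layout and the `ARCANA/storage/gocryptfs-<vault>` gopass naming from the page; everything else is an assumption: the allow-list of vault names (`KNOWN_VAULTS`, which is where setup step 4 adds a new vault), fetching the passphrase through `gocryptfs -extpass` and `gopass show -o` so it never appears on a command line, a 15-minute idle auto-unmount via `-i 15m`, and the Linux `mountpoint` and `fusermount` tools. It also checks that the ciphertext directory actually contains `gocryptfs.conf` and `gocryptfs.diriv` before trying to mount, which is the first thing to verify after a restore from backup.

```sh
#!/bin/sh
# vault: mount, unmount and list the gocryptfs vaults described on this page.
# Added example script (not the page's own ~/.local/bin/vault). The directory
# layout and the gopass prefix ARCANA/storage/gocryptfs-<vault> come from the
# page; the allow-list, -extpass/-i usage and tool choices are assumptions.
set -u

VAULT_ROOT="${VAULT_ROOT:-${HOME:-.}/atelier/_vaults}"
GOPASS_PREFIX="${GOPASS_PREFIX:-ARCANA/storage/gocryptfs}"
# Allow-list of vault names; a new vault is added here (setup step 4).
KNOWN_VAULTS="credentials work-sensitive network-configs personal"

# Succeeds only for a listed vault name, so an argument such as "../etc"
# can never be turned into a path under VAULT_ROOT.
vault_is_known() {
    for v in $KNOWN_VAULTS; do
        [ "$1" = "$v" ] && return 0
    done
    echo "vault: unknown vault '$1' (known: $KNOWN_VAULTS)" >&2
    return 1
}

vault_cipherdir()  { vault_is_known "$1" && echo "$VAULT_ROOT/encrypted/$1"; }
vault_mountpoint() { vault_is_known "$1" && echo "$VAULT_ROOT/mounted/$1"; }
vault_secret()     { vault_is_known "$1" && echo "$GOPASS_PREFIX-$1"; }

# An initialised gocryptfs ciphertext directory always carries these two
# files. If either is missing after a restore, the backup was incomplete:
# without gocryptfs.conf the master key, and so the data, is unrecoverable.
vault_cipherdir_ok() {
    [ -f "$1/gocryptfs.conf" ] && [ -f "$1/gocryptfs.diriv" ]
}

vault_mount() {
    cipher=$(vault_cipherdir "$1") || return 1
    mnt=$(vault_mountpoint "$1")
    secret=$(vault_secret "$1")
    if ! vault_cipherdir_ok "$cipher"; then
        echo "vault: $cipher is not an initialised gocryptfs directory; restore it first" >&2
        return 1
    fi
    if mountpoint -q "$mnt"; then
        echo "vault: $1 is already mounted at $mnt"
        return 0
    fi
    mkdir -p "$mnt"
    # -extpass runs gopass and reads the passphrase from its stdout, so the
    # secret itself never appears in a process listing or in shell history.
    # -i 15m unmounts the vault after 15 minutes without file activity.
    gocryptfs -i 15m -extpass "gopass show -o $secret" "$cipher" "$mnt"
}

vault_umount() {
    mnt=$(vault_mountpoint "$1") || return 1
    mountpoint -q "$mnt" || { echo "vault: $1 is not mounted"; return 0; }
    fusermount -u "$mnt"
}

vault_status() {
    for v in $KNOWN_VAULTS; do
        if mountpoint -q "$VAULT_ROOT/mounted/$v"; then
            echo "$v: mounted at $VAULT_ROOT/mounted/$v"
        else
            echo "$v: not mounted"
        fi
    done
}

main() {
    case "${1:-}" in
        mount)  vault_mount "${2:-}" ;;
        umount) vault_umount "${2:-}" ;;
        status) vault_status ;;
        *)      echo "usage: vault mount|umount <name> | vault status" >&2; return 2 ;;
    esac
}

# Dispatch only when called with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

With this wrapper, recovery step 3 becomes a check that the gopass entry exists rather than something to copy by hand: `vault mount credentials` fetches the passphrase itself, and `vault status` confirms which plaintext directories are currently exposed.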