
documentation: specify mount guarantees when mounting the same cipherdir to multiple locations

Open agorgl opened this issue 3 months ago • 3 comments

When mounting the same cipherdir to multiple locations, what are the data guarantees when trying to write from these multiple locations? I could not find any documentation specifying this (or warning against this kind of usage).

Example follows:

> cd $(mktemp -d)
> mkdir crypt plain1 plain2
> echo secret | gocryptfs -q -init crypt
> echo secret | gocryptfs -q crypt plain1
> echo secret | gocryptfs -q crypt plain2

> echo foo > plain1/foo
> ls -lah plain1
total 4.0K
drwxr-xr-x 2 user user 100 Sep  8 16:56 .
drwx------ 5 user user 100 Sep  8 16:55 ..
-rw-r--r-- 1 user user   4 Sep  8 16:56 foo
> ls -lah plain2
total 4.0K
drwxr-xr-x 2 user user 100 Sep  8 16:56 .
drwx------ 5 user user 100 Sep  8 16:55 ..
-rw-r--r-- 1 user user   4 Sep  8 16:56 foo
> cat plain1/foo
foo
> cat plain2/foo
foo

> echo bar > plain2/bar
> ls -lah plain1
total 8.0K
drwxr-xr-x 2 user user 120 Sep  8 16:58 .
drwx------ 5 user user 100 Sep  8 16:55 ..
-rw-r--r-- 1 user user   4 Sep  8 16:58 bar
-rw-r--r-- 1 user user   4 Sep  8 16:56 foo
> ls -lah plain2
total 8.0K
drwxr-xr-x 2 user user 120 Sep  8 16:58 .
drwx------ 5 user user 100 Sep  8 16:55 ..
-rw-r--r-- 1 user user   4 Sep  8 16:58 bar
-rw-r--r-- 1 user user   4 Sep  8 16:56 foo
> cat plain1/bar
bar
> cat plain2/bar
bar

Everything seems to be working fine (I can write in either plain directory and it appears in the other), but what are the guarantees around this kind of usage? Does it behave like a bind mount, or can multiple programs reading/writing to different plain directories that are views of the same encrypted directory potentially cause corruption of the data?

agorgl avatar Sep 08 '25 13:09 agorgl

This is safe. The only way to cause corruption is to write to the same file through two mounts at the same time.

rfjakob avatar Sep 30 '25 15:09 rfjakob
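
A check for the situation discussed in this thread, as an added example that is not part of the issue or of the gocryptfs project: it lists every cipherdir that is currently mounted read-write at more than one mountpoint, which is the precondition for the concurrent same-file writes described above. It assumes gocryptfs mounts appear in `/proc/mounts` with filesystem type `fuse.gocryptfs` and the cipherdir path in the first field (the default when `-fsname` is not set); the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: find gocryptfs cipherdirs with more than one read-write mount.
# Assumption: the first field of a fuse.gocryptfs entry is the cipherdir path
# (default fsname). Paths keep /proc/mounts escaping (a space shows as \040).

# multi_mounted [MOUNTS_FILE]   ("-" reads stdin, default /proc/mounts)
# Prints "<cipherdir><TAB><mountpoint> <mountpoint> ..." for each cipherdir
# that has at least two read-write mounts. Read-only mounts are ignored
# because they cannot take part in a write/write conflict.
multi_mounted() {
    awk '
        $3 == "fuse.gocryptfs" && $4 ~ /^rw(,|$)/ {
            n[$1]++
            mp[$1] = (mp[$1] == "" ? $2 : mp[$1] " " $2)
        }
        END {
            for (src in n)
                if (n[src] > 1)
                    printf "%s\t%s\n", src, mp[src]
        }
    ' "${1:-/proc/mounts}" | sort
}

# Constructed mount table in /proc/mounts format (not from a real system).
sample_mounts() {
    cat <<'EOF'
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/tmp/tmp.A/crypt /tmp/tmp.A/plain1 fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
/tmp/tmp.A/crypt /tmp/tmp.A/plain2 fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
/home/user/other /home/user/mnt fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
/srv/c /mnt/a fuse.gocryptfs ro,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
/srv/c /mnt/b fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
EOF
}

# Demo on the constructed table; call multi_mounted with no argument to
# inspect the live system instead.
sample_mounts | multi_mounted -
```

A cipherdir reported here is not corrupted; the output only shows where writers to the same file would have to be coordinated.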

Ah, thank you for the clarifications! Any specific details on how writes work on single files that make modifications unsafe from multiple mounts at the same time?

agorgl avatar Sep 30 '25 15:09 agorgl

You could take a look at https://github.com/rfjakob/gocryptfs/issues/754 and the commits in the "cluster" branch. This branch makes writes to the same file safe.


rfjakob avatar Sep 30 '25 15:09 rfjakob