rfjakob / gocryptfs

Encrypted overlay filesystem written in Go

Home Page: https://nuetzlich.net/gocryptfs/

Feature request: add key file support

heinrich-ulbricht opened this issue

Coming from e.g. TrueCrypt one might be used to using one or multiple key files to encrypt a vault. Those key files plus the password would then be needed for mounting. It would be nice to have key file support in gocryptfs.

(The passfile parameter currently seems too restricted in its semantics and furthermore can only be specified once.)

(A similar idea with proposed algorithm was #78 but in a more specific context and with only one key file.)

What you could currently do is to store the gocryptfs.conf outside the encrypted directory. When mounting, you pass the path via "-config", which is effectively like a (single) keyfile.

Another option/workaround for current versions would be to use the -extpass parameter in combination with a small script that feeds all the input files and other key material into sha256sum or similar. Something like this should work for multiple keyfiles:

keyfiles.sh (use chmod +x):

#!/bin/bash
cat "$@" | sha256sum | cut -f1 -d' '

usage:

gocryptfs -init -extpass "./keyfiles.sh a.txt b.txt" directory

This is only a bit limited due to the fact that -extpass currently does not understand quotes. I'll open another bug report for that.

The issue has been closed, but I can't figure out how to specify a (binary) keyfile?
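A variant of the -extpass helper script from the thread, added here as an example (it is not code from the gocryptfs project or from any commenter). It hashes each key file separately, so binary files work and file boundaries are part of the result, and it refuses to run if any file is unreadable. The script name keyfiles2.sh and the function name derive_passphrase are hypothetical, and sha256sum from coreutils is assumed to be installed.

```bash
#!/bin/bash
# keyfiles2.sh (hypothetical name): print one passphrase derived from
# several key files, for use as a gocryptfs -extpass program, e.g.
#   gocryptfs -init -extpass "./keyfiles2.sh a.txt b.txt" directory
# The order of the files on the command line is part of the key.

derive_passphrase() {
    if [ "$#" -lt 1 ]; then
        echo "usage: keyfiles2.sh KEYFILE..." >&2
        return 2
    fi
    digests=""
    for f in "$@"; do
        # Fail closed. With `cat "$@" | sha256sum`, a missing file only
        # produces a warning and the remaining files are still hashed,
        # so a typo at -init time would weaken the key without notice.
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "cannot read key file: $f" >&2
            return 1
        fi
        # sha256sum reads raw bytes, so binary key files (NUL bytes
        # included) are fine; only the hex digest is kept.
        d=$(sha256sum < "$f" | cut -f1 -d' ')
        [ "${#d}" -eq 64 ] || return 1
        # One digest per line keeps file boundaries: the pairs
        # ("ab","c") and ("a","bc") concatenate to the same bytes but
        # produce different digest lists.
        digests="${digests}${d}
"
    done
    # Hash the digest list down to a single 64-character hex string.
    printf '%s' "$digests" | sha256sum | cut -f1 -d' '
}

# Print the passphrase when key files are given as arguments.
if [ "$#" -gt 0 ]; then
    derive_passphrase "$@"
fi
```

The output is a different passphrase than the one the original keyfiles.sh produces for the same files, so a filesystem must be mounted with the same script it was initialized with.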