Vaults

A GNOME app written in Rust for creating and managing encrypted vaults using gocryptfs or CryFS as the encryption backend.

Vaults is a GTK4 graphical frontend for creating and managing encrypted vaults on Linux, using battle-tested FUSE-based encryption tools — gocryptfs or CryFS — as the backend. The interface distils vault management down to three operations: create, mount, and unmount, so encrypted storage is accessible to anyone without needing to touch the terminal. Because the encrypted data is stored as individual encrypted files rather than a single container, it syncs cleanly with cloud storage services like Dropbox or any rsync-based workflow.

Features

  • Two encryption backends — Choose between gocryptfs (fast, filename-encrypting, widely audited) or CryFS (designed specifically for cloud sync, obfuscates directory structure and file sizes).
  • Simple vault management — Create, mount, and unmount vaults through a clean GTK4 interface without touching the command line.
  • Password protection — Each vault is secured with a password; no keyfiles or complex setup required.
  • Cloud-sync friendly — Encrypted data is stored as individual files, making it compatible with Dropbox, Nextcloud, rclone, and rsync.
  • Local and removable storage — Works with home directories, USB drives, and SD cards — anywhere gocryptfs or CryFS can write.
  • GNOME integration — Follows system light/dark theme via libadwaita; integrates naturally into the GNOME desktop.
  • Flatpak sandboxed — Ships as a Flatpak for safe, self-contained installation with no system library conflicts.

Installation

The recommended installation method is Flatpak via Flathub:

# Install from Flathub (recommended)
flatpak install flathub io.github.mpobaschnig.Vaults

You must also install at least one encryption backend separately. Vaults itself provides no encryption — it is a frontend only:

# Debian / Ubuntu — install one or both backends
sudo apt install gocryptfs
sudo apt install cryfs

# Fedora
sudo dnf install gocryptfs
sudo dnf install cryfs

# macOS
brew install gocryptfs
brew install cryfs

# Arch Linux
sudo pacman -S gocryptfs
sudo pacman -S cryfs

# Nix (this installs the Vaults package itself, not a backend)
nix-env -iA nixpkgs.vaults

On Debian and Fedora, gocryptfs is available in the standard repositories and is the simpler choice for local or USB vaults. cryfs is the better option if you plan to sync your vault with a cloud storage provider.

Usage

Creating a vault

Launch Vaults and click the + button to create a new vault. You will be prompted to:

  1. Choose a name for the vault.
  2. Select an encryption backend (gocryptfs or CryFS).
  3. Pick an encrypted directory — where the scrambled files will live (e.g. inside a Dropbox folder or on a USB drive).
  4. Pick a mount point — an empty directory where the decrypted contents will appear when the vault is open.
  5. Set a password.

# Manually create the directories before opening Vaults if they don't exist
mkdir -p ~/Dropbox/my-vault-encrypted
mkdir -p ~/my-vault-unlocked

Mounting and unmounting

Click Unlock next to a vault, enter the password, and the decrypted files appear at the mount point. Click Lock to unmount the vault, which removes the decrypted view. Files written to the mount point are encrypted on the fly and stored in the encrypted directory, so nothing has to be re-encrypted when you lock.

Running Vaults from the terminal

# If installed via Flatpak
flatpak run io.github.mpobaschnig.Vaults

Choosing a backend

Feature                     gocryptfs     CryFS
Encrypts file contents
Encrypts filenames
Hides directory structure
Hides file sizes
Cloud sync safe             ⚠️ Mostly     ✅ Designed for it
Performance                 Faster        Slightly slower
Security audit              ✅ 2017       ✅ 2017
Debian / Ubuntu package

gocryptfs is the right default for most users — it is faster and its encrypted filenames map one-to-one with plaintext files, which makes incremental sync efficient. CryFS is the better choice when you want to hide metadata (directory tree, file sizes) from a cloud provider, or when you are storing highly sensitive documents and want full structural deniability.

Security notes

  • Vaults is a convenience frontend — the security guarantees come entirely from gocryptfs or CryFS, both of which have undergone independent security audits.
  • Always keep a backup of your encrypted directory. If the encrypted data is corrupted (e.g. a failed disk), there is no recovery without a backup.
  • The mount point should be an empty directory that only exists while the vault is unlocked; do not store other files there.
  • Use a strong, unique password. Neither backend stores a recovery key by default.
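
The directory rules above (an empty mount point, kept apart from the encrypted directory that gets synced and backed up) can be checked from a shell before creating or unlocking a vault. This is an added example, not part of Vaults: the function names and exit codes are this example's own, and the file names gocryptfs.conf and cryfs.config are the config files the two backends write into the encrypted directory, not something this page documents.

```shell
#!/bin/sh
# Added example: pre-flight checks for a vault's two directories.
# Function names and exit codes are hypothetical, not part of Vaults.

# Print which backend initialised an encrypted directory, judged by the
# config file each tool writes there. That file holds the password-wrapped
# key, so a backup of the encrypted directory must include it.
vault_backend() {
    if [ -f "$1/gocryptfs.conf" ]; then echo gocryptfs
    elif [ -f "$1/cryfs.config" ]; then echo cryfs
    else echo none
    fi
}

# Return 0 if the directory pair is safe to use; otherwise print the
# reason and return a distinct non-zero code.
vault_preflight() {
    enc=$1 mnt=$2
    [ -d "$enc" ] || { echo "encrypted directory missing: $enc"; return 2; }
    [ -d "$mnt" ] || { echo "mount point missing: $mnt"; return 3; }
    enc_abs=$(cd "$enc" && pwd -P) || return 2
    mnt_abs=$(cd "$mnt" && pwd -P) || return 3
    # Decrypted files must never appear inside the synced, encrypted tree.
    case "$mnt_abs/" in
        "$enc_abs"/*) echo "mount point is inside the encrypted directory"; return 4 ;;
    esac
    # A non-empty mount point means other files are stored there,
    # or the vault is already unlocked.
    if [ -n "$(ls -A "$mnt_abs")" ]; then
        echo "mount point is not empty: $mnt"; return 5
    fi
    echo "ok: backend=$(vault_backend "$enc_abs")"
}

# Usage: sh preflight.sh ~/Dropbox/my-vault-encrypted ~/my-vault-unlocked
if [ "$#" -eq 2 ]; then
    vault_preflight "$1" "$2"
fi
```

A result of backend=none on a directory that is supposed to hold an existing vault means the config file is missing, which is worth checking in any backup copy as well.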