[Guide] My Encryption Setup for Cloud-Stored Vaults

…There’s a nice bonus here, which is that you can store basically anything in the vault, not just Obsidian vaults!


Hello. I’ve been trying hard to figure out a way to encrypt my notes, so that I can feel free to write down more sensitive information (e.g. password hints) if I want, and to keep any cloud provider (in my case OneDrive) from potentially snooping on my stuff.

I hope this post helps out others wanting a convenient method of encrypting their stuff.

First off, I want to give props to this article for seeding the initial idea: My Cloud-Based Obsidian Encryption Setup · Avi Aryan

It’s great and all, but that solution had one drawback for me personally: it isn’t automated; you have to enter the command and the password manually every single time. What if I just want to click on Obsidian and have everything ready?

My scenario also includes the fact that my PC runs Windows, whereas my laptop runs Linux (I use Arch, btw :wink: ).


For the Windows setup, it was easy. The gocryptfs GitHub page links to cppcryptfs, the Windows port of gocryptfs. It is interoperable with gocryptfs (a vault created on one side opens on the other) and comes with a simple-to-use GUI.

It also comes with a password-saving option and automount options.

  • You’ll probably want to add the cppcryptfs application to your autostart list, so that you don’t have to manually launch the application to then have it automount.

For Linux however, I had to get creative, since there wasn’t an easy pre-made solution.

I make use of GNOME Keyring. There are other solutions for storing passwords, but I’m a GNOME user so I chose this.

  • This solution makes use of onedriver, and assumes it is already fully configured.
  • This solution should walk you through step by step, but it assumes you are comfortable working with Linux and can substitute your own strings and file paths as you read. Please let me know if I didn’t make something clear enough.

Retrieving Passwords from Gnome Keyring

We first need to store the vault password in a secure location that is unlocked automatically on user login, and then retrieve it for use with gocryptfs. In my case that location is GNOME Keyring. Be clear about what this buys you: the login keyring is unlocked by your login password, so any process running in your desktop session can read the stored vault password with secret-tool exactly as the unit file below does. The setup keeps the cloud provider out; it does not protect the vault from malware running as your user.

Steps

  1. secret-tool store --label="Label" password gocryptfs_vault_name
    • It will prompt you for the password.
    • “Label” is just the display name shown in the keyring UI (e.g. Seahorse); use anything you like.
    • “password” is the name of the attribute you want to store; it’s completely arbitrary.
    • “gocryptfs_vault_name” is the attribute value and serves as the lookup key. It is also an arbitrary name (it should be unique) that lets you pull the secret back out with secret-tool lookup password gocryptfs_vault_name.
  2. We’ll put this lookup into the unit file in the next section. You can run it right away to confirm that the lookup works, but it isn’t strictly necessary (the attribute name and value must match the ones you stored above):
    gocryptfs --extpass "secret-tool lookup password gocryptfs_vault_name" crypt mountpoint

Systemd Automount from OneDrive

We’ll then automount and unlock our gocryptfs vault from Onedrive, upon user login, using systemd’s user unit files.

Because the encrypted directory lives on a network mount, /bin/sleep is used to delay the start so that onedriver has actually finished mounting the location before gocryptfs tries to open it. The After=/Requires= lines order the unit after the onedriver unit, but that only guarantees the onedriver service has started, not that the FUSE mount is usable yet, hence the sleep. There may be a better solution…please let me know if there is a “cleaner” solution to this.

Steps

  1. Ensure your password is already stored, as per the last section.
  2. Create a user unit file in ~/.config/systemd/user/ (any name you want, ending in .service; that name is what you pass to systemctl later).
    • Description can be anything you want.
    • Note well that when using relative paths in user unit files, they are relative to your home directory ~. If you’re uncomfortable with that, use absolute paths.
    • The After=/Requires= lines name the onedriver user unit for your mount; the instance part after “onedriver@” is your OneDrive mount path as systemd escapes it (what systemd-escape --path prints for that path).
[Unit]
Description=Auto-Mount Encrypted Vault from OneDrive
# replace <instance> with the escaped mount path used by your onedriver@ unit
After=onedriver@<instance>.service
Requires=onedriver@<instance>.service

[Service]
Type=forking
ExecStartPre=/bin/sleep 10
ExecStart=gocryptfs --extpass="secret-tool lookup password gocryptfs_vault_name" path/to/cloud/vault path/to/unlocked/vault

[Install]
WantedBy=default.target
  3. Reload and enable: systemctl --user daemon-reload, then systemctl --user enable service_name.service

You can also optionally systemctl --user start service_name.service, unless you already ran the gocryptfs command listed earlier in isolation.
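Putting the keyring lookup and the unit file together, here is an added example (my own script, not the original post’s) that first checks that the secret-tool lookup really returns a password and then writes and enables the user unit with absolute paths. The vault location (~/OneDrive/vault), mountpoint (~/Vault), unit name (vault-mount), gocryptfs/fusermount paths under /usr/bin, the onedriver instance name derived with systemd-escape --path, and the ExecStop line are all assumptions or additions over the unit shown above; adjust them to your own setup.

```shell
#!/bin/sh
# Added example, not the original post's script. Writes the user unit from the
# guide with absolute paths, after checking that the keyring lookup works.
# Assumed placeholders: cipher dir ~/OneDrive/vault, mountpoint ~/Vault,
# keyring attribute "password" with value "gocryptfs_vault_name", and the
# onedriver instance name = the mount path as escaped by systemd-escape --path.
set -eu

# Print the unit text. Arguments: onedriver instance, absolute cipher dir,
# absolute mountpoint, keyring lookup value. ExecStop with fusermount -u is an
# addition so that "systemctl --user stop" unmounts the vault cleanly.
render_unit() {
    instance=$1
    cipher=$2
    mount=$3
    key=$4
    cat <<EOF
[Unit]
Description=Auto-Mount Encrypted Vault from OneDrive
After=onedriver@${instance}.service
Requires=onedriver@${instance}.service

[Service]
Type=forking
ExecStartPre=/bin/sleep 10
ExecStart=/usr/bin/gocryptfs --extpass="secret-tool lookup password ${key}" ${cipher} ${mount}
ExecStop=/usr/bin/fusermount -u ${mount}

[Install]
WantedBy=default.target
EOF
}

# gocryptfs splits a single --extpass string on spaces (no shell involved) and
# reads the password from the command's stdout. Mimic that with an unquoted $1
# and refuse an empty result, which is what a missing keyring entry or a locked
# session keyring produces.
extpass_ok() {
    pw=$($1 2>/dev/null) && [ -n "$pw" ]
}

# Write <unit_name>.service into the user unit directory, reload, enable+start.
install_unit() {
    unit_name=$1
    shift
    dir="$HOME/.config/systemd/user"
    mkdir -p "$dir"
    render_unit "$@" > "$dir/$unit_name.service"
    systemctl --user daemon-reload
    systemctl --user enable --now "$unit_name.service"
}

main() {
    key=gocryptfs_vault_name
    extpass_ok "secret-tool lookup password $key" || {
        echo "keyring lookup for $key returned nothing; run secret-tool store first" >&2
        exit 1
    }
    install_unit vault-mount "$(systemd-escape --path "$HOME/OneDrive")" \
        "$HOME/OneDrive/vault" "$HOME/Vault" "$key"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${RUN_VAULT_SETUP:-0}" = 1 ]; then main; fi
```

Run it as RUN_VAULT_SETUP=1 sh setup-vault.sh once the secret is stored; the extpass_ok check is the part worth keeping even if you write the unit by hand, because an empty or failing lookup shows up later only as gocryptfs failing to mount at login.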

That’s it. With this, you’ll have an automatically mounted vault that is encrypted at rest in the cloud. The vault is mounted locally, so the cloud only ever sees the encrypted form. Two caveats worth knowing: gocryptfs encrypts file contents and file names, but it does not hide the directory structure, the number of files, their approximate sizes or their modification times, so the provider still sees that much; and gocryptfs.conf, which holds the master key wrapped with a key derived from your password via scrypt, is synced along with the ciphertext, so anyone who obtains the cloud copy can attack a weak password offline. Pick a strong one.

Again, hope this helps someone. Please do leave feedback if there’s anything I did wrong or can improve upon. I did make sure to test this solution and use it myself before writing this up.


Forgot to post one drawback: as far as I know, if you’re a non-rooted Android user, or an iOS/iPadOS user, there is no way to access or decrypt the vault from those devices.