Add missing options to man page and reorganize it

benrubson 2017-08-05 13:12:38 +02:00
parent 9e394a46c0
commit dd42f97e43


@ -16,12 +16,13 @@ encfs - mounts or creates an encrypted virtual filesystem
=head1 SYNOPSIS =head1 SYNOPSIS
B<encfs> [B<--version>] [B<-s>] [B<-f>] [B<-v>|B<--verbose>] B<encfs> [B<--version>] [B<-v>|B<--verbose>] [B<-t>|B<--syslogtag>]
[B<-i MINUTES>|B<--idle=MINUTES>] [B<--extpass=program>] [B<-s>] [B<-f>] [B<--annotate>] [B<--standard>] [B<--paranoia>]
[B<-S>|B<--stdinpass>] [B<--anykey>] [B<--forcedecode>] [B<--reverse>] [B<--extpass=program>] [B<-S>|B<--stdinpass>]
[B<-d>|B<--fuse-debug>] [B<--public>] [B<--no-default-flags>] [B<--anykey>] [B<--forcedecode>] [B<-require-macs>]
[B<--ondemand>] [B<--delaymount>] [B<--reverse>] [B<--standard>] [B<-i MINUTES>|B<--idle=MINUTES>] [B<-m>|B<--ondemand>] [B<--delaymount>]
[B<-o FUSE_OPTION>] [B<--public>] [B<--nocache>] [B<--no-default-flags>]
[B<-o FUSE_OPTION>] [B<-d>|B<--fuse-debug>] [B<-H>|B<--fuse-help>]
I<rootdir> I<mountPoint> I<rootdir> I<mountPoint>
[B<--> [I<Fuse Mount Options>]] [B<--> [I<Fuse Mount Options>]]
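Review bot: in the new synopsis the MAC option is written `[B<-require-macs>]` with a single dash, while its =item entry documents it as B<--require-macs>; change the synopsis to `[B<--require-macs>]` so the two agree. The synopsis also gains `[B<-t>|B<--syslogtag>]`, and no =item entry for it is visible in this diff, so please confirm one exists in the OPTIONS list.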
@ -42,22 +43,10 @@ may be an increasing number of choices.
=over 4 =over 4
=item B<-i>, B<--idle=MINUTES> =item B<--version>
Enable automatic unmount of the filesystem after a period of inactivity. The Shows B<EncFS> version. Using B<--verbose> before B<--version> may display
period is specified in minutes, so the shortest timeout period that can be additional information.
requested is one minute. B<EncFS> will not automatically unmount if there are
files open within the filesystem, even if they are open in read-only mode.
However simply having files open does not count as activity.
=item B<-f>
The B<-f> (I<foreground>) option causes B<EncFS> to run in the foreground.
Normally B<EncFS> spawns off as a daemon and runs in the background, returning
control to the spawning shell. With the B<-f> option, it will run in the
foreground and any warning/debug log messages will be displayed on standard
error. In the default (background) mode, all log messages are logged via
syslog.
=item B<-v>, B<--verbose> =item B<-v>, B<--verbose>
@ -78,62 +67,31 @@ mode. By default, B<EncFS> runs in multi-threaded mode. This option is used
during B<EncFS> development in order to simplify debugging and allow it to run during B<EncFS> development in order to simplify debugging and allow it to run
under memory checking tools. under memory checking tools.
=item B<-d>, B<--fuse-debug> =item B<-f>
Enables debugging within the B<FUSE> library. This should only be used if you The B<-f> (I<foreground>) option causes B<EncFS> to run in the foreground.
suspect a problem within B<FUSE> itself (not B<EncFS>), as it generates a lot Normally B<EncFS> spawns off as a daemon and runs in the background, returning
of low-level data and is not likely to be very helpful in general problem control to the spawning shell. With the B<-f> option, it will run in the
tracking. Try I<verbose> mode (B<-v>) first, which gives a higher level view foreground and any warning/debug log messages will be displayed on standard
of what is happening within B<EncFS>. error. In the default (background) mode, all log messages are logged via
syslog.
=item B<--forcedecode> =item B<--annotate>
This option only has an effect on filesystems which use MAC block headers. By Print annotation lines to stderr during configuration.
default, if a block is decoded and the stored MAC doesn't match what is
calculated, then an IO error is returned to the application and the block is
not returned. However, by specifying B<--forcedecode>, only an error will be
logged and the data will still be returned to the application. This may be
useful for attempting to read corrupted files.
=item B<--public> =item B<--standard>
Attempt to make encfs behave as a typical multi-user filesystem. By default, If creating a new filesystem, this automatically selects standard configuration
all FUSE based filesystems are visible only to the user who mounted them. No options, to help with automatic filesystem creation. This is the set of
other users (including root) can view the filesystem contents. The B<--public> options that should be used unless you know what you're doing and have read the
option does two things. It adds the FUSE flags "allow_other" and documentation.
"default_permission" when mounting the filesystem, which tells FUSE to allow
other users to access the filesystem, and to use the ownership permissions
provided by the filesystem. Secondly, the B<--public> flag changes how encfs's
node creation functions work - as they will try and set ownership of new nodes
based on the caller identification.
B<Warning>: In order for this to work, encfs must be run as root -- otherwise When not creating a filesystem, this flag does nothing.
it will not have the ability to change ownership of files. I recommend that
you instead investigate if the fuse allow_other option can be used to do what
you want before considering the use of B<--public>.
=item B<--ondemand> =item B<--paranoia>
Mount the filesystem on-demand. This currently only makes sense in combination Same as =item B<--standard>, but for B<paranoia> mode.
with B<--idle> and B<--extpass> options. When the filesystem becomes idle,
instead of exiting, B<EncFS> stops allowing access to the filesystem by
internally dropping its reference to it. If someone attempts to access the
filesystem again, the extpass program is used to prompt the user for the
password. If this succeeds, then the filesystem becomes available again.
=item B<--delaymount>
Do not mount the filesystem when encfs starts; instead, delay mounting until
first use. This option only makes sense with B<--ondemand>.
=item B<--require-macs>
If creating a new filesystem, this forces block authentication code headers to
be enabled. When mounting an existing filesystem, this causes encfs to exit
if block authentication code headers are not enabled.
This can be used to improve security in case the ciphertext is vulnerable to
tampering, by preventing an attacker from disabling MACs in the config file.
=item B<--reverse> =item B<--reverse>
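Review bot: the new B<--paranoia> entry reads `Same as =item B<--standard>, but for B<paranoia> mode.`, so the literal text "=item" will appear in the rendered man page; drop it so the sentence reads `Same as B<--standard>, but for B<paranoia> mode.` The new B<--annotate> entry is a single line and does not say what the annotation lines are for, so a short sentence on their intended consumer would help.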
@ -159,58 +117,6 @@ Now /tmp/plain-view contains the same data as /home/me
Note that B<--reverse> mode only works with limited configuration options, so Note that B<--reverse> mode only works with limited configuration options, so
many settings may be disabled when used. many settings may be disabled when used.
=item B<--nocache>
Disable the kernel's cache of file attributes.
Setting this option makes EncFS pass "attr_timeout=0" and "entry_timeout=0" to
FUSE. This makes sure that modifications to the backing files that occour
outside EncFS show up immediately in the EncFS mount. The main use case
for "--nocache" is reverse mode.
=item B<--standard>
If creating a new filesystem, this automatically selects standard configuration
options, to help with automatic filesystem creation. This is the set of
options that should be used unless you know what you're doing and have read the
documentation.
When not creating a filesystem, this flag does nothing.
=item B<-o FUSE_ARG>
Pass through B<FUSE> args to the underlying library. This makes it easy to
pass FUSE options when mounting B<EncFS> via mount (and /etc/fstab). Eg:
mount encfs#/home/me-crypt /home/me -t fuse -o kernel_cache
Note that encfs arguments cannot be set this way. If you need to set encfs
arguments, create a wrapper, such as encfs-reverse;
#!/bin/sh
encfs --reverse "$@"
Then mount using the script path
mount encfs-reverse#/home/me /home/me-crypt -t fuse
=item B<-->
The B<--> option tells B<EncFS> to send any remaining arguments directly to
B<FUSE>. In turn, B<FUSE> passes the arguments to B<fusermount>. See
the B<fusermount> help page for information on available commands.
=item B<--no-default-flags>
B<Encfs> adds the FUSE flags "use_ino" and "default_permissions" by default, as
of version 1.2.2, because that improves compatibility with some programs. If
for some reason you need to disable one or both of these flags, use the option
B<--no-default-flags>.
The following command lines produce the same result:
encfs raw crypt
encfs --no-default-flags raw crypt -- -o use_ino,default_permissions
=item B<--extpass=program> =item B<--extpass=program>
Specify an external program to use for getting the user password. When the Specify an external program to use for getting the user password. When the
@ -252,6 +158,118 @@ which will not remain the same if the primary password is changed.
B<Warning>: Use this option at your own risk. B<Warning>: Use this option at your own risk.
=item B<--forcedecode>
This option only has an effect on filesystems which use MAC block headers. By
default, if a block is decoded and the stored MAC doesn't match what is
calculated, then an IO error is returned to the application and the block is
not returned. However, by specifying B<--forcedecode>, only an error will be
logged and the data will still be returned to the application. This may be
useful for attempting to read corrupted files.
=item B<--require-macs>
If creating a new filesystem, this forces block authentication code headers to
be enabled. When mounting an existing filesystem, this causes encfs to exit
if block authentication code headers are not enabled.
This can be used to improve security in case the ciphertext is vulnerable to
tampering, by preventing an attacker from disabling MACs in the config file.
=item B<-i>, B<--idle=MINUTES>
Enable automatic unmount of the filesystem after a period of inactivity. The
period is specified in minutes, so the shortest timeout period that can be
requested is one minute. B<EncFS> will not automatically unmount if there are
files open within the filesystem, even if they are open in read-only mode.
However simply having files open does not count as activity.
=item B<-m>, B<--ondemand>
Mount the filesystem on-demand. This currently only makes sense in combination
with B<--idle> and B<--extpass> options. When the filesystem becomes idle,
instead of exiting, B<EncFS> stops allowing access to the filesystem by
internally dropping its reference to it. If someone attempts to access the
filesystem again, the extpass program is used to prompt the user for the
password. If this succeeds, then the filesystem becomes available again.
=item B<--delaymount>
Do not mount the filesystem when encfs starts; instead, delay mounting until
first use. This option only makes sense with B<--ondemand>.
=item B<--public>
Attempt to make encfs behave as a typical multi-user filesystem. By default,
all FUSE based filesystems are visible only to the user who mounted them. No
other users (including root) can view the filesystem contents. The B<--public>
option does two things. It adds the FUSE flags "allow_other" and
"default_permission" when mounting the filesystem, which tells FUSE to allow
other users to access the filesystem, and to use the ownership permissions
provided by the filesystem. Secondly, the B<--public> flag changes how encfs's
node creation functions work - as they will try and set ownership of new nodes
based on the caller identification.
B<Warning>: In order for this to work, encfs must be run as root -- otherwise
it will not have the ability to change ownership of files. I recommend that
you instead investigate if the fuse allow_other option can be used to do what
you want before considering the use of B<--public>.
=item B<--nocache>
Disable the kernel's cache of file attributes.
Setting this option makes EncFS pass "attr_timeout=0" and "entry_timeout=0" to
FUSE. This makes sure that modifications to the backing files that occour
outside EncFS show up immediately in the EncFS mount. The main use case
for "--nocache" is reverse mode.
=item B<--no-default-flags>
B<Encfs> adds the FUSE flags "use_ino" and "default_permissions" by default, as
of version 1.2.2, because that improves compatibility with some programs. If
for some reason you need to disable one or both of these flags, use the option
B<--no-default-flags>.
The following command lines produce the same result:
encfs raw crypt
encfs --no-default-flags raw crypt -- -o use_ino,default_permissions
=item B<-o FUSE_ARG>
Pass through B<FUSE> args to the underlying library. This makes it easy to
pass FUSE options when mounting B<EncFS> via mount (and /etc/fstab). Eg:
mount encfs#/home/me-crypt /home/me -t fuse -o kernel_cache
Note that encfs arguments cannot be set this way. If you need to set encfs
arguments, create a wrapper, such as encfs-reverse;
#!/bin/sh
encfs --reverse "$@"
Then mount using the script path
mount encfs-reverse#/home/me /home/me-crypt -t fuse
=item B<-d>, B<--fuse-debug>
Enables debugging within the B<FUSE> library. This should only be used if you
suspect a problem within B<FUSE> itself (not B<EncFS>), as it generates a lot
of low-level data and is not likely to be very helpful in general problem
tracking. Try I<verbose> mode (B<-v>) first, which gives a higher level view
of what is happening within B<EncFS>.
=item B<-H>, B<--fuse-help>
Shows B<FUSE> help.
=item B<-->
The B<--> option tells B<EncFS> to send any remaining arguments directly to
B<FUSE>. In turn, B<FUSE> passes the arguments to B<fusermount>. See
the B<fusermount> help page for information on available commands.
=back =back
=head1 ENVIRONMENT VARIABLES =head1 ENVIRONMENT VARIABLES
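Review bot: the relocated B<--public> entry still names the FUSE flag as "default_permission", while the B<--no-default-flags> entry and its example use "default_permissions"; since these lines are being re-added, correct the spelling here so the two entries agree. The same pass could fix "occour" in the B<--nocache> entry and the `=item B<-o FUSE_ARG>` heading, which the synopsis spells B<-o FUSE_OPTION>. B<--forcedecode> now sits directly above B<--require-macs>; consider giving it a B<Warning> line like the one closing the entry above it, stating that data returned under B<--forcedecode> has failed its MAC check.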