Using TLS

Secure transport with TLS

GhostFS supports TLS for encrypted transport between client and server.

GhostFS can automatically obtain and renew TLS certificates from Let's Encrypt:

ghostfs server \
  --root /data \
  --bind 0.0.0.0 \
  --acme \
  --acme-domain ghostfs.example.com \
  --acme-email admin@example.com

This will:

  • Automatically obtain a certificate from Let's Encrypt
  • Handle certificate renewal automatically
  • Remove the need for manual certificate management

Requirements:

  • Port 443 must be accessible from the internet for ACME challenges
  • A valid domain name pointing to your server

Manual TLS Certificates

Self-Signed (Testing Only)

For testing, generate a self-signed certificate:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Using Your Own Certificates

ghostfs server \
  --root /data \
  --bind 0.0.0.0 \
  --key key.pem \
  --cert cert.pem
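
Before passing files to --key and --cert, it is worth confirming that the key belongs to the certificate, that the certificate is not close to expiry, and that it covers the host name clients will connect to. The script below is an added example, not part of GhostFS; the function name check_tls_pair, its exit codes, and the demo host server.local are assumptions, and it relies only on the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the GhostFS docs): pre-flight check for the PEM
# files given to --cert / --key. Function name and exit codes are assumptions.
#
# check_tls_pair CERT KEY HOST [MIN_DAYS]
#   0 usable, 1 key does not match cert, 2 expires within MIN_DAYS,
#   3 HOST not covered by the certificate, 4 file unreadable or not PEM
check_tls_pair() {
  ctp_cert=$1; ctp_key=$2; ctp_host=$3; ctp_days=${4:-30}

  # Extract the public key from each file; a failure means bad input.
  ctp_cpub=$(openssl x509 -in "$ctp_cert" -noout -pubkey 2>/dev/null) || return 4
  ctp_kpub=$(openssl pkey -in "$ctp_key" -pubout 2>/dev/null) || return 4

  # 1. The private key must belong to this certificate.
  if [ -z "$ctp_cpub" ] || [ "$ctp_cpub" != "$ctp_kpub" ]; then
    echo "key does not match certificate" >&2; return 1
  fi

  # 2. -checkend exits non-zero if the cert expires within N seconds.
  if ! openssl x509 -in "$ctp_cert" -noout \
       -checkend $((ctp_days * 86400)) >/dev/null; then
    echo "certificate expires within $ctp_days days" >&2; return 2
  fi

  # 3. -checkhost prints "does match" / "does NOT match"; test the text
  #    rather than the exit status.
  if ! openssl x509 -in "$ctp_cert" -noout -checkhost "$ctp_host" 2>/dev/null \
       | grep -q 'does match'; then
    echo "certificate does not cover $ctp_host" >&2; return 3
  fi
  return 0
}

# Demo on a constructed throwaway pair: sh check_tls_pair.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=server.local" \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
  check_tls_pair "$d/cert.pem" "$d/key.pem" server.local && echo "pair OK"
  rm -rf "$d"
fi
```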

Client with TLS

ghostfs mount /mnt/remote \
  --host server.local \
  --user alice \
  --token xxx \
  --key key.pem \
  --cert cert.pem

TLS + Client-Side Encryption

For maximum security, combine TLS with client-side encryption:

ghostfs mount /mnt/remote \
  --host server.local \
  --user alice \
  --token xxx \
  --key key.pem \
  --cert cert.pem \
  --encrypt \
  --encryption-key ~/.ghostfs/encryption.key

This gives you:

  • Encrypted transport (TLS)
  • Encrypted data at rest (client-side encryption)