diff --git a/.ci/asic_create_recipe.sh b/.ci/asic_create_recipe.sh
index 33a85c04dc82ca6ddbe606aa9e3b1f3720e23cc0..d159a2f5bbb54a870ab8172717885d772520fb0f 100755
--- a/.ci/asic_create_recipe.sh
+++ b/.ci/asic_create_recipe.sh
@@ -81,6 +81,9 @@ From: ${DOCKER_BASE_IMAGE}
     # ECM: and now some abspacking
     yum -y install ccache sudo parallel
 
+    # ECM: and userspace mount stuff
+    yum -y install fuse3
+
     # create a fingerprint by which we can identify the container from within
     cat /proc/sys/kernel/random/uuid > /opt/fingerprint
 
@@ -99,7 +102,10 @@ From: ${DOCKER_BASE_IMAGE}
     export CONTAINER_STYLE="${CONTAINER_STYLE}"
     "${SPACK_INSTALL_SCRIPTS}/complete_spack_install_routine_called_in_post_as_root.sh"
     wait
-    "${SPACK_INSTALL_SCRIPTS}/install_singularity_as_root.sh" || \
+    (
+        "${SPACK_INSTALL_SCRIPTS}/install_singularity_as_root.sh" && \
+        "${SPACK_INSTALL_SCRIPTS}/install_gocryptfs_as_root.sh"
+    ) || \
     (
     sudo -Eu spack "${SPACK_INSTALL_SCRIPTS}/preserve_built_spack_packages.sh" &&
         exit 1  # propagate the error
@@ -118,8 +124,8 @@ From: ${DOCKER_BASE_IMAGE}
         unset LC_COLLATE LC_CTYPE LC_MONETARY LC_NUMERIC LC_TIME LC_MESSAGES LC_ALL
     fi
 
-    # python now from conda...
-    PATH=/opt/conda/bin:${PATH}
+    # python now from conda... and gopath/bin (gocryptfs)
+    PATH=/opt/conda/bin:/opt/go/gopath/bin:${PATH}
     # ensure conda sees a clean env
     unset PYTHONHOME
 EOF
diff --git a/.ci/install_gocryptfs_as_root.sh b/.ci/install_gocryptfs_as_root.sh
new file mode 100755
index 0000000000000000000000000000000000000000..ef8d87fedb65556105dbfeaca19960381bba2338
--- /dev/null
+++ b/.ci/install_gocryptfs_as_root.sh
@@ -0,0 +1,30 @@
+#!/bin/bash -lx
+# Install gocryptfs from source; needed for older base images such as Cent OS 7
+# (ASIC container image)
+
+
+set -euo pipefail
+shopt -s inherit_errexit 2>/dev/null || true
+
+sourcedir="$(dirname "$(readlink -m "${BASH_SOURCE[0]}")")"
+source "${sourcedir}/commons.sh"
+source "${sourcedir}/setup_env_spack.sh"
+GOCRYPTFS_REPO="https://github.com/rfjakob/gocryptfs.git"
+
+# go assumed to be provided via install_singularity_as_root.sh; repeat variables
+GO_INSTALL_PATH=/opt/go
+
+# setup environment
+export PATH="${GO_INSTALL_PATH}/go/bin${PATH:+:${PATH}}"
+export GOPATH="${GO_INSTALL_PATH}/gopath"
+
+# build gocryptfs
+# this is a go 1.11-based install flow which probably should be adjusted for
+# modern go (no need to build from source within the gopath folder anymore)
+GOCRYPTFS_INSTALL_PATH="${SPACK_TMPDIR}/gocryptfs"
+git clone "${GOCRYPTFS_REPO}" "${GOCRYPTFS_INSTALL_PATH}"
+
+pushd "${GOCRYPTFS_INSTALL_PATH}"
+# build and install
+./build.bash
+popd
diff --git a/.ci/install_system_dependencies.sh b/.ci/install_system_dependencies.sh
index 28e0a0e7dc09beaa3c9b7b42135f6229737182d2..f0d9e50ff6ea4d4e26f0c083fbf4be4bf840b1a3 100755
--- a/.ci/install_system_dependencies.sh
+++ b/.ci/install_system_dependencies.sh
@@ -19,6 +19,7 @@ system_dependencies=(
         "g++-aarch64-linux-gnu"
         "gcc-aarch64-linux-gnu"
         "gfortran-aarch64-linux-gnu"
+        "gocryptfs"
         "htop"
         "iproute2"
         "iptables"