EncFs insecure, what to use now

security encryption cloud dropbox encfs

As I write this, there seem to be quite a few open source tools similar to encfs (but more "modern" than encfs) that could be able to encrypt files in a "cloud friendly" way (i.e. providing per-file encryption, keeping modification times, and so on).

Most of them are fine if you are using only Ubuntu or any other Linux system (ecryptfs seems good), but things become difficult if you require interoperability with other OSes and mobile devices, as most of us is expecting nowadays.

Just to name a few:

  • Cryptomator seems to be the only one that works "everywhere", from any GNU/Linux OS to Android. There's even a PPA for Ubuntu and binaries for several other distros and OSes.
  • ecryptfs works only on GNU/Linux systems (like Ubuntu, but also ChromeOS), and it's nice if you won't need to access your files from non-Linux OSes, but people say there may be some problems with cloud sync tools.
  • CryFS it's a young solution, works only on Linux for now, but there are plans to port it to MacOS and Windows as well. Maybe it worths some attention in the future.

You may find also interesting this comparison of tools from the CryFS website.


In 2019, CryFS and gocryptfs are the best candidates in my opinion. Both were designed for the Cloud, are actively developed, and have no known security issues.

Their design differs, which has pros and cons:

CryFs hides meta-data (e.g., file sizes, directory structures), which is a nice property. To achieve it, CryFs stores all files and directory information in fixed size blocks, which comes with a performance cost.

In contrast, gocrytfs is closer to the design of EncFs (for each plain text file, there is one encrypted file). It is primarily concerned about the confidentiality of the file content and does not have such strong protection against leaking meta information. Like EncFs, it also supports reverse mode, which is useful for encrypted backups.

Overall, the design of CryFs has the edge in terms of confidentiality and tamper resistance. On the other hand, gocrypts has practical advantages (performance, support for reverse mode).

Both systems are relatively new. In terms of transparency, both are open source projects. gocryptfs had an independent security audit in 2017. CryFs did not have such an audit, but the design has been developed and proven in a master thesis and a paper has been published.

What about the others?

EncFS is discouraged because of the unresolved security issues. It is unsafe if the attacker gets access to previous versions of files (which will be the case when you store data on the Cloud). Also it leaks meta information like file sizes. There is a thread about the plans for version 2, but there are no signs that it will happen in the near future. The original EncFs developer has recommended gocryptfs.

eCryptfs has seen a lack of support recently. In Ubuntu, the installer no longer support ecryptfs encrypted /home directories. Instead they recommend full disk encryption based on LUKS. In addition, eCryptFs has been designed for local disks, not Cloud storage, so I would not recommend it.

VeraCrypt (successor of TrueCrypt) has a good reputation from a security standpoint, but it is not Cloud friendly, as everything is stored in one big file. That will make syncing slow. However, on a local filesystem, this is no concern, which makes it an excellent candidate there.

There is a nice comparison of all these tools on the CryFs homepage (looking at core features). Similarly, there is also an extensive comparison of those four plus cryptomator and securefs on the gocryptfs documentation (looking at technical specs, performance, compatibility etc.).


The conclusion in the link sums it up:

  1. Conclusion

In conclusion, while EncFS is a useful tool, it ignores many standard best-practices in cryptography. This is most likely due to it's old age (originally developed before 2005), however, it is still being used today, and needs to be updated.

The EncFS author says that a 2.0 version is being developed 1. This would be a good time to fix the old problems.

EncFS is probably safe as long as the adversary only gets one copy of the ciphertext and nothing more. EncFS is not safe if the adversary has the opportunity to see two or more snapshots of the ciphertext at different times. EncFS attempts to protect files from malicious modification, but there are serious problems with this feature.

So the question you need to answer: How likely is it that an attacker can get hold of the ciphertext?

But that audit is from 2014 and was done on v1.7. v1.8 already fixes some of the issues mentioned in the audit:

The first EncFS 1.8 release candidate fixes two of the potential vulnerabilities mentioned in the security audit and brings a few other improvements:

  • improve automatic test converage: also test reverse mode (make test)
  • add per-file IVs based on the inode number to reverse mode to improve security
  • add automatic benchmark (make benchmark)
  • compare MAC in constant time
  • add --nocache option

v1.8 came out in 2014 too.

From the project page:

Status

Over the last 10 years, a number of good alternatives have grown up. Computing power has increased to the point where it is reasonable to encrypt the entire filesystem of personal computers (and even mobile phones!). On Linux, ecryptfs provides a nice dynamically mountable encrypted home directory, and is well integrated in distributions I use, such as Ubuntu.

EncFS has been dormant for a while. I've started cleaning up in order to try and provide a better base for a version 2, but whether EncFS flowers again depends upon community interest. In order to make it easier for anyone to contribute, it is moving a new home on Github. So if you're interested in EncFS, please dive in!

That is from 2013... I would consider the project dead if that was the latest news.

But it does list ecryptfs as an alternative for Ubuntu so have a look at that.


gocryptfs is a new alternative. Performance comparisons are available. The encfs developer speaks positively about it.

Related

Is it possible to unset root password?
Using DKIM in my server for multiple domains (websites)
Exit terminal after running a bash script
How do I zip up multiple files on command line?
How do I disable fetching of DEP-11 files
Performance impact of running different filesystems on a single Linux server
What is the rationale for a minimum password age?
Nagios - new user doesn't get enabled permissions
How to resolve problems with spf / softfail?
How should I select the port number for a new tool?
autossh does not kill ssh when link down
AWS CloudFormation returning "Invalid request" when trying to create a AWS::Route53::RecordSet