comparison between cryfs[1] and other solutions is here[2].
Currently, zuluMount-gui[3] is the only project that offers a GUI solution for unlocking cryfs volumes.
[1] https://github.com/cryfs/cryfs
cryfs's whole USP -- and I don't know any other tool that has it so it really is a USP -- is the metadata hiding, while retaining size flexibility.
however, I've evaluated my use (most financial and medical documents, emails, etc), and I find their examples of how metadata can hit you to be completely irrelevant to me, even if I were storing these files in the cloud (which I am not -- my cloud backups are all borg backups).
I still recommend gocryptfs for now, seeing that their own "comparison" page https://www.cryfs.org/comparison says:
> The main drawback of CryFS is that it is relatively new. The current version is not considered stable yet by the developers and if you decide to use it, regular backups are strongly recommended
But I'm sure it's a good one to keep an eye on for future.
Vaults can use several backends for the encryption.
There are versions of all the tools mentioned for various operating systems. However, security gaps were discovered in EncFS a few years ago, which have not yet been completely fixed. In my opinion, EncFS is therefore out of the question. Especially as the tool only encrypts the file content but not, for example, the name.
It's my preferred backend and I use it on Windows and Linux. I have not experienced any issues with it.
For cloud storage, cryfs seems to be best since it hides the most things (file sizes and directory structures). It does this by storing user data in same-size chunks of encrypted blocks. Its downside is that it currently doesn't work on Windows.
Second best is securefs. It exposes file sizes but can hide directory structures when it is used in its "full format".
securefs in its default format (lite format) is more or less like encfs, ecryptfs and gocryptfs in the sense that the only thing they hide is file contents and file names.
For a solution that works on all 3 platforms, I would order them as follows in terms of hiding the most.
There is a GUI application on Windows that can manage gocryptfs volumes and it's called cppcryptfs.
Cryptomator was already mentioned, but it is not FOSS.
CryFS, in contrast, is Open Source and its security was proven in the master's thesis of the author.
File encryption can help with that. If you want to go for max privacy and minimal metadata leakage, there's cryfs, although it has performance problems in a lot of scenarios.
Other hosts than Google mentioned in other comments are probably still a good idea.
It turns out CryFS is exactly what I was looking for; here's a comparison, amongst others, to EncFS: https://www.cryfs.org/comparison
EDIT: also it seems that EncFS has a security flaw that hasn't been patched yet.
The CryFS site names some of the issues. Of course they say use CryFS.
I knew about the "encrypts each file so the file structure can be seen" but not the others. I guess that's why KDE added CryFS support and made it the default.
I've been using CryFS with Dropbox recently, it works pretty well. Here is a comparison (written by the people behind CryFS) of different encryption software for cloud storage. Veracrypt is great, but not friendly with cloud storage sync software, as you mentioned, one small change in a Veracrypt volume means the entire container has to be re-uploaded. Many of the options on that comparison avoid that problem.
I think CryFS was created for this purpose exactly. It also hides the number of files and their individual sizes. I think it also somehow deals with the problem of sharing only some subset of the encrypted content, though I didn't get to that part in the author's paper.
Well, I do it with my Linux machines and a Mac. So I guess you can also do that with Windows. You need to install CryFS on Windows (https://www.cryfs.org/#download) and then run:
cryfs myvault.enc ~/Vaults/myvault
to mount it. I have myvault.enc shared with Dropbox between my machines.
It depends on which encryption software and what your threat model is. Metadata like file dates, directory structure and sizes can be used to identify files such as pirated games. There is CryFS https://www.cryfs.org/ as a solution but performance is awful with it.
This thread on AskUbuntu (Kubuntu) has an option for how the vaults are configured.
https://askubuntu.com/questions/1135704/how-to-move-a-kde-vault
Config is ~/.config/plasmavaultrc and the actual data for the vault is kept in ~/.local/share/plasma-vault
You can copy over the config file (editing it for username, etc) and you may have to copy the .local folders as well, depending. I'm not sure if a nextcloud integration will work super well, but CryFS claims that's what it is designed to do.
After changing the .config you'll need to logout and log back in.
Edit: I talk a little past your question, but hopefully something in there still proves useful!
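The move described in the answer above, automated as an added example (this is not KDE's code and not the poster's; the plasmavaultrc layout assumed below, one group per vault keyed by its encrypted directory with mountPoint and backend keys, is an assumption taken from how KDE rc files usually look, so check it against your own file first). It rewrites the home directory in every path, lists the encrypted directories that still have to be copied from ~/.local/share/plasma-vault, and prints the equivalent manual `cryfs <encrypted> <mountpoint>` invocation for each cryfs-backed vault:

```python
"""Move a KDE Plasma Vault definition to another user account.

Added example for this thread, not code from KDE or from any poster.
The config layout in SAMPLE_RC is an assumption; verify against your own
~/.config/plasmavaultrc before relying on it.
"""
import re

# Constructed sample in the assumed layout (two vaults, two backends).
SAMPLE_RC = """[/home/alice/.local/share/plasma-vault/Finance.enc]
backend=cryfs
mountPoint=/home/alice/Vaults/Finance
name=Finance

[/home/alice/.local/share/plasma-vault/Medical.enc]
backend=gocryptfs
mountPoint=/home/alice/Vaults/Medical
name=Medical
"""


def rewrite_home(text, old_home, new_home):
    """Replace old_home with new_home wherever it is a whole path prefix,
    in group headers and key values alike. The lookahead stops /home/al
    from matching inside /home/alice."""
    pat = re.compile(re.escape(old_home.rstrip("/")) + r"(?=/|\]|$)", re.M)
    return pat.sub(new_home.rstrip("/"), text)


def vaults(text):
    """Return (encrypted_dir, mount_point, backend) for each vault group.
    The encrypted_dir entries are what must be copied to the new account."""
    out = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = {"enc": header.group(1), "mountPoint": None, "backend": None}
            out.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            if key in ("mountPoint", "backend"):
                current[key] = value
    return [(v["enc"], v["mountPoint"], v["backend"]) for v in out]


def mount_commands(text):
    """Manual equivalent of what Plasma runs for a cryfs vault, matching the
    `cryfs <encrypted> <mountpoint>` form used earlier in the thread.
    Vaults with other backends are skipped."""
    return [["cryfs", enc, mnt] for enc, mnt, backend in vaults(text)
            if backend == "cryfs"]


if __name__ == "__main__":
    migrated = rewrite_home(SAMPLE_RC, "/home/alice", "/home/bob")
    print(migrated)
    print("copy these directories to the new account:")
    for enc, _, _ in vaults(migrated):
        print("  ", enc)
    for argv in mount_commands(migrated):
        print("mount by hand with:", " ".join(argv))
```

Write the rewritten text to the new user's ~/.config/plasmavaultrc, copy the listed directories, then log out and back in as the answer says; the mount point directories are created by cryfs if missing.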
cryfs ticks all the boxes for me.
but Tomb is also really cool and has plenty of plugin-ability, like the plugin for pass to keep your password database in a tomb, and the steganographic encrypt/decrypt key.
There is no special reason why cryptsetup (the userspace tool for working with dm_crypt) can't be used on a fuse filesystem, either, but you get the same trouble as you would with any other container-fs which is that the whole container has to be synced and not just your cipher-files.
If you're on Windows, or need to interoperate with Windows, I can't help you. I refuse to use it and have turned down jobs because they wouldn't let me use an alternative.
IMO, rclone’s encryption needs some improvement. No salt + encrypted file sizes within 16 bytes (IIRC) of the original files. So it would be pretty easy for google to figure out what the encrypted content is (your file sizes + upload pattern could be correlated with others’ patterns, especially if using something like Radarr/Sonarr. And no salt makes it that much easier). And since probably not everyone encrypts, they’ll know what the content is pretty easily. So them knowing the contents of the file + not being able to dedupe it would be pretty annoying on their end since all it does is raise their costs. I don’t want this GSuite + Plex party to end anytime soon, and I honestly think it would be better to not encrypt (with rclone) large media files that others are likely to have on gdrive/teamdrive.
That said, I wonder if FUSE file systems could be stacked easily. If yes, it would be better to stack rclone with something like CryFS. Would be a much more secure and private solution than rclone’s implementation currently offers.
cryfs could solve part of your puzzle.
It encrypts files locally, hiding contents, filenames and filesizes and mounts a decrypted folder in your fs.
The encrypted storage is file level based as opposed to block level based and it gets rid of the file structure and file size by chunking everything into same-sized chunks.
I can't recommend it yet, since I only found it today after some searching, but it looks like a promising solution.
The reasons I'm going to try it out are that almost all other per-file based encryption solutions seem to leak file sizes and/or directory structure or are closed source (Resilio), and the alternative of using network mounted block based storage and encrypting it with luks seems quite tedious to set up.
I use cryfs to keep sensitive data on Dropbox. So far it seems to work very well. I assume it would work well for a NAS as well. The decrypted mount is time limited so I do not have to remember to unmount it.
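The size-correlation risk raised in the rclone comment above, and the reason the chunking described two posts up avoids it, as an added example (not code from CryFS, rclone or any poster; the catalogue, the file sizes, the 16-byte per-file overhead and the block size are all constructed for the demo). It shows what a provider sees under per-file encryption versus fixed-size block storage, and runs the size-matching attack against both:

```python
"""What a storage provider learns from ciphertext sizes alone.

Added example for this thread, not code from CryFS, rclone or any poster.
Two layouts discussed above are contrasted:
  * per-file encryption: one ciphertext per plaintext file, its size being
    the plaintext size plus a small constant (assumed 16 bytes, following
    the rclone comment above);
  * fixed-size block storage (the CryFS approach): files and the directory
    tree are cut into equal-size blocks, so the provider sees only N blocks.
All sizes and the "known file" catalogue are constructed.
"""

PER_FILE_OVERHEAD = 16      # assumed constant ciphertext expansion per file
BLOCK_SIZE = 32 * 1024      # assumed block size; CryFS uses its own setting

# Constructed: plaintext sizes an observer might already hold (public
# torrent listings, other users' unencrypted uploads, and so on).
KNOWN_FILES = {
    "Movie.Title.2019.1080p.mkv": 4_293_171_200,
    "Some.Game.iso":              58_431_000_000,
    "Another.Movie.720p.mp4":     1_468_006_400,
}


def per_file_view(plain_sizes, overhead=PER_FILE_OVERHEAD):
    """Ciphertext sizes the provider sees under per-file encryption."""
    return [size + overhead for size in plain_sizes]


def fixed_block_view(plain_sizes, block_size=BLOCK_SIZE):
    """Under fixed-size block storage the provider sees a count of equal
    blocks: per-file sizes and the number of files are gone. The count still
    bounds the total volume of data, which is the remaining leak."""
    blocks = sum(-(-size // block_size) for size in plain_sizes)  # ceil
    return {"block_size": block_size, "block_count": blocks}


def match_by_size(ciphertext_size, catalogue, max_overhead=PER_FILE_OVERHEAD):
    """Catalogue entries whose plaintext size fits the ciphertext size once
    the bounded overhead is subtracted: the correlation the rclone comment
    describes, needing no key material at all."""
    return sorted(name for name, size in catalogue.items()
                  if 0 <= ciphertext_size - size <= max_overhead)


def identify_uploads(plain_sizes, catalogue=KNOWN_FILES):
    """Run the size-matching attack against a per-file encrypted upload.
    Returns, per uploaded file, the candidate names (empty if unknown)."""
    return [match_by_size(c, catalogue) for c in per_file_view(plain_sizes)]


def identify_blocks(block_view, catalogue=KNOWN_FILES):
    """The same attack against block storage: every block has the same size,
    so no entry matches an individual block and nothing is learned per file."""
    return match_by_size(block_view["block_size"], catalogue)


if __name__ == "__main__":
    # Constructed upload: two catalogue hits and one private document.
    uploads = [4_293_171_200, 1_204_331, 1_468_006_400]
    print("per-file sizes seen:", per_file_view(uploads))
    print("identified         :", identify_uploads(uploads))
    blocks = fixed_block_view(uploads)
    print("block storage seen :", blocks)
    print("identified         :", identify_blocks(blocks))
```

The matching window is only as wide as the overhead is predictable; a scheme that pads each file to a random length widens it, but padding to a fixed block size, as above, removes per-file sizes from the provider's view entirely. Upload timing and the number of objects written per sync are separate signals that this demo does not model.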
According to this answer if you use Dropbox then it will perform a binary diff on the volume and send what's been changed. You'd still need that initial 1.2 tb upload though! If you use something else though such as Google Drive, then your initial fear remains - the whole volume would need to be uploaded.
If you want to play it safe and stick to multiple files for easier syncing - you can also have a look at cryfs which does allow for split files. They've also got a comparison page which is of course in favor of cryfs but also talks about encfs and ecryptfs which are similar.
No, just went through the steps in the tutorial here https://www.cryfs.org/tutorial
The only thing that threw me off was when you delete a file from the folder, the encrypted folder wouldn't change. Same amount of files, and folder size. Figured out if you want to really get rid of the files, you have to empty the trash bin.
I was going to have a play with CryFS, https://www.cryfs.org/comparison as, like you, the storage limits on ACD make it interesting for a number of things but I don't really like the idea of the data sitting on someone else's cloud unencrypted.
Need to build a VM first though as the machine I'd want to mount from is only a container and would have issues with FUSE
take a look at CryFS with SiriKali as CryFS-Gui or CrococryptMirror