GoCryptFS [![Build Status](https://travis-ci.org/rfjakob/gocryptfs.svg?branch=master)](https://travis-ci.org/rfjakob/gocryptfs)
==============

An encrypted overlay filesystem written in Go.

gocryptfs is built on top of the excellent
[go-fuse](https://github.com/hanwen/go-fuse) FUSE library and its
LoopbackFileSystem API.

This project was inspired by [EncFS](https://github.com/vgough/encfs)
and strives to fix its security issues (see EncFS tickets 9, 13, 14, 16).
For details on the security of gocryptfs see the
[SECURITY.md](SECURITY.md) document.

Current Status
--------------
* Feature-complete and working
* Passes the fuse-xfstests "generic" tests with one exception, results: [XFSTESTS.md](XFSTESTS.md)
  * A lot of work has gone into this. The testing has found bugs in gocryptfs
    as well as in go-fuse.
  * The one exception is generic/035. This is a limitation in go-fuse;
    see https://github.com/hanwen/go-fuse/issues/55 for details.
* However, gocryptfs needs more real-world testing - please report any issues via GitHub.
* Only Linux operation has been tested. Help wanted for Mac OS X verification.

Install
-------
```
$ go get github.com/rfjakob/gocryptfs
```

Use
---
```
$ mkdir cipher plain
$ $GOPATH/bin/gocryptfs --init cipher
  [...]
$ $GOPATH/bin/gocryptfs cipher plain
  [...]
$ echo test > plain/test.txt
$ ls -l cipher
  total 8
  -rw-rw-r--. 1 user user  33  7. Okt 23:23 0ao8Hyyf1A-A88sfNvkUxA==
  -rw-rw-r--. 1 user user 233  7. Okt 23:23 gocryptfs.conf
$ fusermount -u plain
```

Storage Overhead
----------------
* Empty files take 0 bytes on disk
* 18 byte file header for non-empty files (2 bytes version, 16 bytes random file id)
* 28 bytes of storage overhead per 4kB block (12 byte nonce, 16 bytes auth tag)
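
The 12-byte nonce and 16-byte tag listed above are the standard AES-GCM sizes. The following is an added example, not gocryptfs code: it seals one block as nonce || ciphertext || tag and binds it to a file id and block number through the additional data, so a block copied into another file or to another offset fails authentication. The field order, the additional-data construction, the names `newGCM`, `aad`, `SealBlock` and `OpenBlock`, the file ids and the all-zero key are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

func newGCM(key []byte) cipher.AEAD {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(c)
	if err != nil {
		panic(err)
	}
	return gcm
}

// aad ties a block to its index and file id (assumed construction).
func aad(no uint64, fileID []byte) []byte {
	return append(binary.BigEndian.AppendUint64(nil, no), fileID...)
}

// SealBlock returns nonce (12) || ciphertext || tag (16) for one block.
func SealBlock(gcm cipher.AEAD, fileID []byte, no uint64, plain []byte) []byte {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plain, aad(no, fileID))
}

// OpenBlock decrypts a block only if it was sealed for (fileID, no).
func OpenBlock(gcm cipher.AEAD, fileID []byte, no uint64, disk []byte) ([]byte, error) {
	if len(disk) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("block %d: truncated", no)
	}
	return gcm.Open(nil, disk[:gcm.NonceSize()], disk[gcm.NonceSize():], aad(no, fileID))
}

func main() {
	gcm := newGCM(make([]byte, 32)) // constructed all-zero demo key
	blk := SealBlock(gcm, []byte("constructed-id-A"), 0, []byte("test\n"))
	fmt.Println(len(blk)) // 5 plaintext bytes + 12 + 16
	fmt.Println(OpenBlock(gcm, []byte("constructed-id-B"), 0, blk))
}
```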

Performance
-----------

* Uses openssl through [spacemonkeygo/openssl](https://github.com/spacemonkeygo/openssl)
  for a 3x speedup compared to `crypto/cipher` (see [go-vs-openssl.md](openssl_benchmark/go-vs-openssl.md) for details)

Run `./benchmark.bash` to run the test suite and the streaming read/write
benchmark. The benchmark is run twice, first with native Go crypto and
second using openssl.

The output should look like this:

```
$ ./benchmark.bash
[...]
BenchmarkStreamWrite    100    11816665 ns/op     88.74 MB/s
BenchmarkStreamRead     200     7848155 ns/op    133.61 MB/s
ok    github.com/rfjakob/gocryptfs    9.407s
```

Changelog
---------
v0.3 (in progress)
* Add file header that contains a random id to authenticate blocks
  * This is an on-disk-format change

v0.2
* Replace bash daemonization wrapper with native Go implementation
* Better user feedback on mount failures

v0.1
* First release

See https://github.com/rfjakob/gocryptfs/releases for the release dates
and associated tags.