libgocryptfs/Documentation/SECURITY.md

GoCryptFS Security
==================

Master Key Storage
------------------

The master key is used to perform content and file name encryption.
It is stored in `gocryptfs.conf`, encrypted with AES-256-GCM using the
Key Encryption Key (KEK).

The KEK is generated from the user password using `scrypt`.

![](https://rawgit.com/rfjakob/gocryptfs/master/Documentation/master-key.svg)

File Contents
-------------

All file contents are encrypted using AES-256-GCM.

Files are segmented into 4KB blocks. Each block gets a fresh random
96 bit IV each time it is modified. A 128-bit authentication tag (GHASH)
protects each block from modifications.

Each file has a header containing a random 128-bit file ID. The
file ID and the block number are mixed into the GHASH as
*additional authenticated data*. The prevents blocks from being copied
between or within files.

![](https://rawgit.com/rfjakob/gocryptfs/master/Documentation/file-content-encryption.svg)

To support sparse files, all-zero blocks are accepted and passed through
unchanged.

File Names
----------

Every directory gets a 128-bit directory IV that is stored in each
directory as `gocryptfs.diriv`.

File names are encrypted using AES-256-CBC with the directory IV as
initialization vector. The Base64 encoding limits the usable filename length
to 176 characters.

![](https://rawgit.com/rfjakob/gocryptfs/master/Documentation/file-name-encryption.svg)
Split off SECURITY.md 2015-10-06 23:20:21 +02:00			`GoCryptFS Security`
			`==================`

Cut down the text in SECURITY.md, add graphs 2015-12-01 23:02:12 +01:00			`Master Key Storage`
			`------------------`
Split off SECURITY.md 2015-10-06 23:20:21 +02:00
Cut down the text in SECURITY.md, add graphs 2015-12-01 23:02:12 +01:00			`The master key is used to perform content and file name encryption.`
			It is stored in `gocryptfs.conf`, encrypted with AES-256-GCM using the
			`Key Encryption Key (KEK).`
Split off SECURITY.md 2015-10-06 23:20:21 +02:00
Cut down the text in SECURITY.md, add graphs 2015-12-01 23:02:12 +01:00			The KEK is generated from the user password using `scrypt`.
Split off SECURITY.md 2015-10-06 23:20:21 +02:00
Cut down the text in SECURITY.md, add graphs 2015-12-01 23:02:12 +01:00			`![](https://rawgit.com/rfjakob/gocryptfs/master/Documentation/master-key.svg)`
Split off SECURITY.md 2015-10-06 23:20:21 +02:00
Cut down the text in SECURITY.md, add graphs 2015-12-01 23:02:12 +01:00			`File Contents`
			`-------------`
Split off SECURITY.md 2015-10-06 23:20:21 +02:00
Cut down the text in SECURITY.md, add graphs 2015-12-01 23:02:12 +01:00			`All file contents are encrypted using AES-256-GCM.`
Split off SECURITY.md 2015-10-06 23:20:21 +02:00
Cut down the text in SECURITY.md, add graphs 2015-12-01 23:02:12 +01:00			`Files are segmented into 4KB blocks. Each block gets a fresh random`
			`96 bit IV each time it is modified. A 128-bit authentication tag (GHASH)`
			`protects each block from modifications.`
Split off SECURITY.md 2015-10-06 23:20:21 +02:00
Cut down the text in SECURITY.md, add graphs 2015-12-01 23:02:12 +01:00			`Each file has a header containing a random 128-bit file ID. The`
			`file ID and the block number are mixed into the GHASH as`
			`additional authenticated data. The prevents blocks from being copied`
			`between or within files.`
Split off SECURITY.md 2015-10-06 23:20:21 +02:00
Cut down the text in SECURITY.md, add graphs 2015-12-01 23:02:12 +01:00			`![](https://rawgit.com/rfjakob/gocryptfs/master/Documentation/file-content-encryption.svg)`
Split off SECURITY.md 2015-10-06 23:20:21 +02:00
Cut down the text in SECURITY.md, add graphs 2015-12-01 23:02:12 +01:00			`To support sparse files, all-zero blocks are accepted and passed through`
			`unchanged.`
Split off SECURITY.md 2015-10-06 23:20:21 +02:00
Cut down the text in SECURITY.md, add graphs 2015-12-01 23:02:12 +01:00			`File Names`
			`----------`
Split off SECURITY.md 2015-10-06 23:20:21 +02:00
Cut down the text in SECURITY.md, add graphs 2015-12-01 23:02:12 +01:00			`Every directory gets a 128-bit directory IV that is stored in each`
			directory as `gocryptfs.diriv`.
Split off SECURITY.md 2015-10-06 23:20:21 +02:00
Show base64 encoding in filename encryption svg 2015-12-04 22:26:50 +01:00			`File names are encrypted using AES-256-CBC with the directory IV as`
			`initialization vector. The Base64 encoding limits the usable filename length`
			`to 176 characters.`
Split off SECURITY.md 2015-10-06 23:20:21 +02:00
Cut down the text in SECURITY.md, add graphs 2015-12-01 23:02:12 +01:00			`![](https://rawgit.com/rfjakob/gocryptfs/master/Documentation/file-name-encryption.svg)`