diff --git a/Documentation/SECURITY.md b/Documentation/SECURITY.md index 003eadb..dff2fab 100644 --- a/Documentation/SECURITY.md +++ b/Documentation/SECURITY.md @@ -15,7 +15,7 @@ The KEK is generated from the user password using `scrypt`. File Contents ------------- -All file contents are encrypted using AES-256-GCM. +All file contents are encrypted using AES-256-GCM (Galois/Counter Mode). Files are segmented into 4KB blocks. Each block gets a fresh random 96 bit IV each time it is modified. A 128-bit authentication tag (GHASH) @@ -37,8 +37,11 @@ File Names Every directory gets a 128-bit directory IV that is stored in each directory as `gocryptfs.diriv`. -File names are encrypted using AES-256-CBC with the directory IV as -initialization vector. The Base64 encoding limits the usable filename length -to 176 characters. +File names are encrypted using AES-256-EME (ECB-Mix-ECB wide-block encryption, +see https://github.com/rfjakob/eme for details) with the directory IV +as initialization vector. EME fixes the prefix leak that occours with CBC +encryption. ![](https://rawgit.com/rfjakob/gocryptfs/master/Documentation/file-name-encryption.svg) + +The Base64 encoding limits the usable filename length to 176 characters. diff --git a/Documentation/file-name-encryption.svg b/Documentation/file-name-encryption.svg index 4093f24..45222e2 100644 --- a/Documentation/file-name-encryption.svg +++ b/Documentation/file-name-encryption.svg @@ -149,9 +149,9 @@ borderopacity="1.0" inkscape:pageopacity="0.0" inkscape:pageshadow="2" - inkscape:zoom="1.979899" - inkscape:cx="299.54034" - inkscape:cy="65.144047" + inkscape:zoom="2.8" + inkscape:cx="290.22759" + inkscape:cy="52.741737" inkscape:document-units="px" inkscape:current-layer="layer1" showgrid="true" @@ -186,7 +186,7 @@ image/svg+xml - + 
@@ -267,7 +267,7 @@ id="tspan4157-3-0-7-6-8" x="316.79153" y="309.39807" - style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:15.00342369px;font-family:sans-serif;-inkscape-font-specification:sans-serif;letter-spacing:0px">AES-256-CBC + style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:15.00342369px;font-family:sans-serif;-inkscape-font-specification:sans-serif;letter-spacing:0px">AES-256-EME IV /dev/null -RM: rm -rf linux-3.0 +LS: ls -lR linux-3.0 > /dev/null +RM: rm -Rf linux-3.0 VERSION UNTAR LS RM v0.4 48 1.5 5 v0.5-rc1 56 7 19 v0.5-rc1-1 54 4.1 9 -v0.5-rc1-2 45 1.7 3.4 +v0.5-rc1-2 45 1.7 3.4 +v0.6 47 1.8 4.3 diff --git a/README.md b/README.md index 4f48383..668da6b 100644 --- a/README.md +++ b/README.md @@ -6,10 +6,10 @@ gocryptfs is built on top the excellent [go-fuse](https://github.com/hanwen/go-fuse) FUSE library and its LoopbackFileSystem API. -This project was inspired by [EncFS](https://github.com/vgough/encfs) -and strives to fix its security issues (see EncFS tickets 9, 13, 14, 16). +This project was inspired by EncFS and strives to fix its security +issues while providing good performance. For details on the security of gocryptfs see the -[SECURITY.md](Documentation/SECURITY.md) document. +[SECURITY.md](Documentation/SECURITY.md) design document. Current Status -------------- 
@@ -97,6 +97,17 @@ The output should look like this: Changelog --------- +v0.6 +* **Wide-block filename encryption using EME + DirIV** + * EME (ECB-Mix-ECB) provides even better security than CBC as it fixes + the prefix leak. The used Go EME implementation is + https://github.com/rfjakob/eme which is, as far as I know, the first + implementation of EME in Go. + * This is a forwards-compatible change. gocryptfs v0.5 can mount filesystems + created by earlier version but not the other way round. +* New command-line option: + * `-emenames`: Enable EME filename encryption (default true) + v0.5 * **Stronger filename encryption: DirIV** * Each directory gets a random 128 bit file name IV on creation,
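Review bot: typo in the added File Names paragraph of Documentation/SECURITY.md (hunk at -37,8): "occours" should be "occurs". The same paragraph names "the prefix leak" without saying what leaks; one sentence describing what a CBC-encrypted file name exposes would let the design document stand on its own instead of depending on the linked repository.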
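Review bot: the `inkscape:zoom`, `inkscape:cx` and `inkscape:cy` changes in Documentation/file-name-encryption.svg (hunk at -149,9) are editor view state and have nothing to do with the AES-256-CBC to AES-256-EME label change at -267,7. Drop them from the commit so the diff for the diagram shows only the label change.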
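Review bot: the README.md intro hunk at -6,10 removes both the EncFS link and the reference to "EncFS tickets 9, 13, 14, 16", so "its security issues" no longer points at anything a reader can check. Keep the link and ticket numbers here, or move them into SECURITY.md, which the next sentence already sends readers to.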
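Review bot: the compatibility sentence in the new v0.6 changelog entry (README.md hunk at -97,6) names the wrong release: "gocryptfs v0.5 can mount filesystems created by earlier version" sits under the v0.6 heading and describes the EME change, so it should presumably read v0.6 (and "earlier versions"). The behaviour it describes, a newer release mounting older filesystems but not the reverse, is normally called backwards compatibility, so "forwards-compatible" is likely to mislead. The `-emenames` line gives "(default true)" but not how to switch it off or whether filesystems created before v0.6 keep their existing filename encryption when mounted; say so here, since that decides whether an upgrade changes the on-disk names.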