Re-design of the original gocryptfs code to work as a library.
Jakob Unterwurzacher 3a2610a141 symlink encryption: pass ".." and "." through unchanged
This fixes relative symlinks:

$ tar xf linux-4.2.tar.gz
tar: linux-4.2/tools/testing/selftests/powerpc/vphn/vphn.h: Cannot utime: No such file or directory
tar: linux-4.2/tools/testing/selftests/powerpc/vphn/vphn.c: Cannot utime: No such file or directory
tar: linux-4.2/tools/testing/selftests/powerpc/stringloops/memcmp_64.S: Cannot utime: No such file or directory
tar: linux-4.2/tools/testing/selftests/powerpc/primitives/word-at-a-time.h: Cannot utime: No such file or directory
tar: linux-4.2/tools/testing/selftests/powerpc/primitives/asm/asm-compat.h: Cannot utime: No such file or directory
tar: linux-4.2/tools/testing/selftests/powerpc/copyloops/memcpy_power7.S: Cannot utime: No such file or directory
tar: linux-4.2/tools/testing/selftests/powerpc/copyloops/memcpy_64.S: Cannot utime: No such file or directory
tar: linux-4.2/tools/testing/selftests/powerpc/copyloops/copyuser_power7.S: Cannot utime: No such file or directory
tar: linux-4.2/tools/testing/selftests/powerpc/copyloops/copyuser_64.S: Cannot utime: No such file or directory
tar: linux-4.2/arch/powerpc/boot/dts/include/dt-bindings: Cannot utime: No such file or directory
tar: linux-4.2/arch/mips/boot/dts/include/dt-bindings: Cannot utime: No such file or directory
tar: linux-4.2/arch/metag/boot/dts/include/dt-bindings: Cannot utime: No such file or directory
tar: linux-4.2/arch/arm64/boot/dts/include/dt-bindings: Cannot utime: No such file or directory
tar: linux-4.2/arch/arm/boot/dts/include/dt-bindings: Cannot utime: No such file or directory
tar: Exiting with failure status due to previous errors
2015-09-16 18:43:07 +02:00
cluefs_frontend Encrypt key with scrypt-hashed password 2015-09-13 22:09:38 +02:00
cryptfs symlink encryption: pass ".." and "." through unchanged 2015-09-16 18:43:07 +02:00
openssl_benchmark readme: link to go-vs-openssl.md 2015-09-06 13:13:47 +02:00
pathfs_frontend Don't warn about "gocryptfs.conf" in the ciphertext root dir 2015-09-13 22:09:48 +02:00
.gitignore Add pathfs frontend (uses go-fuse instead of bazil-fuse), part I 2015-09-08 00:55:03 +02:00
main_benchmark.bash Add streaming read and write benchmarks 2015-09-06 11:42:01 +02:00
main_test.go Add "--zerokey" option to simplify testing and benchmarking 2015-09-15 23:59:57 +02:00
main.go Add "--zerokey" option to simplify testing and benchmarking 2015-09-15 23:59:57 +02:00
README.md Explain both frontends in readme 2015-09-08 23:09:28 +02:00

GoCryptFS

A minimal encrypted overlay filesystem written in Go.

Inspired by EncFS.

GoCryptFS at the moment has two FUSE frontends, cluefs_frontend and pathfs_frontend (see the directories of the same name above).

A frontend is selected at compile time by setting USE_CLUEFS to true or false (default false). Once I decide which one works better for GoCryptFS, the other one will go away.

Design

  • Authenticated encryption of file contents using AES-GCM-128
    • Because GCM handles blocks of arbitrary size, there is no special handling for the last file block
    • 4096-byte blocks by default
    • 28 bytes of overhead per block (16-byte auth tag, 12-byte nonce)
    • Uses openssl through spacemonkeygo/openssl for a 3x speedup compared to crypto/cipher (see go-vs-openssl.md for details)
  • Per-write unique 96-bit nonces
    • Starts from a random value (generated at mount time) and counts up
  • Filename encryption using AES-CBC-128
    • Padded to 16-byte blocks according to RFC 5652 section 6.3
    • base64 encoded according to RFC 4648 section 5
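The file-content block format described above, as an added Go example that is not code from the gocryptfs repository: each block is stored as nonce || ciphertext || tag under AES-128-GCM, the per-write nonce starts from a random value and counts up, and the GCM tag check rejects any modified block. The type and function names (nonceCounter, encryptBlock, decryptBlock) are my own, and the all-zero key mirrors the static all-zero key noted under Current Status.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Sizes from the Design section: 12-byte nonce plus 16-byte tag = 28 bytes of overhead.
const nonceLen, tagLen = 12, 16

// nonceCounter is the per-write nonce: a random start value that counts up.
type nonceCounter [nonceLen]byte

// next increments the low 64 bits (big-endian) and returns a copy for this write.
func (n *nonceCounter) next() []byte {
	low := n[nonceLen-8:]
	binary.BigEndian.PutUint64(low, binary.BigEndian.Uint64(low)+1)
	return append([]byte(nil), n[:]...)
}

// encryptBlock seals one file block as nonce || ciphertext || tag. GCM accepts
// any plaintext length, so a short final block needs no special case.
func encryptBlock(gcm cipher.AEAD, n *nonceCounter, plain []byte) []byte {
	nonce := n.next()
	out := make([]byte, 0, nonceLen+len(plain)+tagLen)
	return gcm.Seal(append(out, nonce...), nonce, plain, nil)
}

// decryptBlock splits off the nonce; any modified byte fails the tag check.
func decryptBlock(gcm cipher.AEAD, ct []byte) ([]byte, error) {
	if len(ct) < nonceLen+tagLen {
		return nil, fmt.Errorf("ciphertext block too short: %d bytes", len(ct))
	}
	return gcm.Open(nil, ct[:nonceLen], ct[nonceLen:], nil)
}

func main() {
	b, err := aes.NewCipher(make([]byte, 16)) // all-zero AES-128 key, like the --zerokey option
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(b) // cannot fail for a 16-byte-block cipher such as AES
	var n nonceCounter
	rand.Read(n[:]) // random start value, drawn once at mount time; never fails on current Go
	fmt.Println("bytes on disk per 4096-byte block:", len(encryptBlock(gcm, &n, make([]byte, 4096))))
}
```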

Current Status

Not ready for anything but testing and debugging

  • File and directory creation and deletion works
  • Thread-safe nonce generation works
  • Filename and content encryption works
    • Key is set to static all-zero
  • Reading and writing works
  • Streaming performance is already reasonable
    • But we should be able to get another 50% speedup
  • Symlinks and hard links not yet implemented
  • Memory usage is insane

Install

go get github.com/rfjakob/gocryptfs

Testing

Run ./main_benchmark.bash to run the test suite and the streaming read/write benchmark.

The output should look like this:

$ ./main_benchmark.bash
+ go build
+ go test -bench=.
PASS
BenchmarkStreamWrite	     100	  14062281 ns/op	  74.57 MB/s
BenchmarkStreamRead 	     100	  11267741 ns/op	  93.06 MB/s
ok  	github.com/rfjakob/gocryptfs	7.569s