Re-design of the original gocryptfs code to work as a library.
3a2610a141
This fixes relative symlinks: $ tar xf linux-4.2.tar.gz tar: linux-4.2/tools/testing/selftests/powerpc/vphn/vphn.h: Cannot utime: No such file or directory tar: linux-4.2/tools/testing/selftests/powerpc/vphn/vphn.c: Cannot utime: No such file or directory tar: linux-4.2/tools/testing/selftests/powerpc/stringloops/memcmp_64.S: Cannot utime: No such file or directory tar: linux-4.2/tools/testing/selftests/powerpc/primitives/word-at-a-time.h: Cannot utime: No such file or directory tar: linux-4.2/tools/testing/selftests/powerpc/primitives/asm/asm-compat.h: Cannot utime: No such file or directory tar: linux-4.2/tools/testing/selftests/powerpc/copyloops/memcpy_power7.S: Cannot utime: No such file or directory tar: linux-4.2/tools/testing/selftests/powerpc/copyloops/memcpy_64.S: Cannot utime: No such file or directory tar: linux-4.2/tools/testing/selftests/powerpc/copyloops/copyuser_power7.S: Cannot utime: No such file or directory tar: linux-4.2/tools/testing/selftests/powerpc/copyloops/copyuser_64.S: Cannot utime: No such file or directory tar: linux-4.2/arch/powerpc/boot/dts/include/dt-bindings: Cannot utime: No such file or directory tar: linux-4.2/arch/mips/boot/dts/include/dt-bindings: Cannot utime: No such file or directory tar: linux-4.2/arch/metag/boot/dts/include/dt-bindings: Cannot utime: No such file or directory tar: linux-4.2/arch/arm64/boot/dts/include/dt-bindings: Cannot utime: No such file or directory tar: linux-4.2/arch/arm/boot/dts/include/dt-bindings: Cannot utime: No such file or directory tar: Exiting with failure status due to previous errors |
||
---|---|---|
cluefs_frontend | ||
cryptfs | ||
openssl_benchmark | ||
pathfs_frontend | ||
.gitignore | ||
main_benchmark.bash | ||
main_test.go | ||
main.go | ||
README.md |
GoCryptFS
A minimal encrypted overlay filesystem written in Go.
Inspired by EncFS.
GoCryptFS at the moment has two FUSE frontends:
- The go-fuse FUSE library using its LoopbackFileSystem API
- The FUSE library bazil.org/fuse plus the ClueFS loopback filesystem
A frontend is selected on compile-time by setting USE_CLUEFS
to true or false
(default false).
Once I decide that one works better for GoCryptFS, the other one
will go away.
Design
- Authenticated encryption of file contents using AES-GCM-128
- Because GCM handles blocks of arbitrary size, there is no special handling for the last file block
- 4096 byte blocks per default
- 28 bytes of overhead per block (16 bytes auth tag, 12 byte nonce)
- uses openssl through spacemonkeygo/openssl
for a 3x speedup compared to
crypto/cipher
(see go-vs-openssl.md) for details - Per-write unique 96 bit nonces
- starts from a random value (generated at mount time) and counts up
- Flename encryption using AES-CBC-128
- Padded to 16-byte blocks acc. to RFC5652 section 6.3
- base64 encoded acc. to RFC4648 section 5
Current Status
Not ready for anything but testing and debugging
- File and directory creation and deletion works
- Thread-safe nonce generation works
- Filename and content encryption works
- Key is set to static all-zero
- Reading and writing works
- Streaming performance is already reasonable
- But we should be able to get another 50% speedup
- Symlinks and hard links not yet implemented
- Memory usage is insane
Install
go get github.com/rfjakob/gocryptfs
Testing
Run ./main_benchmark.bash
to run the test suite and the streaming read/write
benchmark.
The output should look like this:
$ ./main_benchmark.bash
+ go build
+ go test -bench=.
PASS
BenchmarkStreamWrite 100 14062281 ns/op 74.57 MB/s
BenchmarkStreamRead 100 11267741 ns/op 93.06 MB/s
ok github.com/rfjakob/gocryptfs 7.569s