Jakob Unterwurzacher 1caa925868 Increase GCM IV size from 96 to 128 bits
This pushes back the birthday bound for collisions to make it virtually
irrelevant.
2015-12-19 15:02:29 +01:00

1.5 KiB

GoCryptFS Security

Master Key Storage

The master key is used to perform content and file name encryption. It is stored in gocryptfs.conf, encrypted with AES-256-GCM using the Key Encryption Key (KEK).

The KEK is generated from the user password using scrypt.

File Contents

All file contents are encrypted using AES-256-GCM (Galois/Counter Mode).

Files are segmented into 4KB blocks. Each block gets a fresh random 128 bit IV each time it is modified. A 128-bit authentication tag (GHASH) protects each block from modifications.

Each file has a header containing a random 128-bit file ID. The file ID and the block number are mixed into the GHASH as additional authenticated data. The prevents blocks from being copied between or within files.

To support sparse files, all-zero blocks are accepted and passed through unchanged.

File Names

Every directory gets a 128-bit directory IV that is stored in each directory as gocryptfs.diriv.

File names are encrypted using AES-256-EME (ECB-Mix-ECB wide-block encryption, see https://github.com/rfjakob/eme for details) with the directory IV as initialization vector. EME fixes the prefix leak that occours with CBC encryption.

The Base64 encoding limits the usable filename length to 176 characters.