
ECryptfs Security Audit - SaintSal
https://defuse.ca/audits/ecryptfs.htm
======
hadoukenio
I chose eryptfs over TrueCrypt because I wasn't happy with using encryption
software written by an anonymous developer. Was this a naive decision or do
others feel the same?

The audit linked says that it ecryptfs might not have been designed/written by
a cryptographer. What would people recommend these days seeing as TrueCrypt is
likely to be compromised and ecryptfs might not be as secure as it could be?

~~~
tptacek
EcryptFS and Truecrypt are very different systems.

Truecrypt is simulated hardware encryption. It creates a virtual encrypted
hard disk, which your operating system can more or less treat like an ordinary
hard disk, but for the kernel hooks Truecrypt adds to lock and unlock the
disk.

EcryptFS is an encrypted filesystem. Unlike Truecrypt, which encrypts
individual disk blocks, systems like EcryptFS encrypt and decrypt whole files.

All else being equal, you'd prefer an encrypted filesystem to a simulated
encrypted hard disk. Some of the reasons are technical: the crypto involved in
encrypting a block device is crappier than the crypto involved in protecting a
file (most notably, block crypto is typically not authenticated). But at a
higher level, the reason is that you'd like your cryptosystem to have as much
information to work with as possible, and one nice bit of information for it
to have is where files begin and end.

All things are not equal though, and to select EcryptFS over Truecrypt, you
also have to select EcryptFS's design and implementation over Truecrypt's.
Truecrypt's design is simple and has been looked at more carefully than
EcryptFS's. On the other hand, Truecrypt is an XTS cryptosystem, which isn't
great. I would have a hard time making a recommendation between the two.

It's more important that you understand the limitations of transparent disk
encryption. Unless you are pretty regularly telling your crypto software that
it's OK to unlock a given file or disk or whatever, then it's probably "always
on", and your keys are always resident in memory, and your files are more or
less always exposed to malware. Malware is a much scarier threat (for most
people) than police raids.

If you're interested: we work in a pretty high-risk environment (we handle a
lot of hazmat). Our general crypto regime at Matasano is:

* Everyone uses Filevault2's native XTS disk encryption (along with some fiddly rules for what state your machine needs to be in if it's in your bag).

* Everyone uses OS X encrypted DMGs (I don't remember what the block crypto design for DMGs is, but you can check out John the Ripper if you're curious) to isolate different projects; we audit machines to make sure keys aren't in the keyring.

* Everyone uses PGP for email and to encrypt specific files.

If this sounds like a pain in the ass, be aware that this is pretty close to
the minimum viable amount of security you can be providing a mobile device; if
you're skipping one of these steps, you should know why.

~~~
wyager
>All else being equal, you'd prefer an encrypted filesystem to a simulated
encrypted hard disk.

I disagree for these reasons:

1\. This decreases composability. With encrypted filesystems, I can't mix and
match filesystems and cryptosystems to suit my needs. There is no reason they
need to be convolved.

2\. This increases complexity. Now, the person writing the software has to be
an expert in both filesystems and cryptosystems if they want to do a good job.
There is more room for error. (You might say it violates the UNIX philosophy
of "do one thing and do it well".)

3\. This leaks information to an attacker. They know the layout of my files
even without my password. I'm more comfortable with absolutely everything
looking like a giant monolithic block of random data.

~~~
tptacek
There's nothing I can say in response to this comment that I haven't already
said upthread and here:

[http://sockpuppet.org/blog/2014/04/30/you-dont-want-
xts/](http://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/)

~~~
wyager
Thanks for the link. Those are some very valid points.

~~~
tptacek
Of course, there's some validity to the "composability" point, which is why we
use both full-disk encryption _and_ encryption at the filesystem layer. I
don't think enabling full-disk encryption is a bad thing. Having full-disk
encryption is what allows me not to panic if I leave my laptop in the unlocked
back seat of my car; I don't have to worry about what state the filesystem was
in, because the whole disk is locked.

------
dobbsbob
This is an example of what you can do with eCryptfs and Overlayfs.
[http://www.onarlioglu.com/privexec/](http://www.onarlioglu.com/privexec/)

