
EncFS Security Audit - ghubbard
https://defuse.ca/audits/encfs.htm
======
mmmooo
> This report is the result of a paid 10-hour security audit

In just 10 hours? If really so color me impressed. I don't think I've been so
productive in 10 hours, ever.

~~~
perlgeek
FWIW it looks to me like this mostly isn't a code review, more of a conceptual
review of how stuff is done and stored.

I can imagine that's way faster than doing a thorough code review, though the
number of results from 10 hours is still very impressive.

~~~
mmmooo
Some of it must have required at least some level of code review (e.g.
(MACFileIO.cpp, Line 209)). Even so, between the review, and the writeup, etc,
if the total 'billed hours' is really ~10, the rather large hourly rates I've
seen for such audits do appear much more appetising, at least to me.

~~~
tjaerv
For the particular reviewer who did this work, anyhow.

------
mrpdaemon
Leaking the file size (Issue 2.2) is due to the way EncFS is architected to
work at a file granularity. Adding some random bytes or rounding up to the
next block size are small improvements but still leak approximate file size. I
don't think anyone would like their 5KB file to occupy 2GB on disk so EncFS
sacrifices some level of privacy for practicality. On the flip side this
design tradeoff allows EncFS to be used somewhat effectively on top of cloud
storage services like Dropbox/GoogleDrive etc. whereas full disk encryption
schemes don't work as well.

~~~
klodolph
Issue 2.2 has nothing to do with leaking the file size. It has to do with the
encryption algorithm used.

Most modern encryption schemes operate on blocks of a certain fixed size, but
if the file isn't a multiple of the block size, you have to do something
special with the last block. EncFS apparently uses some made-up scheme for
this, instead of using something more standard and well-understood. The common
choices would be padding and ciphertext stealing.

[http://en.wikipedia.org/wiki/Ciphertext_stealing](http://en.wikipedia.org/wiki/Ciphertext_stealing)

------
albinoloverats
Nice to see this kind of report, even if the conclusion is rather damning.

And it seems to suggest that using it with (something like) Dropbox is a bad
idea too:

> EncFS is not safe if the adversary has the opportunity to see two or more
> snapshots of the ciphertext at different times.

~~~
mysteriousllama
Boxcrypter uses EncFS. Combined with the vulnerabilities discussed in this
audit, this is pretty bad.

~~~
icebraining
_Boxcrypter uses EncFS._

Not anymore: [https://forums.boxcryptor.com/topic/opening-linux-encfs-
encr...](https://forums.boxcryptor.com/topic/opening-linux-encfs-encrypted-
folder-with-boxcryptor-what-are-the-settings-for-bcencfs-to-do-so#post-5164)

~~~
nieve
Is the current, non-EncFS compatible version open source for the crypto
components or audited by anyone reputable? If not we don't necessarily have
any reason to believe it's safer.

~~~
tjaerv
Indeed, a priori one would have to assume it less secure than an open-source
implementation that has been reviewed by experts. "We built our own" merely
amounts to security through obscurity.

------
akerl_
Does anybody have suggestions for an alternate tool? Preferably one that also
encrypts at the file level so that it plays nice with Dropbox and similar
services (while obviously providing more security).

~~~
nabla9
I use Truerypt and Dropbox. They play well together.

ps. I have repeatedly encountered people who falsely assume that Truecrypt
does not allow incremental backups with Dropbox. The thinking behind this
seems to be assumption cipher-block chaining (CBC) is used. Truecrypt uses XTS
mode.

~~~
mike-cardwell
Does Truecrypt sync changes when a file inside the container is changed, or
when the container its self is unmounted? I seem to recall having issues with
this a few years ago when I tried it out. Probably something to do with
Truecrypt maintaining a filesystem lock or something?

Needless to say, with encfs on Dropbox, files are synced as soon as they are
changed.

~~~
huhtenberg
TC containers are not accessible while mounted.

~~~
mike-cardwell
Thought so. Truecrypt is no use for me then. I need something that will sync
changes as they happen, or at least shortly afterwards. I don't want to have
to unmount and remount my Truecrypt container once an hour or whatever to sync
changes.

~~~
icebraining
Assuming the size of the files isn't that big, you could always keep an
unencrypted copy that you actually work on, and then periodically a script
would mount the container, rsync the unencrypted directory to it, and unmount
it so it can be synced.

Sure the unencrypted copy would be exposed, but not to any process that
couldn't already access the mounted directory, as far as I can see.

~~~
huhtenberg
No, no. A proper setup is like this -

    
    
      1. Keep TC container in a non-shared location on local disk
      2. Mount it, keep it mounted
      3. Periodically backup this location to your Dropbox folder
    
      Now, the trick is to use backup software that is capable of
      (a) shadow copying
      (b) incremental file updates
    
      Shadow copying works around .tc file being locked.
      Incremental updating keeps things quick.
    

The only Windows software I know that is capable of this is Bvckup 2 -
[http://bvckup2.com](http://bvckup2.com)

(I posted this earlier, but then deleted the post as it read kind of spammy.
But this is _the_ way to handle TC container backup, so here it is again. And
that's one gem of a backup program too, totally worth a plug).

~~~
mike-cardwell
Then you end up with duplicate local copies of your entire container. Seems
very wasteful to me... Especially as TrueCrypt forces you to pre-allocate all
the space that you think you'll need.

------
fluidcruft
Followup eCryptFS audit:

[https://defuse.ca/audits/ecryptfs.htm](https://defuse.ca/audits/ecryptfs.htm)

~~~
fulafel
Contradictory docs, ECB in filename encryption, sounds like nobody has even
looked at this before... though maybe it doesn't have that many safe
applications even from conceptual PoV, since all metadata is leaked.

------
ghubbard
What is the current state of EncFS development? The last official release
seems to have been in November 2010. Are any of the issues raised by this
audit being addressed?

------
SEJeff
Moral of the story... Use LUKS.

~~~
onli
How? EncFS is mainly used, at least by me, to store the encrypted files in
Dropbox/X while working on the decrypted ones in parallel. Does LUKS support
that? The Arch table linked above doesn't make it sound like that.

