EncFs insecure, what to use now
Solution 1
In 2019, CryFS and gocryptfs are the best candidates in my opinion. Both were designed for the Cloud, are actively developed, and have no known security issues.
Their design differs, which has pros and cons:
CryFs hides meta-data (e.g., file sizes, directory structures), which is a nice property. To achieve it, CryFs stores all files and directory information in fixed size blocks, which comes with a performance cost.
In contrast, gocrytfs is closer to the design of EncFs (for each plain text file, there is one encrypted file). It is primarily concerned about the confidentiality of the file content and does not have such strong protection against leaking meta information. Like EncFs, it also supports reverse mode, which is useful for encrypted backups.
Overall, the design of CryFs has the edge in terms of confidentiality and tamper resistance. On the other hand, gocrypts has practical advantages (performance, support for reverse mode).
Both systems are relatively new. In terms of transparency, both are open source projects. gocryptfs had an independent security audit in 2017. CryFs did not have such an audit, but the design has been developed and proven in a master thesis and a paper has been published.
What about the others?
EncFS is discouraged because of the unresolved security issues. It is unsafe if the attacker gets access to previous versions of files (which will be the case when you store data on the Cloud). Also it leaks meta information like file sizes. There is a thread about the plans for version 2, but there are no signs that it will happen in the near future. The original EncFs developer has recommended gocryptfs.
eCryptfs has seen a lack of support recently. In Ubuntu, the installer no longer support ecryptfs encrypted /home directories. Instead they recommend full disk encryption based on LUKS. In addition, eCryptFs has been designed for local disks, not Cloud storage, so I would not recommend it.
VeraCrypt (successor of TrueCrypt) has a good reputation from a security standpoint, but it is not Cloud friendly, as everything is stored in one big file. That will make syncing slow. However, on a local filesystem, this is no concern, which makes it an excellent candidate there.
There is a nice comparison of all these tools on the CryFs homepage (looking at core features). Similarly, there is also an extensive comparison of those four plus cryptomator and securefs on the gocryptfs documentation (looking at technical specs, performance, compatibility etc.).
Solution 2
As I write this, there seem to be quite a few open source tools similar to encfs
(but more "modern" than encfs
) that could be able to encrypt files in a "cloud friendly" way (i.e. providing per-file encryption, keeping modification times, and so on).
Most of them are fine if you are using only Ubuntu or any other Linux system (ecryptfs
seems good), but things become difficult if you require interoperability with other OSes and mobile devices, as most of us is expecting nowadays.
Just to name a few:
- Cryptomator seems to be the only one that works "everywhere", from any GNU/Linux OS to Android. There's even a PPA for Ubuntu and binaries for several other distros and OSes.
- ecryptfs works only on GNU/Linux systems (like Ubuntu, but also ChromeOS), and it's nice if you won't need to access your files from non-Linux OSes, but people say there may be some problems with cloud sync tools.
- CryFS it's a young solution, works only on Linux for now, but there are plans to port it to MacOS and Windows as well. Maybe it worths some attention in the future.
You may find also interesting this comparison of tools from the CryFS website.
Solution 3
The conclusion in the link sums it up:
- Conclusion
In conclusion, while EncFS is a useful tool, it ignores many standard best-practices in cryptography. This is most likely due to it's old age (originally developed before 2005), however, it is still being used today, and needs to be updated.
The EncFS author says that a 2.0 version is being developed 1. This would be a good time to fix the old problems.
EncFS is probably safe as long as the adversary only gets one copy of the ciphertext and nothing more. EncFS is not safe if the adversary has the opportunity to see two or more snapshots of the ciphertext at different times. EncFS attempts to protect files from malicious modification, but there are serious problems with this feature.
So the question you need to answer: How likely is it that an attacker can get hold of the ciphertext?
But that audit is from 2014 and was done on v1.7. v1.8 already fixes some of the issues mentioned in the audit:
The first EncFS 1.8 release candidate fixes two of the potential vulnerabilities mentioned in the security audit and brings a few other improvements:
- improve automatic test converage: also test reverse mode (make test)
- add per-file IVs based on the inode number to reverse mode to improve security
- add automatic benchmark (make benchmark)
- compare MAC in constant time
- add --nocache option
v1.8 came out in 2014 too.
From the project page:
Status
Over the last 10 years, a number of good alternatives have grown up. Computing power has increased to the point where it is reasonable to encrypt the entire filesystem of personal computers (and even mobile phones!). On Linux, ecryptfs provides a nice dynamically mountable encrypted home directory, and is well integrated in distributions I use, such as Ubuntu.
EncFS has been dormant for a while. I've started cleaning up in order to try and provide a better base for a version 2, but whether EncFS flowers again depends upon community interest. In order to make it easier for anyone to contribute, it is moving a new home on Github. So if you're interested in EncFS, please dive in!
That is from 2013... I would consider the project dead if that was the latest news.
But it does list ecryptfs as an alternative for Ubuntu so have a look at that.
Solution 4
gocryptfs is a new alternative. Performance comparisons are available. The encfs developer speaks positively about it.
Solution 5
Encfs is invaluable because of its reverse feature. This instantly makes off-site, semi-secure incremental backups possible, with no additional disk space cost.
Truecrypt doens't have this, nor Veracrypt, nor ecryptfs.
While encfs 2.0 is being worked on, check out CryFS, which isn't 1.0 yet. Another possibility is fuseflt which lets you create filtered views of directories (e.g. an encrypted view using flt_cmd = gpg --encrypt).
Related videos on Youtube
Sebastian
Updated on September 18, 2022Comments
-
Sebastian over 1 year
I love encfs as it provides file-based encrypting which is quite useful when it comes to cloud storage. But it looks like that especially for this use case, encfs is considered to be insecure. I'm aware that encfs 2 is in development but how to deal with it in the meantime? Are there any alternatives that integrate well in ubuntu?
Edit: The security issue I mostly refer to is this one. It is still present in version 1.8 and makes your files vulnerable if someone get's multiple versions of your encrypted files. If one is worried about services like Dropbox are not that thrustworthy and encrypts folders uploaded into the cloud because of that, the opportunity that the attacker (the service) gets more than one copy of the cyphertext is absolutely given.
-
Rinzwind over 7 yearsDon't you think your question is a bit late? That audit you link to is from 2014 and the software had 2 updates after that where the 1st solved some of the issues mentioned in the audit. Nevertheless: see the last sentence in my answer : encryptfs is the current default.
-
Sebastian over 7 yearsAs the problem with mutliple versions of a file makes it vulnerable is still given: No.
-
anthony over 5 yearsWith regards to the included warning text image above, where the storage system owners modify the configuration to simplify the security without the data owners knowledged... This is one reason why I do not believe in actually storing the encfs config file with the actual data directory, but storing it separately to the actual encrypted data. See "Remove the encfs config files from data directory" in my notes... ict.griffith.edu.au/anthony/info/crypto/encfs.txt
-
-
Sebastian over 7 yearsThank you for the detailed answer. But afaik ecryptfs is not usable for securing data in the cloud.
-
Rubi Shnol about 6 yearsCryptomator is unusable since extreeeeeemly slow. ecryptfs is not appropriate for clouds. CryFS has been beta for almost 3 yrs. So, these aren't really alternatives
-
finefoot almost 5 years"So the question you need to answer: How likely is it that an attacker can get hold of the ciphertext?" I mean, the main issue is that as soon as an attacker has access to my Cloud service account like Dropbox they automatically have access to multiple saved snapshots. And that's where EncFS becomes insecure.
-
finefoot almost 5 yearsI don't know how valuable a feature of an encryption software really can be, if the software is not secure...?
-
leggewie about 4 yearsMy personal favorite for securely storing information in the cloud is CryFS. The comparison convinved me. Both CryFS and gocryptfs are available as official Debian and Ubuntu packages.
-
Boris Brodski over 3 yearsNo software is 100% secure. It's always a trade-off.
-
Greg Bell over 3 yearsBetween what and what @BorisBrodski?
-
Boris Brodski over 3 years@GregBell between security and effort/usability. You can be more or less paranoid: The effort to hack your encrypted data is depending on the effort you put to secure it. On the other hand, "too secure" means less usable (more effort to access your data). Are you going to build an additional demilitarized zone at home in order to protect your laptops/PCs from attacks from the internet? Or are you ready to never attach your laptop to the internet? All that will gain you higher and higher levels of security, that a normal person don't actually need. So it's always a trade-off :)
-
Greg Bell over 3 years@BorisBrodski That's just one of the impacts on security. Bugs and poor design would be other causes. If an implementation doubles the size of the keys, security is improved, but usability isn't impacted.
-
Yushin Washio about 3 years@RubiShnol To back your statement on bad performance of cryptomator, one can look at the benchmark (Linux) done by gocryptfs which indeed shows an extreme gap to the competitors (read 29 MiB/s, write 15 MiB/s while both ecryptfs and encfs achieve above 100 MiB/s in read and write) nuetzlich.net/gocryptfs/comparison
-
Tim Diels almost 3 yearsCryFS (0.10.*) can become corrupted if it gets interrupted while it's writing. E.g. the process gets killed, runs out of disk space or due to power loss. The CryFS comparison mentions "The current version is not considered stable yet by the developers and if you decide to use it, regular backups are strongly recommended".
-
Tim Diels almost 3 yearsTo be clear, they imply this will get fixed in v1.
-
Tim Diels almost 3 yearsgocryptfs man page mentions that when using
--noprealloc
(required on btrfs), when running out of space during a write, the last 4 KB written will be corrupt. I guess this would also happen if power is lost or the process gets killed.