1. Introduction §
When using cloud storage that is not end-to-end encrypted, you may want to store your files encrypted: otherwise, if the cloud provider (which could be you, if you self-host Nextcloud or Seafile) gets hacked, your data will be available to the attacker, and this is not great.
While there is encryption software like age or gpg, it is not usable for working transparently with files. A specific class of encryption software exists for this: it creates a logical volume holding your files, which are transparently encrypted at the file system level.
You will learn about cryptomator, gocryptfs, cryfs and rclone. They allow you to have a local directory, synced with the cloud provider, that contains only encrypted files, and a mount point where you access your files. Your files are sent encrypted to the cloud provider, but you can use them as usual (with some overhead).
This blog post is a bit of a "yet another comparison", because all of these programs also provide their own comparison list of challengers.
A comparison done by gocryptfs
A comparison done by cryptomator
A comparison done by cryfs
2. Benchmark §
My comparison covers the following attributes and features of each software:
- number of files in the encrypted dir, always using the same input (837 MB from 4797 files made of pictures and a git repository)
- filename and file tree hierarchy obfuscation within the encrypted dir
- size of the encrypted dir compared to the 837 MB of the raw material
- cryptography used
3. Software list §
Here is the challenger list I decided to evaluate:
3.1. Cryptomator §
The main software (running on Linux) is open source, and they have a client for every major operating system, including Android and iOS. The Android app is not free (as in beer), the iOS app is free for read-only use, and the Windows / Linux / Mac OS program is free. They have an offer for a company-wide system, which can be convenient for some users.
Cryptomator features a graphical interface, making it easy to use.
Encryption suites are good: it uses AES-256-GCM and scrypt, with authentication of the encrypted data (which is important, as it allows detecting whether a file was altered). A salt is used.
Hierarchy obfuscation can be sufficient depending on your threat model. The whole structure is flattened and all names are obfuscated, but you can still guess the number of directories, the number of files in each, and the file sizes. This is not a huge security flaw, but it is something to consider.
Cryptomator implementation details
3.2. gocryptfs §
This software is written in Go and works on Linux; a C++ Windows version exists, and there is a beta version for Mac OS.
gocryptfs official website
Hierarchy obfuscation is not great: the whole structure is preserved, although the names are obfuscated.
Cryptography-wise, scrypt is used for key derivation and AES-256-GCM for authenticated encryption.
gocryptfs implementation details
3.3. CryFS §
I first learned about cryfs when using KDE Plasma: there was a graphical widget named "vault" that can drive cryfs to create encrypted directories. This GUI also allows using gocryptfs but defaults to cryfs.
CryFS official website
CryFS is written in C++, but an official rewrite in Rust is ongoing. It works fine on Linux, and there are binaries for Mac OS and Windows as well.
Encryption suites are good: it uses AES-256-GCM and scrypt, but you can use xchacha20-poly1305 if you do not want AES-GCM.
It encrypts file metadata and splits all files into small blocks of fixed size; it is the only software in the list that obfuscates all kinds of data (filename, directory name, tree hierarchy, sizes, timestamps) and also protects against the replay of an old file.
CryFS implementation details
3.4. rclone §
It can be surprising to see rclone here: it is a file transfer software supporting many cloud providers, but it also features a few "fake" providers that can be combined with any other provider. Those fake remotes can be used to encrypt files, but also to aggregate multiple remotes or to split files into chunks. We will focus on the "crypt" remote.
Rclone official website
rclone is written in Go; it is available everywhere on desktop systems but not on mobile devices.
Encryption is done through libNaCl, using XSalsa20 for encryption and Poly1305 for authentication, and scrypt is used for key derivation. A salt can be used but it is optional, so make sure to enable it.
Hierarchy obfuscation is not great: the whole structure is preserved, although the names are obfuscated.
rclone crypt remote implementation details
3.5. Other §
ecryptfs is almost abandonware, so I did not cover it.
ecryptfs is unmaintained and untested
encfs is limited and recommends its users to switch to gocryptfs
encFS GitHub page: anchor "about"
LUKS and Veracrypt are not "cloud friendly": although you can have a big local file encrypted with them and mount the volume locally, it will be synced as a huge blob on the remote service.
4. Results §
From source directories with 4312 files and 480 directories, for a total of 847 MB:
- cryptomator ended up with 5280 files, 1345 directories for a total of 855 MB
- gocryptfs ended up with 4794 files, 481 directories for a total of 855 MB
- cryfs ended up with 57928 files, 4097 directories for a total of 922 MB
- rclone ended up with 4311 files, 481 directories for a total of 847 MB
Although cryptomator has a few more files and directories in its encrypted output than the original, the obfuscation really just consists of putting all directories into a single directory with obfuscated filenames. Some extra directories and files are created for cryptomator's internal workings, which explains the small overhead.
I used the default settings for cryfs with a block size of 16 kB, which is quite low and will be a huge overhead for synchronization software like the Nextcloud desktop client. Increasing the block size is a setting worth considering, depending on your file size distribution. All files are spread in a binary tree, allowing it to scale to a huge number of files without filesystem performance issues.
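To reproduce the counts of the results section on your own trees, and to see why the cryfs block size matters, here is an added Python example (not from the original post nor from any of these projects): it counts files, directories and bytes of a directory, then applies a simplified fixed-size-block model to the observed file sizes. The sample tree it builds and the model's simplifications (no inner tree nodes, no per-block headers) are assumptions.

```python
import os
import tempfile
from math import ceil

def tree_stats(root):
    """Count files, directories and bytes under root, as the results
    section does for the source dir and each encrypted dir."""
    files = dirs = total = 0
    sizes = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs += len(dirnames)
        for name in filenames:
            size = os.path.getsize(os.path.join(dirpath, name))
            files += 1
            total += size
            sizes.append(size)
    return {"files": files, "dirs": dirs, "bytes": total, "sizes": sizes}

def block_padding(sizes, blocksize):
    """Simplified model of a fixed-size block store like cryfs: each file
    becomes ceil(size / blocksize) blocks and the last one is padded, which
    hides file sizes at the cost of more files and bytes. Inner tree nodes
    and per-block headers are ignored (assumption)."""
    blocks = sum(max(1, ceil(s / blocksize)) for s in sizes)
    padded, raw = blocks * blocksize, sum(sizes)
    overhead_pct = (padded - raw) / raw * 100 if raw else 0.0
    return {"blocks": blocks, "bytes": padded, "overhead_pct": overhead_pct}

def make_sample_tree(root):
    """Constructed sample input: three files in nested directories."""
    layout = {"a.bin": 100, "sub/b.bin": 16384, "sub/deep/c.bin": 20000}
    for rel, size in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)

def demo():
    """Build the sample tree in a temp dir and compare two block sizes."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        stats = tree_stats(root)
    return {"stats": stats,
            "16k": block_padding(stats["sizes"], 16 * 1024),
            "64k": block_padding(stats["sizes"], 64 * 1024)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point `tree_stats` at your source directory and at each encrypted directory to get the file, directory and size figures side by side; the 16 kB model shows how small files and partial last blocks inflate both the file count and the bytes to sync.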
5. Conclusion §
In my opinion, the best choice from a security point of view would be cryfs. It features full data obfuscation, good encryption, and mechanisms that prevent replaying old files or swapping files. The documentation is clear, and the design choices are explained clearly and with ease.
But to be honest, I would recommend cryptomator to someone who wants a nice graphical interface and easy-to-use software, and whose threat model allows some metadata to be revealed. It is also available everywhere (although not always for free), which is something to consider.
Authentication is used by all these programs, so you will know if a file was tampered with, although it does not protect against swapping files or replaying an old file; this is certainly not in everyone's threat model. Most people will just want to prevent a data leak from exposing their data, and the case of a cloud storage provider modifying your encrypted files is less likely.
6. Going further §
There is a GUI frontend for gocryptfs and cryfs called SiriKali.
SiriKali official project page
SiriKali GitHub project
Some self-hostable cloud storage providers exist with end-to-end encryption (files are encrypted/decrypted locally and only stored as blobs remotely):
The two major products I would recommend are Peergos and Seafile. I am a Peergos user, it works well and features a Web UI, whereas Seafile encryption is not great, as using the web UI requires sharing the password, and metadata protection is bad too.
- https://peergos.org/ Peergos
- https://www.seafile.com/en/home/ Seafile