this post was submitted on 12 Oct 2024
14 points (100.0% liked)

Linux

5174 readers
376 users here now

A community for everything relating to the linux operating system

Also check out !linux_memes@programming.dev

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 1 year ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
14
Best directory encryption that passed an audit? (feddit.org)
submitted 3 weeks ago by pantherina@feddit.org to c/linux@programming.dev
16 comments fedilink hide all child comments
 

I know of CryFS and encFS which both failed an Audit.

I know LUKS and veracrypt which work but are both tedious and not useful for my use case.

I want to encrypt folders on Linux and then sync them with a cloud or just store them locally.

There is goCryptFS which is in Go, i.e. memorysafe which is good. It also failed the audit when it comes to cloud sync.

The issue: if an attacker has access to the encrypted files over time, if you always upload changes, they can crack you.

This would not be relevant for local file stores, but for synced ones it is.

There I used Cryptomator, which has many downsides though

  • the app is GUI only, the CLI variant is last released 2021, which I dont consider maintained when it comes to security? Or is it?
  • the GUI App is in electron, no Wayland support
  • the app devs dont care about flatpak rules and store secrets outside the app container, meaning the app is unconfined by default, you need to manually add an override and it is still pretty insecure in the case that all untrusted apps are flatpaks

KDE KVaults only supports insecure algorithms, goCryptFS would be the most secure for local only stuff, but that was abandoned as a Fedora package and is only available from COPR, currently. (I should learn RPM packaging once again).

Cryptomator seems to be the only one 1. Suitable for cloud sync (not encrypting everything always again) 2. That passed an audit.

The CLI may be fine if it just interacts with the GUI app? I wonder how that would work with the Flatpak.

Do you know any alternatives?

top 16 comments
sorted by: hot top controversial new old
[–] bjoern_tantau@swg-empire.de 3 points 3 weeks ago (1 children)

Aren't there ways with PGP to encrypt files? I remember dabbling with it a while ago.

[–] pantherina@feddit.org 3 points 3 weeks ago (1 children)

This would only work on single files or archives, but yes probably a good idea. I think cryptomator slices up files into equal pieces and then encrypts both, protecting against analysis of file types, but being sync-friendly.

[–] bad_news@lemmy.billiam.net 1 points 3 weeks ago

Probably not an ideal solution, but you could script CLI bcrypt or openssl-ing the files tar-ed and then just rsync or whatever to a location. Organizing by original file hash values would provide unique identifiers that don't surface the file type without the observer knowing the OG filename and your salt

[–] Lem453@lemmy.ca 3 points 3 weeks ago (2 children)

Borg backup is the way to go for this.

Its designed to have encrypted repos that are send to any destination remote or local.

[–] hexdream@lemmy.world 2 points 3 weeks ago

I second Borg. It's fantastic.

[–] pantherina@feddit.org 1 points 3 weeks ago (1 children)

Does that work with Nextcloud too? So send the encrypted stuff to Nextcloud or copy to another dir at least?

[–] Lem453@lemmy.ca 1 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

You use it to take the NextCloud files (set the NextCloud directory as a source) and Then you sent the files to a backup repository (destination).

You don't send the backup files to a NextCloud install. That's not the correct way to use the tool.

I self host a Borg repository in docker so the backup gets sent locally and then I also use borgbase as offsite backup.

You can have as many sources and destinations as you want

[–] pantherina@feddit.org 1 points 3 weeks ago

I am not sure I understood. I have a Nextcloud client and sync to a server I dont trust. Or that I dont want to encrypt with LUKS.

And I want to open decrypted tiles, use them and save them encrypted to a directory that I sync with Nextcloud.

[–] HighlyRegardedArtist@lemmy.world 2 points 3 weeks ago (1 children)

You can use LUKS for something like this too by mounting a file through a loop device and then using it like any other disk/filesystem. For more details, see: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_a_non-root_file_system#File_container

[–] pantherina@feddit.org 1 points 3 weeks ago

Cool! That sounds like a great option.

[–] sxan@midwest.social 2 points 3 weeks ago (1 children)

No, I don't have an answer to your question. But I have one: is there a reason you aren't using a backup tool with integrated encryption, like restic, for this? It sounds as if you're doing encrypted backups, but the hard way.

[–] pantherina@feddit.org 1 points 3 weeks ago

I use Nextcloud and may use other solutions too.

All the rest is with syncthing between trusted devices

[–] 0x0@programming.dev 1 points 3 weeks ago (1 children)

Maybe tomb can help you.

[–] pantherina@feddit.org 2 points 3 weeks ago

Wooow that looks awesome!

I read about dyne, pretty cool group.

[–] ExperimentalGuy@programming.dev 1 points 3 weeks ago (1 children)

Why not just compress a directory then encrypt that?

[–] pantherina@feddit.org 1 points 3 weeks ago

It needs to be repeatable easily and easy to use for sync. This method would always encrypt everything new.