Comments (10)
I guess what the OP wanted to ask is whether it's safer to keep the gocryptfs.conf local or whether this doesn't have any security implications at all, fully realizing that it's a lot more inconvenient to copy the configuration file to every client manually.
from gocryptfs.
The next related questions can be:
- Why don't you (gocryptfs dev team) choose to put these files in another place?
- Is there a setup option for gocryptfs that lets the user get a copy of these files inside a specific directory? (for example: ~/.config/gocryptfs/$uniq_directory_name/)
I think it would be a great evolution.
from gocryptfs.
Hi, you can put gocryptfs.conf wherever you like, and then use gocryptfs -config to use it. But this will not be the default, because gocryptfs should be easy to use and the encrypted folder should be self-contained.
from gocryptfs.
@rfjakob ok, thank you for the information about the config file option (could you elaborate, or is it in the man page?).
So the question linked to "safety first" becomes:
Do you think it is possible to stay easy to use and increase safety by not putting the .diriv and .conf files inside the self-contained encrypted folder?
My proposition to increase safety without sacrificing usability is:
Putting them together inside the non-encrypted folder by default should be the easy and safe way to go. This way, you should agree it stays easy and becomes safe.
Do you agree?
from gocryptfs.
Yes. Let's do the math:
- Trying one password takes about 0.3 seconds on my PC. Let's say the attacker can check a million passwords per second.
- A random 16-character string of hex digits like "b5bb9d8014a0f9b1" has 16*4 = 64 bits of entropy. Brute-forcing this at 1 million passwords per second takes 290,000 years. Computed using Octave:
>> 2**64/1e6/3600/24/365/2
ans = 2.9247e+05
- So I'd go for 64 bits of entropy in the password. If you want to use the xkcd method, use six words instead of four; this will get you 66 bits.
from gocryptfs.
Also very good is this table that uses hardware cost as the metric instead: http://security.stackexchange.com/a/95764
We use scrypt with 0.3 seconds instead of 3.8. Also, the table is from 2002, so let's say hardware has gotten 100x cheaper since then, and we arrive at 1000x. So read from the bottom row and divide by 1000.
from gocryptfs.
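A small calculator, added here and not part of the thread or of gocryptfs itself, that carries the two comments above through in Python: entropy of a random password from alphabet size and length, expected brute-force time at a given guess rate, the bit count needed to survive a target number of years, and the scaling factor applied to the linked hardware-cost table. Function names and the 2048-word list size assumed for the xkcd method are my assumptions.

```python
import math

SECONDS_PER_YEAR = 3600 * 24 * 365


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected years to brute-force a password of the given entropy.

    On average the attacker searches half the keyspace, hence the final / 2
    (same formula as the Octave line in the comment above).
    """
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR / 2


def bits_needed(target_years: float, guesses_per_second: float) -> float:
    """Inverse of years_to_crack: entropy needed so an attacker at this rate
    needs target_years on average."""
    return math.log2(target_years * guesses_per_second * SECONDS_PER_YEAR * 2)


def attacker_guess_rate(seconds_per_guess_here: float, attacker_speedup: float) -> float:
    """Guesses/second for an attacker `attacker_speedup` times faster than the
    machine where one scrypt trial takes `seconds_per_guess_here`."""
    return attacker_speedup / seconds_per_guess_here


def table_divisor(table_seconds_per_guess: float, our_seconds_per_guess: float,
                  hardware_cheaper_factor: float) -> float:
    """Factor to divide the linked hardware-cost table's years by: the table
    assumed a slower KDF setting and older hardware (assumed inputs)."""
    return table_seconds_per_guess / our_seconds_per_guess * hardware_cheaper_factor


if __name__ == "__main__":
    rate = 1e6  # guesses per second, the attacker assumed in the thread
    for label, bits in (("16 hex chars", entropy_bits(16, 16)),
                        ("4 xkcd words", entropy_bits(2048, 4)),
                        ("6 xkcd words", entropy_bits(2048, 6))):
        print(f"{label}: {bits:.0f} bits, {years_to_crack(bits, rate):,.1f} years")
    print(f"bits needed for 290,000 years: {bits_needed(290_000, rate):.2f}")
    print(f"table divisor: {table_divisor(3.8, 0.3, 100):.0f}")
```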
Yes, not uploading it is more secure.
from gocryptfs.
Thanks for the answers!
So I will go for keeping the conf-files off-cloud.
from gocryptfs.
As per this comment, it is okay to back up gocryptfs.conf (as a part of the crypt folder) if and only if the password is strong.
from gocryptfs.
"use gocryptfs -config to use it."
That's not as seamless as already having some kind of XDG_CONFIG var defined for other purposes and having gocryptfs understand it without any extra flags (in case it doesn't find any config files in the encrypted folder).
from gocryptfs.