Comments (9)
rfjakob
commented on September 24, 2024
2
Decrypting using the password (i.e. without -masterkey) works normally?
…On Wed, 17 Apr 2024, 22:23 Durval Menezes, ***@***.***> wrote:
As per the subject, and here's how to reproduce the problem:
mkdir /tmp/gocryptfs_corruption_test
cd !$
export N='===Short_name'; echo $N
mkdir original_data
mkdir original_data/$N
echo Mary Had A Little Lamb > original_data/$N/$N
gocryptfs -init -reverse -deterministic-names original_data
-> Pick whatever password you want; I used "lO22343%fT" (without quotes)
-> Take note of the master key as we will need it in the last step
mkdir encrypted_data
gocryptfs -reverse -deterministic-names original_data encrypted_data
-> Enter the same password as above.
mkdir recovered_encrypted_data
cp -rp encrypted_data/. recovered_encrypted_data/.
mkdir recovered_decrypted_data
gocryptfs -deterministic-names -nosyslog -masterkey=stdin recovered_encrypted_data recovered_decrypted_data
-> And the result, instead of the beginning of the nunnery song, is an error:
doRead 3934243: corrupt block #0: cipher: message authentication failed
doRead 3934243: corrupt block #0: cipher: message authentication failed
cat: 'recovered_decrypted_data/===Short_name/===Short_name': Input/output error
This is on a fully updated Ubuntu 22.04.4 amd64 system using the static
gocryptfs v.2.4.0 binary extracted from
https://github.com/rfjakob/gocryptfs/releases/download/v2.4.0/gocryptfs_v2.4.0_linux-static_amd64.tar.gz
This is my very first use of gocryptfs (trying to validate it for my
specific use case, which is backing up
encrypted data, and then trying to recover the original data using only
the encrypted data plus the masterkey);
So, I may very well be making some kind of stupid mistake, but for the
life of me I can't see it -- and will be
doubly grateful if anyone can point it to me.
—
Reply to this email directly, view it on GitHub
<#841>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACGA7YHKUOT7WVG5VLIGLTY53K53AVCNFSM6AAAAABGL73WOSVHI2DSMVQWIX3LMV43ASLTON2WKOZSGI2DSMRRGA2TMMI>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
from gocryptfs.
rfjakob
commented on September 24, 2024
1
Ah, now I see what's going on: you need to pass -aessiv when you mount with
-masterkey.
…On Thu, 18 Apr 2024, 15:07 Durval Menezes, ***@***.***> wrote:
Decrypting using the password (i.e. without -masterkey) works normally?
Just tested it.
In short: YES, IT WORKS! (without -masterkey and instead supplying -config
pointing to a backup of the complete .gocryptfs.reverse.conf file):
In detail: here's the complete test procedure, changed for this case:
mkdir /tmp/gocryptfs_corruption_test
cd !$
export N='===Short_name'; echo $N
mkdir original_data
mkdir original_data/$N
echo Mary Had A Little Lamb > original_data/$N/$N
gocryptfs -init -reverse -deterministic-names original_data
-> Pick whatever password you want; I used "lO22343%fT" (without quotes)
-> This time, no need to take note of the master key as we will be using a copy of the gocryptfs.conf file plus the password entered above.
mkdir encrypted_data
gocryptfs -reverse -deterministic-names original_data encrypted_data
-> Enter the same password as above.
mkdir recovered_encrypted_data
cp -rp encrypted_data/. recovered_encrypted_data/.
cp original_data/.gocryptfs.reverse.conf original_data_-_DOT.gocryptfs.reverse.conf
mkdir recovered_decrypted_data
gocryptfs -config original_data_-_DOT.gocryptfs.reverse.conf -deterministic-names -nosyslog recovered_encrypted_data recovered_decrypted_data
-> Enter the same password used above
cat recovered_decrypted_data/\=\=\=Short_name/\=\=\=Short_name
Mary Had A Little Lamb
-> The expected result, instead of an error.
So right there, that's the workaround for my use case: just stash the
complete config file plus its password somewhere safe, instead of just the
masterkey so the former can be used in the recovery instead of the latter.
Thank you for that.
OTOH it's much less convenient to safely save the config file as it's a
couple of hundred bytes long... eg in a password vault app or similar. So,
if/when you can fix this and get -masterkey working, it would be much
appreciated.
—
Reply to this email directly, view it on GitHub
<#841 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACGA75RJSKNOLZGCWJIOPDY57AQTAVCNFSM6AAAAABGL73WOSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANRTHAZDMNZTGA>
.
You are receiving this because you commented.Message ID:
***@***.***>
from gocryptfs.
DurvalMenezes
commented on September 24, 2024
Decrypting using the password (i.e. without -masterkey) works normally?
Thanks for the prompt response. Will test momentarily and let you know.
from gocryptfs.
DurvalMenezes
commented on September 24, 2024
Decrypting using the password (i.e. without -masterkey) works normally?
Just tested it.
In short: YES, IT WORKS! (without -masterkey and instead supplying -config pointing to a backup of the complete .gocryptfs.reverse.conf file):
In detail: here's the complete test procedure, changed for this case:
mkdir /tmp/gocryptfs_corruption_test
cd !$
export N='===Short_name'; echo $N
mkdir original_data
mkdir original_data/$N
echo Mary Had A Little Lamb > original_data/$N/$N
gocryptfs -init -reverse -deterministic-names original_data
-> Pick whatever password you want; I used "lO22343%fT" (without quotes)
-> This time, no need to take note of the master key as we will be using a copy of the gocryptfs.conf file plus the password entered above.
mkdir encrypted_data
gocryptfs -reverse -deterministic-names original_data encrypted_data
-> Enter the same password as above.
mkdir recovered_encrypted_data
cp -rp encrypted_data/. recovered_encrypted_data/.
cp original_data/.gocryptfs.reverse.conf original_data_-_DOT.gocryptfs.reverse.conf
mkdir recovered_decrypted_data
gocryptfs -config original_data_-_DOT.gocryptfs.reverse.conf -deterministic-names -nosyslog recovered_encrypted_data recovered_decrypted_data
-> Enter the same password used above
cat recovered_decrypted_data/\=\=\=Short_name/\=\=\=Short_name
Mary Had A Little Lamb
-> The expected result, instead of an error.
So right there, that's the workaround for my use case: just stash the complete config file plus its password somewhere safe, instead of just the masterkey so the former can be used in the recovery instead of the latter. Thank you for that.
OTOH it's much less convenient to safely save the config file as it's a couple of hundred bytes long... eg in a password vault app or similar. So, if/when you can fix this and get -masterkey working, it would be much appreciated.
EDIT: perhaps a shout-out is in order to everyone who may be depending on -masterkey instead of saving the entire config file, lest they find themselves unable to restore their data when the config file goes to heck along their original data... just a suggestion, tho.
from gocryptfs.
DurvalMenezes
commented on September 24, 2024
Ah, now I see what's going on: you need to pass -aessiv when you mount with -masterkey.
And now that you mention it, I can see it's even in the documentation:
man gocryptfs
(...)
-masterkey string
(...)
Even if a config file exists, it will not be used. All non-standard settings have to be
passed on the command line: -aessiv when you mount a filesystem that was created using reverse mode, or
-plaintextnames for a filesystem that was created with that option.
So, my mistake for not properly reading the documentation 🤦♂️...
Sorry for the false alarm, and thanks for the clarification. Closing this issue now.
from gocryptfs.
DurvalMenezes
commented on September 24, 2024
Sorry for the false alarm, and thanks for the clarification. Closing this issue now.
Reopening this issue for just one more observation/suggestion:
I just noticed that I was technically in accordance with the documentation: for the mount command, along with -masterkey I did specify every non-standard option I used during -init, which in my case was only -deterministic-names.
In other words, I did not specify -aessiv on the gocryptfs -init command; what I did specify was -deterministic-names which, on gocryptfs -initimplies -aessiv, but apparently does not imply it during the mount command (where I also specified -deterministic-names).
So, I gotta ask: is there any specific reason for -deterministic-names not implying -aessiv during mount?
If not, may I humbly suggest that you make it so? Will probably save some other unfortunate person a few hours and some pulled hair... :-)
TIA!
from gocryptfs.
rfjakob
commented on September 24, 2024
-reverse implies -aessiv, https://github.com/rfjakob/gocryptfs/blob/master/Documentation/MANPAGE.md#-reverse
from gocryptfs.
rfjakob
commented on September 24, 2024
Emphasized that in 7883d38
from gocryptfs.
rfjakob
commented on September 24, 2024
BTW this dance
cp original_data/.gocryptfs.reverse.conf original_data_-_DOT.gocryptfs.reverse.conf
should be unneccessary as .gocryptfs.reverse.conf is shown as gocryptfs.conf in the encrypted view.
from gocryptfs.
Related Issues (20)
- avoid shelling out to logger binary HOT 4
- [Question] Is using the same config for multiple filesystems a bad idea? HOT 1
- Listing plain text names with encrypted names HOT 5
- question regarding GOCRYPTFS_BAD_NAME behavior in case of file content corruption HOT 1
- hard restart has broken my disc HOT 3
- Install gocryptfs through conda
- Decrypt to folder HOT 1
- Logger keeps from umounting: target is busy. HOT 3
- recreated gocryptfs.conf using masterkey have different EncryptedKey and Salt HOT 1
- [Question] Encrypted backups without reverse mode possible? HOT 4
- How may root check whether a Gocryptfs mount point exists (when in use)? HOT 1
- MacOS: Can't delete diacritically named files (NFC unicode form) HOT 1
- Empty stdin in mkinitcpio hook HOT 12
- Avoid duplicate kernel options
- BUG: Unable to build on ARM HOT 5
- Feature request: exclude files in read-only forward mode
- 2 directories seems to always break gocryptfs HOT 6
- passing options to FUSE HOT 2
- poor write performance over cifs HOT 13
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gocryptfs.