/rencfs

RencFS - reverse encrypting file system

Primary LanguagePythonISC LicenseISC

RencFS

Build Status Coverage Status

FUSE-based encrypting filesystem. Meant as a simpler alternative to encfs --reverse.

Installation:

Requires:

  • Python 3.4+
  • fusepy, e.g. pip install fusepy

One of:

  • pyca/cryptography, e.g. pip install cryptography
  • PyCrypto, e.g. pip install pycrypto

Usage:

rencfs.py [-d] ROOT MOUNTPOINT KEY

Mount an encrypted view of the data in ROOT at MOUNTPOINT using KEY.

KEY should be a symmetric key, not a password. It is hashed for normalization only, not using a password hash.

With the -d option you can do the reverse.

Algorithms

Uses AES-128 in CTR mode with HMAC-SHA256 as a 128-bit MAC and KDF.

Caveats

This is extremely simple.

  • Deterministic encryption: attackers can tell if files are equal. (WAD: allows deduplication)
  • File contents only: filenames, sizes, directory structure not encrypted.
  • Not vetted against active attackers: the only "supported" mode is using this to encrypt data and copy that data elsewhere onto a real FS.
  • Anything can happen if the original DIR is written to while the encrypted view is being read.

The second point may change in the future. For now my use case does not require encryption of paths.