FUSE-based encrypting filesystem.
Meant as a simpler alternative to encfs --reverse
.
Requires:
- Python 3.4+
- fusepy, e.g.
pip install fusepy
One of:
- pyca/cryptography, e.g.
pip install cryptography
- PyCrypto, e.g.
pip install pycrypto
rencfs.py [-d] ROOT MOUNTPOINT KEY
Mount an encrypted view of the data in ROOT at MOUNTPOINT using KEY.
KEY should be a symmetric key, not a password. It is hashed for normalization only, not using a password hash.
With the -d option you can do the reverse.
Uses AES-128 in CTR mode with HMAC-SHA256 as a 128-bit MAC and KDF.
This is extremely simple.
- Deterministic encryption: attackers can tell if files are equal. (WAD: allows deduplication)
- File contents only: filenames, sizes, directory structure not encrypted.
- Not vetted against active attackers: the only "supported" mode is using this to encrypt data and copy that data elsewhere onto a real FS.
- Anything can happen if the original DIR is written to while the encrypted view is being read.
The second point may change in the future. For now my use case does not require encryption of paths.