OweFS – One-way encrypted file system (opens in new tab)

The author should use a library that provides a simple "encryptWithPublicKey" method, so that any choices about RSA key size, AES mode of operation, etc are all taken care of. NaCl[1] would probably be best, since it's written and audited by prominent cryptographers.

[1] http://nacl.cr.yp.to/

There are a tremendous number of other ways this could be implemented.

Authenticated encryption? GCM? XTS? Salt the CFB? Guard against interblock attacks?

The crypto needs to be completely reworked. This is an asymmetric kek around symmetric encryption, which is done in many other projects.

Half-backed crypto such as this is worse than no crypto at all, as it lulls people into believing they are using a valid cryptographic system. But, the project implements (poorly) a subset of what is needed and pushes the rest into application code - but app writers don't know this and wouldn't know what to implement even if they know of the shortcomings.

Cryptographers see this all the time. People think they invented a new concept but only implemented a well-known design but did it incompletely and with well-known flaws in the crypto. Then, people defend the system, when it would be far easier to use better primitives.

You could make this a frontend to an existing system like GPG

Uhh. I'd think, Crypto.Random is supposed to be secure: """Return the specified number of cryptographically-strong random bytes."""

Pretty sad if it is not the case! Interestingly enough, RNG in pycryptodome which I was using for zerodb is urandom. https://github.com/Legrandin/pycryptodome/blob/master/lib/Cr...

Would be interesting to see similar gotchas about that library (though everybody uses PyCrypto, that makes me feel a little paranoid!)

It says something if you're using a package called PyCrypto for RNG and that happens to be an insecure approach. You would think with that name it was the right way to do it.

To be fair, most full-disk encryption schemes do not authenticate.

This can't be used for assymetric encryption. The reason you can still see files and filenames on normally encrypted drives is because your OS holds the encryption key AND decryption key in memory (they're actually the same because it's using symmetric encryption). The problem with the assymetric case is that you no longer have the decryption key, so if you encrypt a filename, you don't get to refer to the file anymore, of course unless (as another user commented) you encrypt the filename you're using to reference the file every time you reference the file, which isn't a terrible idea.

You could do that, but it'd be quite inefficient.

Firstly, let's assume that directories aren't encrypted. Otherwise this would be a real PITA - just to locate /foo/bar/baz.txt you'd have to decrypt each component of 001001/011101/110101.encrypted separately.

More importantly, the decrypting software has no way to encrypt things, only decrypt them. So to read 'secret.txt' you can't just encrypt 'secret.txt' to '111000.encrypted'. Instead, you have to iterate through the entire directory listing and decrypt every single filename, until you find one that decrypts to 'secret.txt'.

Obviously this gets pretty bad with even moderately-sized directories. I assume this is why the project doesn't encrypt filenames.

I see. Thanks!