Cryptomator vs. gocryptfs
The rough solution I came up with using age is called file-based encryption: it operates on selected directories and files, which distinguishes it from disk encryption, which encrypts the whole disk.
Exploring some of the existing solutions, Cryptomator and gocryptfs stood out to me as the most used and most actively updated, so I decided to learn about them and give them a try. This post highlights the similarities, the differences, my experiences, and what I'd ultimately recommend to both technical and non-technical people.
While my exploration is mostly centered on using these tools on macOS, both are also compatible with Windows and Linux.
Installation
Cryptomator is packaged as a dmg and installs like most regular apps using an installer. gocryptfs requires MacPorts and macFUSE in order to use it. Unfortunately, macFUSE requires special permissions that need to be enabled through recovery mode in order to work, and fuse-t isn't supported as an alternative. fuse-t doesn't require these special permissions and doesn't install a privileged kernel extension. fuse-t is supported and recommended by Cryptomator, but it's only optional. Overall, Cryptomator was much easier to install and get started with.
Key Setup
Both prompt the user for a password with no option to generate a secure password for them; however, Cryptomator does show the strength of the chosen password, while gocryptfs doesn't.
Recovery
Cryptomator has an optional recovery feature that generates a long set of random words which can be used to recover the vault's key, and it gives users advice on where to store it. gocryptfs prints the master key in the terminal and asks users to keep it safe, since it's the only way to recover the files if the password is forgotten or gocryptfs.conf is corrupted.
Key Derivation
Both use scrypt to derive the master key and store it wrapped with a KEK using AES-GCM. Both use different keys for file name encryption and content encryption; however, Cryptomator uses a unique key per file/name, whereas gocryptfs uses the same name and content keys for all files. This does mean that Cryptomator uses more space to store the header files for the derived keys. There's also a difference in how they derive the actual keys: gocryptfs uses HKDF-SHA256, while Cryptomator just sources bytes from a secure random generator.
Which is the better approach? It depends on your threat model and whether you intend to share some of the encrypted files with others. A unique key per file (including changes) allows you to safely share the decryption key for one of the files without compromising the security of the master key or the content of the other files; however, if the associated header file is corrupted or lost, you can no longer decrypt the file. With gocryptfs, the content key is derived from the master key and static parameters and is always recoverable as long as the master key is known, but you can't safely share selected encrypted files (without decrypting them), since all files share the same derived content key.
Encryption Methodology
Content
Both use AES-256-GCM and divide the file into chunks, where each chunk uses a different IV. Cryptomator uses 32 KiB chunks vs. gocryptfs, which uses 4 KiB chunks.
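As an added example (not code from either project), here is a Go sketch of the two key designs compared under Key Derivation together with the per-chunk AES-256-GCM sealing described under Content: deriveSubkey is the deterministic HKDF-SHA256 path (gocryptfs-style, recoverable from the master key alone), while seal and open either wrap a random per-file key into a header under the master key or seal one content chunk under that file key with a fresh nonce (Cryptomator-style, where a lost header means a lost file). The info strings, the "header"/"chunk-N" labels and the 32-byte key sizes are assumptions of this sketch, not either tool's actual on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveSubkey is HKDF-SHA256 (extract with an empty salt, one expand block): deterministic,
// so the subkey is always recoverable from the master key; distinct info strings give independent keys.
func deriveSubkey(master []byte, info string) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size)) // empty salt = zeros
	extract.Write(master)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(append([]byte(info), 1)) // info || block counter; 32 bytes = one block
	return expand.Sum(nil)
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // only reachable with a key that is not 16, 24 or 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal encrypts one unit with AES-256-GCM under a fresh random nonce stored in front of the
// ciphertext: either a header carrying a random per-file key (sealed under the master key)
// or one content chunk (sealed under the file key with its index as ad, so chunks can't be swapped).
func seal(key []byte, ad string, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable entropy source; refusing to encrypt is the safe choice
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(ad))
}

// open reverses seal; any change to nonce, ciphertext, tag or ad fails authentication.
func open(key []byte, ad string, blob []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(ad))
}
```

A whole file is just a header sealed under the master key followed by each chunk sealed under the file key, so the header is the only place the file key exists, while a derived subkey can always be recomputed.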
File/directory names
Both include support for encrypting the filename and path to minimize information leakage; however, they don't obfuscate or flatten the directory structure, so some information can still be gleaned.
Cryptomator uses AES-SIV while gocryptfs uses EME. Both pass in the parent directory to account for file movement and have name-shortening methods to accommodate the filename length limits of different cloud providers.
Implementation Security
Both have been audited and have their security audits publicly available; however, Cryptomator doesn't make theirs obvious to find, while gocryptfs advertises it.
Syncing Encrypted Files
Both rely on the user to store the encrypted files within a storage provider's synced directory that they've already set up. Cryptomator's UI does offer to set the path for some well-known providers like Google Drive and Dropbox.
Conclusion
Overall, their implementation and methodology are similar enough, but Cryptomator excels at user friendliness, usability, and platform support.