Cryptomator vs. gocryptfs

The rough solution I put together with age falls under file-based encryption, which operates on selected directories and files, as opposed to disk encryption, which encrypts the whole disk.

Exploring some of the existing solutions, cryptomator and gocryptfs stood out to me as the most widely used and actively updated, so I decided to learn about them and give them a try. This post highlights their similarities and differences, my experiences with them, and what I'd ultimately recommend to both technical and non-technical people.

While my exploration is mostly centered on using these tools on macOS, both are also available for Windows and Linux.

Installation

cryptomator is packaged as a dmg and installs like most regular apps using an installer.

gocryptfs requires macports and macfuse in order to use it. Unfortunately, macfuse requires special permissions that need to be enabled through recovery mode in order to work, and gocryptfs doesn't support fuse-t, which doesn't require these special permissions and doesn't install a privileged kernel extension.

fuse-t is supported and recommended by cryptomator, but it's only optional. Overall, cryptomator was much easier to install and get started with.

Key Setup

Both prompt the user for a password with no option to generate a secure one for them; cryptomator does, however, show the strength of the chosen password, while gocryptfs doesn't.

Recovery

cryptomator has an optional recovery feature that generates a long set of random words which can be used to recover the vault's key, and it gives users advice on where to store them.

gocryptfs prints the master key in the terminal and asks the user to keep it safe, since it's the only way to recover the files if the password is forgotten or gocryptfs.conf is corrupted.

Key Derivation

Both use scrypt to derive a key from the password and store the master key encrypted under that KEK with AES-GCM.

Both use separate keys for filename encryption and content encryption. cryptomator, however, uses a unique key per file / name, whereas gocryptfs uses the same name / content keys for all files. This does mean that cryptomator uses more space, since it stores a header per file holding that file's key. The keys are also derived differently: gocryptfs derives them with HKDF-SHA256, while cryptomator simply sources the bytes from a secure random generator.

Which is the better approach? It depends on your threat model and on whether you intend to share some of the encrypted files with others. The unique key per file (including changes) allows you to safely share the decryption key for one file without compromising the master key or the content of the other files; however, if the associated header file is corrupted or lost, you can no longer decrypt that file. With gocryptfs, the content key is derived from the master key and static parameters, so it is always recoverable as long as the master key is known, but you can't safely share selected encrypted files (without decrypting them first) since all files share the same derived content key.
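To make the two key hierarchies concrete, here is an added example (my own illustration, not code from cryptomator or gocryptfs) that uses the `cryptography` package and Python's stdlib scrypt. It wraps a random master key under a password-derived KEK with AES-GCM, then contrasts the two per-file strategies the post describes: an independent random key per file kept in a header (strategy A) versus subkeys derived from the master key with HKDF-SHA256 (strategy B). The scrypt cost parameters, the associated-data labels, and the header layout are all constructed for the demo and are not the projects' actual formats.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# Constructed scrypt cost parameters for a quick demo; a real vault uses its own
# documented (and heavier) settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_kek(password: str, salt: bytes) -> bytes:
    """scrypt(password, salt) -> 32-byte key-encryption key (KEK)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def wrap_master_key(password: str, master_key: bytes) -> dict:
    """Wrap a random master key under the password-derived KEK with AES-GCM.

    The returned dict is what a vault config file would persist: salt and nonce
    in the clear, the master key only in encrypted form.
    """
    salt, nonce = os.urandom(16), os.urandom(12)
    kek = derive_kek(password, salt)
    wrapped = AESGCM(kek).encrypt(nonce, master_key, b"vault-config")
    return {"salt": salt, "nonce": nonce, "wrapped": wrapped}


def unwrap_master_key(password: str, conf: dict) -> bytes:
    """Recover the master key; AES-GCM raises InvalidTag on a wrong password or tampered config."""
    kek = derive_kek(password, conf["salt"])
    return AESGCM(kek).decrypt(conf["nonce"], conf["wrapped"], b"vault-config")


# Strategy A (the post's description of cryptomator): every file gets its own random
# key, stored in a per-file header that is itself wrapped with the master key.
def new_file_header(master_key: bytes) -> tuple[bytes, bytes]:
    file_key = os.urandom(32)          # sourced straight from the CSPRNG
    nonce = os.urandom(12)
    header = nonce + AESGCM(master_key).encrypt(nonce, file_key, b"file-header")
    return file_key, header


def open_file_header(master_key: bytes, header: bytes) -> bytes:
    return AESGCM(master_key).decrypt(header[:12], header[12:], b"file-header")


# Strategy B (the post's description of gocryptfs): one content key and one name key
# for the whole filesystem, derived from the master key with HKDF-SHA256.
def derive_subkey(master_key: bytes, purpose: bytes) -> bytes:
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=purpose).derive(master_key)


def demo() -> dict:
    master_key = os.urandom(32)
    conf = wrap_master_key("correct horse battery staple", master_key)
    results = {"unwrap_ok": unwrap_master_key("correct horse battery staple", conf) == master_key}
    try:
        unwrap_master_key("wrong password", conf)
        results["wrong_password_rejected"] = False
    except InvalidTag:
        results["wrong_password_rejected"] = True

    # Strategy A: file keys are independent, so one can be handed out without exposing
    # the others, but the header is the only route back to that key.
    key1, hdr1 = new_file_header(master_key)
    key2, _ = new_file_header(master_key)
    results["per_file_keys_differ"] = key1 != key2
    results["header_recovers_key"] = open_file_header(master_key, hdr1) == key1
    try:
        open_file_header(master_key, hdr1[:12] + b"\x00" * (len(hdr1) - 12))  # corrupted header
        results["corrupt_header_unrecoverable"] = False
    except InvalidTag:
        results["corrupt_header_unrecoverable"] = True

    # Strategy B: nothing but the master key is needed, but one content key opens every file.
    content_key = derive_subkey(master_key, b"content")
    results["hkdf_recoverable"] = content_key == derive_subkey(master_key, b"content")
    results["hkdf_purposes_differ"] = content_key != derive_subkey(master_key, b"names")
    return results
```

Running `demo()` returns a dict in which every entry is `True`: the wrong password is rejected by the GCM tag rather than by a separate check, a zeroed header makes that file's key unrecoverable even with the master key in hand, and the HKDF subkeys come back identical on every derivation, which is exactly the recoverability-versus-sharing trade-off the post describes.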

Encryption Methodology

Content

They both use AES-256-GCM and divide the file into chunks, where each chunk uses a different IV. cryptomator uses 32 KiB chunks vs. gocryptfs, which uses 4 KiB chunks.
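Here is an added example (my own, not either project's code; it needs the `cryptography` package) of the chunked AES-256-GCM layout just described: each chunk gets a fresh random nonce, and as a design detail I assume rather than take from the post, the chunk index and a per-file id are bound into the associated data so that a chunk cannot be silently reordered or spliced in from another file. The 4 KiB chunk size and the sample data are constructed for the demo.

```python
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

CHUNK_SIZE = 4096      # constructed; the post gives 32 KiB for cryptomator and 4 KiB for gocryptfs
NONCE_LEN = 12


def _aad(file_id: bytes, index: int) -> bytes:
    # Associated data ties the chunk to its file and its position, so a chunk cannot be
    # moved to another index or another file without failing authentication (assumed design).
    return file_id + struct.pack(">Q", index)


def encrypt_file(content_key: bytes, file_id: bytes, plaintext: bytes) -> list[bytes]:
    aead = AESGCM(content_key)
    chunks = []
    for index, offset in enumerate(range(0, len(plaintext), CHUNK_SIZE)):
        nonce = os.urandom(NONCE_LEN)    # fresh per chunk: a GCM nonce must never repeat under one key
        body = plaintext[offset:offset + CHUNK_SIZE]
        chunks.append(nonce + aead.encrypt(nonce, body, _aad(file_id, index)))
    return chunks


def decrypt_file(content_key: bytes, file_id: bytes, chunks: list[bytes]) -> bytes:
    aead = AESGCM(content_key)
    out = bytearray()
    for index, blob in enumerate(chunks):
        out += aead.decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], _aad(file_id, index))
    return bytes(out)


def _fails_auth(fn) -> bool:
    try:
        fn()
        return False
    except InvalidTag:
        return True


def demo() -> dict:
    key = AESGCM.generate_key(bit_length=256)
    file_id = os.urandom(16)
    plaintext = os.urandom(2 * CHUNK_SIZE + 123)   # constructed: three chunks, the last one partial
    chunks = encrypt_file(key, file_id, plaintext)
    other = encrypt_file(key, os.urandom(16), plaintext)   # same key, different file id

    return {
        "chunk_count": len(chunks),
        "roundtrip": decrypt_file(key, file_id, chunks) == plaintext,
        "fresh_nonces": len({c[:NONCE_LEN] for c in chunks}) == len(chunks),
        # reordering chunks, or splicing in a chunk from another file, fails authentication
        "swap_detected": _fails_auth(lambda: decrypt_file(key, file_id, [chunks[1], chunks[0], chunks[2]])),
        "splice_detected": _fails_auth(lambda: decrypt_file(key, file_id, [other[0]] + chunks[1:])),
        # dropping trailing chunks is NOT caught by per-chunk tags alone: the total length
        # (or a final-chunk marker) has to be authenticated separately
        "truncation_undetected": decrypt_file(key, file_id, chunks[:2]) == plaintext[:2 * CHUNK_SIZE],
    }
```

The last entry is the caveat worth remembering when evaluating any chunked-AEAD format: per-chunk tags and index binding stop reordering and cross-file splicing, but they say nothing about whether the file is complete, so a real design has to authenticate the file length or mark the final chunk as well.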

File/directory names

Both support encrypting file names and paths to minimize information leakage; however, neither obfuscates or flattens the directory structure, so some information can still be gleaned.

cryptomator uses AES-SIV while gocryptfs uses EME. Both bind the encrypted name to its parent directory to account for file movement, and both have name-shortening methods to satisfy the filename-length limits of different cloud providers.

Implementation Security

Both have been audited and have their security audits publicly available; however, cryptomator doesn't make theirs obvious to find, while gocryptfs advertises it.

Syncing Encrypted Files

Both rely on the user to store the encrypted files within a storage provider's synced directory that they've already set up. cryptomator's UI does offer to set the path for some well-known providers like Google Drive and Dropbox.

Conclusion

Overall, their implementation and methodology are similar enough, but cryptomator excels at user friendliness, usability, and platform support.
