Detailed analysis of four schemes for superimposing encrypted file systems on cloud storage

The goal is simple: many of the files in my cloud storage are quite private, and putting them there in the clear is frightening. Cloud storage providers use a variety of measures to protect you, but there is no absolute security. If the password leaks, or worse, the provider itself leaks, your files are suddenly naked on the internet.

What is the easiest solution? Put a layer of encryption on top of the underlying storage. Because the backing store is cloud storage, block-device encryption schemes such as LUKS cannot be used: what you would sync to the cloud is one enormous block image, and on every modification the cloud client would have to work out a differential upload. That is far too painful. The right solution is to encrypt each file separately and upload each one on its own. Even so, encrypting large files still affects upload efficiency; keep that in mind up front.


It should also be noted that an encrypted file system for cloud storage differs from an ordinary encrypted file system. Many encrypted file system daemons assume they are the only process accessing the encrypted content, whereas a cloud-synced directory can receive modifications from a remote source at any time. This causes some problems.

Options

I compared four candidates: EncFS, CryFS, GoCryptFS and eCryptFS. The method was to create an encrypted directory with each of the four, then run different kinds of write tests against it and look at the resulting numbers. Incidentally, if you want a feature comparison, there is already a comparison table for these projects; I simply reproduced the numbers on my own machine and looked at each feature myself.

Test commands:

time dd if=/dev/zero of=test bs=1048576 count=1024

time dd if=/dev/zero of=test bs=1024 count=1048576

time tar xf linux-4.13.12.tar.xz

For reference, unpacking the kernel source directly on the bare disk took 7.568s and used 870M of space.
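To make the three tests above repeatable against any candidate, here is a small harness (added for this page, not the author's script) that runs the same dd and tar commands inside the plaintext mount, times each one, and computes the expansion of the backing ciphertext directory relative to what the plaintext occupies. It assumes a POSIX system with dd and tar on PATH; the mount point, ciphertext directory and tarball path are arguments you supply.

```python
"""Reproduce the post's three write tests against an encrypted mount.

Added example for this page (not the author's script).  Assumes a POSIX
system with `dd` and `tar` on PATH.  Paths are supplied on the command line:
  python bench.py <plaintext mount> <ciphertext dir> <kernel tarball>
"""
import os
import subprocess
import sys
import time
from typing import Dict, Sequence


def run_timed(cmd: Sequence[str], cwd: str) -> float:
    """Run cmd inside cwd and return wall-clock seconds (what `time` calls real)."""
    t0 = time.perf_counter()
    subprocess.run(list(cmd), cwd=cwd, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return time.perf_counter() - t0


def tree_bytes(path: str) -> int:
    """Total apparent size of all files under path (like du -s --apparent-size)."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            total += os.lstat(os.path.join(root, name)).st_size
    return total


def expansion_pct(plain_bytes: int, cipher_bytes: int) -> float:
    """Ciphertext overhead relative to plaintext, in percent, 2 decimals."""
    return round((cipher_bytes - plain_bytes) / plain_bytes * 100, 2)


def benchmark(mount: str, cipher_dir: str, tarball: str) -> Dict[str, float]:
    """Run time1/time2/time3 inside `mount`; size3 is measured on the ciphertext side."""
    test_file = os.path.join(mount, "test")
    results: Dict[str, float] = {}
    # time1: 1 GiB sequential write in 1 MiB blocks
    results["time1"] = run_timed(
        ["dd", "if=/dev/zero", f"of={test_file}", "bs=1048576", "count=1024"], mount)
    # time2: the same 1 GiB written in 1 KiB blocks (many small writes)
    results["time2"] = run_timed(
        ["dd", "if=/dev/zero", f"of={test_file}", "bs=1024", "count=1048576"], mount)
    # delete time: the post noted CryFS alone needed more than 1 s here
    t0 = time.perf_counter()
    os.remove(test_file)
    results["rm"] = time.perf_counter() - t0
    # time3: unpack the kernel source (many small files)
    results["time3"] = run_timed(["tar", "xf", os.path.abspath(tarball)], mount)
    plain = tree_bytes(mount)          # what the bare disk would hold
    cipher = tree_bytes(cipher_dir)    # what actually gets synced to the cloud
    results["size3"] = cipher
    results["expansion_pct"] = expansion_pct(plain, cipher)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(__doc__)
    for key, val in benchmark(*sys.argv[1:]).items():
        print(f"{key:>14}: {val:.3f}" if isinstance(val, float) else f"{key:>14}: {val}")
```

The post's size column looks like du -sh output, which counts allocated blocks; this harness uses apparent size so that the expansion figure does not depend on the host filesystem's block allocation. Run it once per candidate with a freshly mounted, empty directory, and with a tarball on a different disk so that reading it does not skew the tar timing.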

Data comparison

+-----------+---------+-------+---------+-------+---------+-------+------------------------+
|           | time1   | size1 | time2   | size2 | time3   | size3 | comment                |
+-----------+---------+-------+---------+-------+---------+-------+------------------------+
| EncFS     | 13.210s | 1.1G  | 39.039s | 1.1G  | 26.496s | 894M  |                        |
| CryFS     |  9.327s | 1.1G  | 21.230s | 1.1G  | 42.918s | 2.5G  | deleting test: 2.804s  |
| GoCryptFS |  3.515s | 1.1G  | 28.180s | 1.1G  | 19.874s | 918M  |                        |
| eCryptFS  |  3.132s | 1.1G  | 10.218s | 1.1G  |  9.448s | 1.4G  |                        |
+-----------+---------+-------+---------+-------+---------+-------+------------------------+

Interpretation

First, how to read the table. time1 is sequential write performance, time2 is small-block (discrete) write performance, time3 is small-file write performance, and size3 is the space expansion for a large number of small files. size1 and size2 carry no useful information: a 1 GiB file of zeros comes out at 1.1G on every system.

Performance first. The best performer is eCryptFS, which is no surprise: it is the only one of the four that runs in kernel mode and is integrated with the kernel. GoCryptFS comes second. EncFS is much slower. CryFS showed its true colours in the small-file test. What is more, it is the only one where deleting the large test file took more than 1s (2.8s); for the other three the delete was fast enough that I did not record it.

Then the expansion rate, relative to the 870M of the bare-disk unpack. EncFS expands by 2.75%, CryFS by nearly three times, GoCryptFS by 5.52%, and eCryptFS by 65%. EncFS has the lowest expansion, followed by GoCryptFS; CryFS is the worst.

Security

The following are three audit reports by the same author:

EncFS audit report

gocryptfs audit report

eCryptFS audit report

From the reports one can draw these conclusions:

EncFS has security problems that are currently unresolved. The main weakness comes from its file block encryption mode: it is not safe if an attacker can obtain multiple versions of the ciphertext.

GoCryptFS has some security issues that are currently unresolved; the details are described below.

eCryptFS needs further auditing but is currently considered safe.

Conclusion

Perhaps unexpectedly, I ruled out EncFS and eCryptFS first. EncFS because of the security risk. eCryptFS because it is inconvenient to use and does not fit the cloud storage model: every mount requires all the parameters to be entered again, which is tedious. Worse, eCryptFS does not support concurrent access to the encrypted data by another process, which leads to race conditions; for something running in the kernel, that is extremely dangerous. Its expansion rate is also a bit high.

Between CryFS and GoCryptFS I chose GoCryptFS. Although CryFS is the only one that explicitly states it is designed for cloud storage, its expansion rate is too high. Even with cloud storage, the price/performance ratio is worth considering.

So what is the security issue with GoCryptFS? The main risk arises when it is combined with cloud storage: an attacker who knows nothing about the contents of a file can still modify the ciphertext, for example by copying other encrypted files over it or grafting parts of them together. The audit report gives a series of PoCs for this risk. It is very dangerous for users in specific situations, such as people who keep several trusted identity or account credential files in the encrypted area.
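To make the risk concrete, here is a toy model (added for this page; it is not gocryptfs code, and the layout is an assumption chosen for illustration) of the class of design the audit is concerned with: each file gets a random id in its header and every 4 KiB block is authenticated together with that id and its block number, so an attacker who only holds the ciphertext cannot flip bytes, splice blocks between files or reorder blocks without detection, yet can still swap two whole files, because the content is not tied to the name the user sees. The last function shows the obvious mitigation, binding the file name into the authenticated data, stated as an assumption and not as what any of the four tools does. It uses only the standard library: an HMAC-SHA256 keystream with encrypt-then-MAC stands in for the AES-GCM a real tool would use.

```python
"""Why "cannot read, but can modify the ciphertext" matters for an encrypted
directory synced to the cloud.

Added example for this page.  NOT gocryptfs code: it only models the class of
issue the audit describes.  Stdlib only; an HMAC-SHA256 keystream with
encrypt-then-MAC stands in for AES-GCM.  The layout (16-byte file id, 4 KiB
blocks, AAD = file id || block number, optionally || file name) is an
assumption made for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

FILE_ID = 16                 # random per-file id stored in the header
BLOCK = 4096                 # plaintext bytes per block
NONCE = 16
TAG = 32
STEP = NONCE + BLOCK + TAG   # ciphertext bytes per full block
Keys = Tuple[bytes, bytes]   # (encryption key, MAC key)


class AuthError(Exception):
    """Raised when a block's tag does not verify (tampering detected)."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream from HMAC; fine for a demo, use AES-GCM in practice.
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key: bytes, mac_key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag covers aad, nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, aad: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    want = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise AuthError("tag mismatch")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def _aad(file_id: bytes, block_no: int, name: Optional[str]) -> bytes:
    # Binding the file id and block number defeats block splicing and reordering;
    # binding the name (when given) additionally defeats whole-file swaps.
    aad = file_id + block_no.to_bytes(8, "big")
    return aad + name.encode() if name is not None else aad


def encrypt_file(keys: Keys, plaintext: bytes, name: Optional[str] = None) -> bytes:
    """Header (random file id) followed by independently sealed blocks."""
    enc_key, mac_key = keys
    file_id = secrets.token_bytes(FILE_ID)
    out = bytearray(file_id)
    for n, off in enumerate(range(0, len(plaintext), BLOCK)):
        out += seal(enc_key, mac_key, _aad(file_id, n, name), plaintext[off:off + BLOCK])
    return bytes(out)


def decrypt_file(keys: Keys, blob: bytes, name: Optional[str] = None) -> bytes:
    """Raises AuthError if any block was altered, moved or re-ordered.
    (Dropping trailing blocks is still undetected: there is no length binding.)"""
    enc_key, mac_key = keys
    file_id, body = blob[:FILE_ID], blob[FILE_ID:]
    out = bytearray()
    for n, off in enumerate(range(0, len(body), STEP)):
        out += unseal(enc_key, mac_key, _aad(file_id, n, name), body[off:off + STEP])
    return bytes(out)


# --- attacker helpers: operate on ciphertext only, no key needed ---
def get_block(blob: bytes, n: int) -> bytes:
    off = FILE_ID + n * STEP
    return blob[off:off + STEP]


def put_block(blob: bytes, n: int, block: bytes) -> bytes:
    off = FILE_ID + n * STEP
    return blob[:off] + block + blob[off + STEP:]


def flip_byte(blob: bytes, i: int) -> bytes:
    return blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]


def detects(keys: Keys, blob: bytes, name: Optional[str] = None) -> bool:
    """True if the mount would refuse to decrypt this ciphertext."""
    try:
        decrypt_file(keys, blob, name)
        return False
    except AuthError:
        return True


def read_from_store(keys: Keys, store: Dict[str, bytes], name: str, bind_name: bool) -> bytes:
    """Model the mount reading plaintext file `name` from the synced ciphertext directory."""
    return decrypt_file(keys, store[name], name if bind_name else None)
```

With bind_name=False, swapping the two ciphertext blobs in the store makes reading "a.txt" silently return the contents of "b.txt", which is exactly the scenario that matters when the directory holds several credential files. Name binding fixes the swap but has its own cost: a rename now requires re-encrypting the file, which is one reason real designs treat this as a trade-off rather than a free fix.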

Fortunately, I have no such requirement. GoCryptFS's expansion rate is small (only EncFS is lower), which is completely acceptable; its performance is good, second only to eCryptFS; it is very convenient to use; and it provides good security features. Weighing all of the above, I chose GoCryptFS as the encrypted file system to layer on top of cloud storage.
