Other Projects
==============
There are several open-source file encryption solutions for Linux available. In contrast
to disk-encryption software that operates on whole disks (TrueCrypt, dm-crypt etc.), file
encryption operates on individual files that can be backed up or synchronised easily.
This page compares:
* [gocryptfs](https://nuetzlich.net/gocryptfs/) (this project), aspiring successor of EncFS
* [EncFS](https://github.com/vgough/encfs), mature with known security issues
* [eCryptFS](http://ecryptfs.org/), integrated into the Linux kernel
* [Cryptomator](https://cryptomator.org/), strong cross-platform support through Java, WebDAV and [FUSE](https://github.com/SerCeMan/jnr-fuse).
* [securefs](https://github.com/netheril96/securefs), a cross-platform project implemented in C++.
  Older versions stored directories in user-space B-trees
  ([filesystem format 1,2,3](https://github.com/netheril96/securefs/blob/2596467d63631aab264cf7a63de38fd69b2fda78/docs/design.md#full-format-format-version-123)).
  The new default since v0.7.0
  ([filesystem format 4](https://github.com/netheril96/securefs/blob/2596467d63631aab264cf7a63de38fd69b2fda78/docs/design.md#lite-format-format-version-4))
  uses normal directory entries.
* [CryFS](https://www.cryfs.org/), the result of a master's thesis at the KIT University, which uses
  chunked storage to obfuscate file sizes.
If you spot an error or want to see a project added, please
[file a ticket](https://github.com/rfjakob/gocryptfs-website)! See also: [comparison table in the Arch Linux wiki](https://wiki.archlinux.org/title/Data-at-rest_encryption#Comparison_table)
Overview
--------
| | gocryptfs v1.7 | encfs v1.9.5 | ecryptfs v4.19.0 | cryptomator v1.4.6 | securefs v0.8.3 | CryFS v0.10.0 |
| ------------------- | --- | --- | --- | --- | --- | --- |
| First release | 2015 (ref) | 2003 (ref) | 2006 (ref) | 2014 (ref) | 2015 (ref) | 2015 (ref) |
| Language | Go | C++ | C | Java | C++ | C++ |
| License | MIT (ref) | LGPLv3 / GPLv3 (ref) | GPLv2 | GPLv3 (ref) | MIT (ref) | LGPLv3 (ref) |
| Development hotspot | Austria | USA | USA (RedHat) | Germany | China | Germany |
| Lifecycle | Active | Maintenance | Active (ref) | Active | Active | Active |
| File interface | FUSE | FUSE | In-kernel filesystem | FUSE/WebDAV | FUSE | FUSE |
| Platforms | Linux, MacOS, 3rd-party Windows port cppcryptfs, 3rd-party Android port DroidFS | Linux, MacOS, 3rd-party Windows port | Linux | Linux, MacOS, Windows | Linux, MacOS, Windows | Linux, MacOS, Windows (experimental) |
| User interface | CLI, 3rd-party GUI (SiriKali) | CLI, 3rd-party GUI | Integrated in login process | GUI, 3rd-party CLI (ref) | CLI, 3rd-party GUI | CLI, 3rd-party GUI (SiriKali) |
| Reverse Mode | yes (since v1.1, read-only) | yes (limited write support) | no | no | no | no |
General Security
----------------
| | gocryptfs | encfs default | encfs paranoia | ecryptfs | cryptomator | securefs | CryFS |
| ----------------------- | --------- | ------------- | -------------- | ------------------------------------ | ----------- | -------- | ------- |
| Documentation available | Yes [1] | Yes [2] | Yes [2] | No [4] | Yes [3] | Yes [5] | Yes [6] |
| Password hashing | scrypt | PBKDF2 | PBKDF2 | (none, implemented in external tool) | scrypt | PBKDF2 | scrypt |
References:
[[1]](forward_mode_crypto.md)
[[2]](https://github.com/vgough/encfs/blob/439c90e040cc04c036ee0791d830779a6d6bf10e/DESIGN.md)
[[3]](https://cryptomator.org/architecture/)
[[5]](https://github.com/netheril96/securefs/blob/2596467d63631aab264cf7a63de38fd69b2fda78/docs/design.md#lite-format-format-version-4)
[[6]](https://www.cryfs.org/howitworks)
[[4]](http://ecryptfs.org/documentation.html) Actually, there is a lot of ecryptfs documentation, but none of
it seems to describe the crypto used.
File Contents
-------------
| | gocryptfs | encfs default | encfs paranoia | ecryptfs | cryptomator | securefs | CryFS |
| --------------------- | --------- | ----------------------- | ----------------------- | --------------------- | ---------------------- | ---------| --------------------- |
| Tested version | v1.7 | v1.9.5 | v1.9.5 | v4.19.0 | v1.4.6 | v0.8.3 | 0.10.0 |
| | | | | | | | |
| Encryption | GCM [1] | CBC; last block CFB [2] | CBC; last block CFB [2] | CBC | CTR with random IV [3] | GCM | GCM |
| Integrity | GCM | none | HMAC | none | HMAC | GCM | GCM |
| File size obfuscation | no | no | no | yes (4 KB increments) | no [4] | no [5] | yes (chunked storage) |
References:
[[1]](https://github.com/rfjakob/gocryptfs/blob/master/Documentation/file-format.md#file-format)
[[2]](https://github.com/vgough/encfs/issues/9)
[[3]](https://github.com/cryptomator/cryptomator/issues/128#issuecomment-168942517)
[[4]](https://github.com/cryptomator/cryptomator/releases/tag/1.2.0)
[[5]](https://github.com/netheril96/securefs/issues/39)
File Names
----------
| | gocryptfs | encfs default | encfs paranoia | ecryptfs | cryptomator | securefs | CryFS |
| ------------------------ | --------------------- | -------------------- | -------------------- | -------- | ------------ | ------------------ | ------------------ |
| Tested version | v1.4.1 | v1.9.2 | v1.9.2 | v4.12.5 | v1.5.15 AppImage FUSE | v0.7.3-30-g2596467 | 0.9.7-15-g3d52f6a8 |
| | | | | | | | |
| Encryption | EME [4] | CBC | CBC | CBC | AES-SIV | AES-SIV | GCM (dir DB) |
| Prefix leak | no (EME) | no (HMAC used as IV) | no (HMAC used as IV) | yes [2] | no (AES-SIV) | no (AES-SIV) | no (GCM) |
| Identical names leak | no (per-directory IV) | no (path chaining) | no (path chaining) | yes [1] | no [3] {3} | yes [6] | no (GCM) |
| Maximum name length [5] | 255 (since v0.9) {2} | 175 | 175 | 143 | 1024 | 143 | 1024 |
| Maximum path length [5] | 4095 | | | | 4095 | | |
| Directory flattening {1} | no | no | no | no | yes | yes | yes |
References:
[[1]](https://gist.github.com/rfjakob/a04364c55b3ee231078d)
[[2]](https://gist.github.com/rfjakob/61a17bf3c7eb9932d791)
[[3]](https://github.com/cryptomator/cryptomator/commit/3b178030c7a6001c1d070ee181aaae71f760d33f)
[[4]](https://github.com/rfjakob/eme)
[[5]](https://github.com/rfjakob/gocryptfs/blob/master/contrib/maxlen.bash)
[[6]](https://gist.github.com/rfjakob/5ff1591db263d85684ac03fc47009b35)
Notes:
{1} Is the directory tree flattened in the encrypted storage? This
obfuscates the directory structure but can cause problems when
synchronising via Dropbox and similar.
{2} 255 since gocryptfs v0.9, 175 in v0.8 and earlier
{3} cryptomator dropped the use of a random padding in v1.2.0 due to performance concerns.
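
The "Prefix leak" and "Identical names leak" rows can be reproduced with a simplified model. The Go program below is an added example, not the name-encryption code of any project listed here: it encrypts names with AES-CBC under a fixed IV (prefix leak), then under an IV derived by HMAC from the whole name plus a per-directory context. The keys, file names and the `dirContext` parameter are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// EncryptNameCBC pads name (PKCS#7) and encrypts it with AES-CBC under iv.
func EncryptNameCBC(key, iv, name []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pad := aes.BlockSize - len(name)%aes.BlockSize
	buf := append(append([]byte{}, name...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf)
	return buf
}

// DeriveIV makes the IV depend on the whole name and on a per-directory context.
func DeriveIV(macKey, dirContext, name []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write(dirContext)
	mac.Write([]byte{0}) // separator between context and name
	mac.Write(name)
	return mac.Sum(nil)[:aes.BlockSize]
}

// SharedLeadingBlocks counts identical leading 16-byte ciphertext blocks.
func SharedLeadingBlocks(a, b []byte) int {
	bs, n := aes.BlockSize, 0
	for (n+1)*bs <= len(a) && (n+1)*bs <= len(b) && bytes.Equal(a[n*bs:(n+1)*bs], b[n*bs:(n+1)*bs]) {
		n++
	}
	return n
}

func main() {
	key, macKey := bytes.Repeat([]byte{0x42}, 32), bytes.Repeat([]byte{0x17}, 32) // constructed demo keys
	zero, dir := make([]byte, aes.BlockSize), []byte("dirA")
	a, b := []byte("quarterly-report-2023.pdf"), []byte("quarterly-report-2024.pdf") // same first 16 bytes
	fmt.Println("fixed IV:", SharedLeadingBlocks(EncryptNameCBC(key, zero, a), EncryptNameCBC(key, zero, b)))
	fmt.Println("derived IV:", SharedLeadingBlocks(
		EncryptNameCBC(key, DeriveIV(macKey, dir, a), a), EncryptNameCBC(key, DeriveIV(macKey, dir, b), b)))
}
```

With the derived IV, the same name still encrypts identically inside one directory context but differently across contexts, which is the distinction the "Identical names leak" row draws.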
Performance on Linux
--------------------
All tests are run on tmpfs to rule out any influence of the hard disk.
The exact command lines for running the tests are defined in
[canonical-benchmarks.bash](https://github.com/rfjakob/gocryptfs/blob/f0e29d9b90b63d5fbe4164161ecb0e1035bb4af4/tests/canonical-benchmarks.bash).
The box that was used for running the tests has been
upgraded with a new CPU {2}, and unfortunately not all tests have been re-run.
Which CPU was used is noted in the table header.
| | gocryptfs {2} | encfs default {2} | encfs paranoia {1} | ecryptfs {2} | cryptomator {2} | securefs {1} | CryFS {1} |
| ------------------------ | ----------------- | ------------- | ------------------ | --------- | ------------- | ------------------ | ------------------- |
| Tested version | v2.3.2-3-g1a866b7 | v1.9.5 | v1.9.2 | v6.2.13 | v1.5.15 AppImage FUSE | v0.7.3-30-g2596467 | v0.9.7-12-gd9634246 |
| | | | | | | | |
| Streaming write | 482 MiB/s | 122 MiB/s | 51 MiB/s | 323 MiB/s | 57 MiB/s | 132 MiB/s | 69 MiB/s |
| Streaming read | 944 MiB/s | 451 MiB/s | 105 MiB/s | 961 MiB/s | 113 MiB/s | 155 MiB/s | 99 MiB/s |
| Extract linux-3.0.tar.gz | 10.9 s | 13 s | 23 s | 3.9 s | 28 s | 14 s | 41 s |
| md5sum linux-3.0 | 5.1 s | 5.7 s | 10 s | 1.2 s | 15 s | 7.7 s | 42 s |
| ls -lR linux-3.0 | 2.0 s | 2.5 s | 2.9 s | 0.5 s | 4.3 s | 1.2 s | 17 s |
| Delete linux-3.0 | 2.4 s | 3.4 s | 4.4 s | 0.7 s | 10 s | 2.2 s | 21 s |
Notes:
{1} Tested on an Intel Pentium G630 with 2 x 2.7GHz that does NOT have AES instructions
{2} Tested on an Intel Core i5-3470 CPU with 4 x 3.20GHz and AES-NI
Performance on Windows
----------------------
All tests were run on a Toshiba-RD400 M.2/NVMe SSD rated 2.6 GB/s read and 1.6 GB/s write random-access speed.
The operating system used was Windows 7 Professional SP1 running on an Intel Core i7-6700 CPU with 4 x 3.40GHz hyperthreaded and AES-NI.
Tests were run using MSYS-CoreUtils 5.97-3-msys-1.0.13 installed using the MinGW installer. The exact command lines for running the tests are defined in
[canonical-benchmarks.bash](https://github.com/rfjakob/gocryptfs/blob/f0e29d9b90b63d5fbe4164161ecb0e1035bb4af4/tests/canonical-benchmarks.bash) with minor
adjustments required to make the test run in this environment.
| | (NTFS) | cppcryptfs | EncFSMP default | EncFS4Win default | cryptomator | securefs | CryFS |
| ------------------------ | --------------- | ------------------------ | ----------------- | ----------------- | ----------------- | ------------- | ----------------- |
| Tested version | v6.1.7601.24382 | v1.4.0.25 | v0.99.1 | v1.10.1-rc14 | v1.4.6 | v0.8.3 | v0.10.0.1201 {1} |
| Based on | - | gocryptfs 1.4 compatible | EncFS 1.9.5 | EncFS 1.9.1 | - | - | - |
| Driver | (Built-in) | Dokany 1.2.2.1000 | PFM 1.0.0.192 {2} | Dokany 1.2.2.1000 | Dokany 1.2.2.1000 | WinFSP 2019.1 | Dokany 1.2.2.1000 |
| User Interface | - | GUI | GUI (fails to properly display state) | Tray (very basic) | GUI | No {3} | No {3} |
| | | | | | | | |
| Streaming write | 2100 MiB/s {4} | 621 MiB/s | 58 MiB/s | 68 MiB/s | 67 MiB/s | 289 MiB/s | 51 MiB/s |
| Streaming read | 3400 MiB/s {4} | 797 MiB/s | 251 MiB/s | 107 MiB/s | 115 MiB/s | 542 MiB/s | 130 MiB/s |
| Extract linux-3.0.tar.gz | 26 s | 456 s | 793 s | 2121 s | 2497 s | 332 s | 1124 s |
| md5sum linux-3.0 | 51 s | 364 s | 235 s | 1877 s | 1808 s | 235 s | 1254 s |
| ls -lR linux-3.0 | 18 s | 328 s | 166 s | 1269 s | 1722 s | 183 s | 1057 s |
| Delete linux-3.0 | 18 s | 432 s | (427 s) {5} | 1666 s | 2765 s | 260 s | 1007 s |
To the extent this was observed at all during the tests, every one of these
filesystem providers was fully CPU-bound during the small-file tests with
observed disk access speeds never going beyond 15 MiB/s.
Notes:
{1} CryFS considered Windows support “highly experimental” in this version
{2} Closed source component by Pismo Technic Inc
{3} The SiriKali third-party GUI supports CryFS, EncFS4Win and securefs
{4} Yes, these numbers are actually above what the drive is theoretically capable of, so all of these results are likely somewhat skewed
{5} 320 files were not deleted due to *Invalid argument* errors; it is not clear what caused this error, but the logged “Invalid data size, not multiple of block size” messages may indicate corruption
Disk Space Efficiency
---------------------
| | ext4 | gocryptfs | encfs default | encfs paranoia | ecryptfs | cryptomator | securefs | CryFS |
| ------------------------- | --------- | --------- | ------------- | -------------- | --------- | ----------- | ----------------- | ------------------ |
| Tested version | v4.12.5 | v1.4.1 | v1.9.2 | v1.9.2 | v4.12.5 | v1.5.15 AppImage FUSE | 0.7.3-30-g2596467 | 0.9.7-15-g3d52f6a8 |
| | | | | | | | | |
| Empty file {1} | 0 | 0 | 0 | 0 | 8,192 | 88 | 16 | 32,768 |
| 1 byte file {1} | 1 | 51 | 9 | 17 | 12,288 | 137 | 45 | 32,768 |
| 1,000,000 bytes file {1} | 1,000,000 | 1,007,858 | 1,000,008 | 1,007,888 | 1,011,712 | 1,001,576 | 1,006,876 | 1,048,576 {4} |
| linux-3.0 source tree {5} | | | | | | | | |
| ...disk usage {2} | 494 MiB | 512 MiB | 495 MiB | 498 MiB | 784 MiB | 520 MiB | 498 MiB | 1485 MiB |
| ...sum of file sizes {3} | 411 MiB | 416 MiB | 412 MiB | 415 MiB | 784 MiB | 430 MiB | 416 MiB | 1485 MiB |
Notes:
{1} `ls -l` on the encrypted file
{2} `du -sm` on the ciphertext dir, backing filesystem ext4.
{3} `du -sm --apparent-size`.
{4} Counting all 32 chunks ([ref](https://gist.github.com/rfjakob/bdd0ef2bd8f0e94b09ad14f85cd6daec))
{5} Extracted [linux-3.0.tar.gz](https://cdn.kernel.org/pub/linux/kernel/v3.0/linux-3.0.tar.gz)
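
The gocryptfs and ecryptfs rows for single files follow from how each format frames the data, which also illustrates the "File size obfuscation" row under File Contents. The Go sketch below is an added example, not code from gocryptfs or any other project listed: the gocryptfs constants are those of its file format (18-byte header, 4096-byte plaintext blocks, 32 bytes of nonce and tag per block), while the ecryptfs constants are assumptions fitted to the table rows above.

```go
package main

import "fmt"

const (
	gcHeader   = 18   // gocryptfs file header: 2-byte version + 16-byte file ID
	gcPlainBS  = 4096 // plaintext bytes per block
	gcOverhead = 32   // per block: 16-byte nonce + 16-byte GCM tag
	ecHeader   = 8192 // assumption: fitted to the "Empty file" row for ecryptfs
	ecExtent   = 4096 // assumption: fitted to the "4 KB increments" entry
)

// GocryptfsCipherSize maps a plaintext length to the ciphertext file length.
func GocryptfsCipherSize(n int64) int64 {
	if n == 0 {
		return 0 // empty files are stored without a header
	}
	blocks := (n + gcPlainBS - 1) / gcPlainBS
	return gcHeader + n + blocks*gcOverhead
}

// GocryptfsPlainSize inverts the mapping: the ciphertext length alone
// determines the exact plaintext length (no file size obfuscation).
func GocryptfsPlainSize(c int64) int64 {
	if c == 0 {
		return 0
	}
	body := c - gcHeader
	full, rest := body/(gcPlainBS+gcOverhead), body%(gcPlainBS+gcOverhead)
	if rest > 0 {
		rest -= gcOverhead // the last, partial block still carries nonce and tag
	}
	return full*gcPlainBS + rest
}

// EcryptfsCipherSize models the padded on-disk length: header plus whole extents,
// so every plaintext length within one extent yields the same file length.
func EcryptfsCipherSize(n int64) int64 {
	return ecHeader + (n+ecExtent-1)/ecExtent*ecExtent
}

func main() {
	for _, n := range []int64{0, 1, 1000000} {
		c := GocryptfsCipherSize(n)
		fmt.Println(n, c, GocryptfsPlainSize(c), EcryptfsCipherSize(n))
	}
}
```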
Filesystem Features
-------------------
Note: To keep the work of maintaining this table under control, I have only
tested selected projects with respect to filesystem features.
Please file a pull request if you can test the other projects!
The backing filesystem is assumed to be ext4.
| | ext4 | gocryptfs | encfs default | encfs paranoia | ecryptfs | CryFS |
| -------------------- | ---- | --------- | ------------- | -------------- | -------- | ----- |
| hard links | yes | yes | yes | no | yes | no |
| extended attributes | yes | yes {1} | yes {2} | yes {2} | ? | ? |
| fallocate | yes | yes | no | no | no | no |
| fallocate KEEP_SIZE | yes | yes | no | no | no | no |
| fallocate PUNCH_HOLE | yes | no | no | no | no | no |
Notes:
{1} Names and values encrypted
{2} Not encrypted