Find the answer to your Linux question:
Results 1 to 3 of 3
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1

    Question Potential security problem with Ecryptfs(?)

    Hi everyone!
    I've been playing around with ecryptfs and have been thinking about system security. One thing that worried me with ecryptfs was that the directory/file-structure is visible to anyone even when in encrypted state. Something that came to mind was that someone could simply scan the structure and get a list of all the files and the exact file sizes, this would make it possible to maybe link up some files with files that are available unencrypted elsewhere. So if for example someone would want to investigate if a download of certain files has been done they could simply compare the file-structure and file sizes. I did some tests on my own and concluded that the encypted files (with encrypted filenames) were not the exact same file size as the original unencrypted files and that this would satisfy this security worry.

    However, I just saw this program: h.ttp:// (added a dot because I can't post links yet, <15 posts)
    which does just that, it can scan for ecryptfs file structures and extract the _original_ file sizes and thereby circumvents this security layer completely. I'm now thinking that ecryptfs may not be that secure for other things than "unique" information, files that can't be compared to unencrypted files available somewhere else. Perhaps a block device encryption system such as dm-crypt or truecrypt is more secure in this regard.

    What are your thoughts on this issue?

  2. #2
    Linux Engineer
    Join Date
    Apr 2012
    Virginia, USA
    If you absolutely must have everything encrypted, use full disk encryption, such as LUKS.
    Restrict access to those directories where your sensitive data remains. Even if your files are encrypted, standard security practices should be in place.

  3. #3
    Well, I don't need everything encrypted really. I just don't think it's safe if someone can reverse engineer what files are there.
    I have tried to look this issue up a bit more and it seems that ecryptfs saves files in multiples of 4096 bytes so that means file sizes won't be identical to the unencrypted ones. It is possible to calculate approximate file sizes but not exact, to my understanding. So the forensics tool that I mentioned in my previous post should only be able to find approximate values. I downloaded the tool and with the (very limited) testing I did it did not show file sizes that were close enough for file identification. That's good enough for me...

  4. $spacer_open

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts