27

I've encrypted my Dropbox folder with EncFS according to a few tutorials I found on the web, advocating this approach.

But I've found the following critical statement concerning EncFS's security in this security-audit:

EncFS is probably safe as long as the adversary only gets one copy of the ciphertext and nothing more. EncFS is not safe if the adversary has the opportunity to see two or more snapshots of the ciphertext at different times. EncFS attempts to protect files from malicious modification, but there are serious problems with this feature.

So, as long as they only get one copy of the encrypted files it's fine, but if they get more, it might be dangerous.

Well, when using Dropbox, they would get a hell lot of different snapshots of the encrypted files (since they will be synchronized after every change).

Thus EncFS would be not a secure solution in combination with a cloud-service à la Dropbox, right?

finefoot
  • 213
  • 2
  • 9
steffres
  • 373
  • 1
  • 3
  • 7
  • I would like to add that Dropbox is known for causing corruption on encfs files if you use the default settings (paranoid mode) and move (change the path) files. please check the readme of encfs for dropbox specific instructions. – cesarpachon Mar 05 '21 at 19:08

3 Answers3

19

This is basically a full re-write of the answer as of Feb 2020, with significantly more detail.

EncFS is reliably safe under the kinds of circumstances and threat models that most casual users would expect to encounter, particularly with document-synchronization services like Dropbox. More specifically, it works great when your expectation is something along the lines of: "an attacker cannot read my files."

But it doesn't do so hot when you start chaining more complex assumptions on top of it. This typically happens when the directory you're protecting is used in ways thought up by someone else, like the profile directory of a browser, the data storage of some automation pipeline, or the home directories for all the users in a company. If your expectation is more vague and all-encompassing, like: "attackers will all be thwarted because the directory is encrypted," then this isn't the tool for you.

To make a well-reasoned choice, it helps to understand what trade-offs you're making. So here's what an attacker can do, and under what conditions they can do it.

Metadata

EncFS stores exactly one encrypted file per unencrypted file, and with the same sort of directory structure, the same modification times, and similar file sizes (and filename sizes). So the attacker will know basically all of the metadata about your files. This is an intentional security trade-off, so if this sounds dangerous then EncFS is not for you. You can infer a lot from just dates, sizes, and directory structure, particularly if you're watching over time (see below). This could be all the information the attacker needs in order to deduce certain kinds of behavior. If that matters to you, then it's an example of relying on EncFS to protect more than just the contents of the files, and means you need a different tool.

Of particular note, EncFS supports sparse files, which means that long (very long) runs of zeros aren't encrypted. Any of these empty chunks are readily identifiable in the encrypted store. This is another intentional security trade-off; it can save you a lot of storage space, but at the expense of revealing a bit more about these special kinds of files than you may be comfortable with.

Metadata History

If the attacker can see the changes over time, then they get even more information. They can see which files change and how often, whether the changes influence the file size, and so on. In some cases they can even tell roughly which part of the file was changed.

Dropbox stores some amount of file history (30 days or more, depending on your subscription and settings), which makes this possible even without a persistent presence, though obviously with a limited window.

History-Based Attacks (Passive)

Additionally, if the attacker can see an absolutely vast amount of changes to a single file (perhaps millions), they may be able to leverage that information to gain even more insight at the math level, not just metadata.

Realistically probably not, though. No known attacks actually exist, and Dropbox-synced files generally don't change enough times for the proposed attack patterns to be relevant. And even if they did, Dropbox doesn't just let you download a set of millions of old revisions to a single file.

Write-Based Attacks

If the attacker can write files that you will attempt decrypt, then now you've got some real problems. At the very least, the attacker can selectively delete or destroy files. They may even be able to guess which files to break by using the metadata as a guide. Additionally, they may be able to break only certain parts of a file.

And remember the bit about the sparse files; an attacker can zero out huge chunks of a file by zeroing out the corresponding ciphertext.

Additionally an attacker with write access to your Dropbox could revert the file to a previous version... though that's also an explicit feature of Dropbox. Which sorta brings up the point that if you consider platform features themselves as a serious vulnerability, then you gotta ask yourself whether Dropbox is really what you're looking for to begin with.

And that's the whole point here. There's a lot of benefit to layering client-side crypto on top of a cloud sync service, sort of like a second layer of defense. But if the guarantees you're trying to produce run explicitly counter to the features of the underlying platform, then you're probably trying to hammer a square peg into a round hole. You might be able to produce a functional solution with carefully chosen tools, but your overall experience is going to be worse because the underlying service is optimized for doing precisely what you don't want.

Interactive Attacks

If the attacker can modify the ciphertext and then see what the plaintext was (or whether it successfully gets decrypted at all), then they presumably could make millions or billions of file changes to zero-in the decryption key. There isn't a known attack to actually derive the key. But if they could do it then it'd be the master key for the whole volume, which is the main reason which that fact is worth bringing up. And one of the protections against this (the MAC settings) may be easy for the attacker to disable.

Also, if the attacker has code running on the victim's machine then they may be able to leverage timing information to gain insight into the key. Again no actual known attacks, just speculation. And in these cases, the attacker is typically well-positioned enough to not actually need the key.

Conclusion

For your typical "personal files" use case and with the typical attack model, EncFS is generally fine. If offers a level of protection that would satisfy the average user's expectations, even considering Dropbox's file revision history. The main caveat there is the Metadata thing, since it's the most reliably exploitable part of the story, and people rarely put much thought into how much an attacker can learn from just metadata.

But for more serious protection, especially if this is playing into some sort of automated or shared setup, then you probably want to encrypt a disk image rather than this sort of pass-through system. And you probably don't want Dropbox either.

tylerl
  • 82,225
  • 25
  • 148
  • 226
  • 1
    This is really confusing. The accepted answer says that it is completely fine for protecting file contents, but the answers below state that an attacker could gain access to the contents in certain scenarios. – Maciej Krawczyk Sep 21 '17 at 09:55
  • 1
    @MaciejKrawczyk it depends on what you care about. If you're worried about an attacker finding out the number or size of files, or finding out which files you change, then encfs doesn't do it for you. If knowing that information puts you at risk, then don't use it. Contents aren't directly determinable, but could be inferred if you know more about how the data is used. Mostly it's fine for lite low-intensity use but not recommended for large scale operations. – tylerl Oct 14 '17 at 20:34
  • @finefoot It all comes down to what problems you actually expect the tool to solve. I re-wrote the whole answer to make this all more clear. – tylerl Feb 16 '20 at 22:27
  • Thanks for the great update to your answer @tylerl :-) – Simon East Feb 19 '20 at 06:16
12

As tylerl and user80945 already said, using EncFS in a Dropbox is not secure. More information can be found in this article.

An alternative would be CryFS. It is a new open source project that doesn't have the security vulnerabilities of EncFS, and also encrypts the metadata (e.g. file sizes and directory structure).

Disclaimer: I'm one of the developers of CryFS. We were using EncFS in a Dropbox ourselves and developed an alternative because of the mentioned shortcomings.

Heinzi
  • 239
  • 2
  • 3
  • 1
    In the article about EncFS it says "EncFS is not secure when an attacker gets multiple versions of the same encrypted file at different times. So if you upload your files to your Dropbox and then modify them, they are not securely encrypted anymore." Wouldn't the edited file no longer be the same file? – PKKid Apr 26 '16 at 21:20
  • 1
    It basically means you're screwed if you modify the file back to its original state sometime later (say you added a line in the end and then decided to remove it again). If you never modify it back, you might be safe, although the plaintexts are probably still highly correlated and I wouldn't vouch for security. – Heinzi Apr 28 '16 at 17:40
  • I'm actually not sure what EncFS does when you rename a file. If they reencrypt it, an attacker would get a second ciphertext of the same plaintext. – Heinzi May 03 '16 at 18:58
  • I'd give CryFS a try though as of 2018 the web site still says there is no stable version yet – oᴉɹǝɥɔ Feb 20 '18 at 14:53
  • CryFS looks interesting, but from my brief review of it just now: (1) the Windows version is still unstable, and I got occasional errors; (2) it's very slow - I was only getting ~2mb/sec rates at copying a large file into the folder; (3) it can create *hundreds* if not *thousands* of folders and files on your system, which might explain why it's so slow; and (4) command line only, no GUI (but at least the commands are pretty simple). It *is* apparently more secure, but I'm not confident about the usability yet. – Simon East Feb 14 '20 at 07:15
8

If I understand the security audit report correctly, one should not use encfs for encrypting Dropbox: Dropbox saves several versions of all files and this can be exploited for an attack.

Anyone having access to your Dropbox account has access to these different versions. I do not know how many versions an attacker would need and I am by no means an expert on this subject, hence I cannot judge the impact of this.

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
user80945
  • 81
  • 1
  • 1
  • Welcome to Information Security Stack Exchange! I took the liberty of removing the last part of your answer, as that does not add to the actual answer. If you disagree with my edit, you can roll it back - click on the "edited ... ago" link to go to the edit history, where you have the rollback option. Meanwhile, enjoy your stay! – S.L. Barth Jul 14 '15 at 08:46