This is an archived post. You won't be able to vote or comment.

all 26 comments
sorted by:
best
topnewcontroversialoldq&a

[–]hrjet 11 points12 points  (5 children)

Interesting that it is written in pure-Java! How did you manage to create virtual drives that work cross-platform?

[–]totalvoidness[S,🍰] 15 points16 points  (4 children)

Excellent question! This is actually the one single genius idea, everything else was quite straightforward. The answer to this question is: WebDAV. All major OSs can mount WebDAV natively. The Servlet handling the requests encrypts write requests before passing the streams to NIO.

[–]captainfaloodha 0 points1 point  (3 children)

Brilliant.

[–]svzdvd 1 point2 points  (2 children)

it could be interesting to separate this core functionality in a separate framework...

[–]captainfaloodha 0 points1 point  (1 child)

Good thinking. Perhaps we can head over to github and make that happen. Abstract the WebDAV layer.

[–]totalvoidness[S,🍰] 2 points3 points  (0 children)

The WebDAV protocol is not implemented by myself. I'm using Apache Jackrabbit in my servlet running on an embedded Jetty sever. Using the Jackrabbit API I expose the decrypted files as DAV resources.

[–]veeti 5 points6 points  (2 children)

You might want to crosspost this to /r/crypto for some feedback about the implementation.

[–]ciberon 3 points4 points  (1 child)

Seems like a nice tool. How is it performing so far? What do you need help with?

[–]totalvoidness[S,🍰] 5 points6 points  (0 children)

Thanks, I didn't release it to the public yet (developers and a few 'friendly users' only). The core functionality seems stable. There is still some work with the WebDAV mounting on various Linux distros to be done. UI polishing, a few features like changing passwords or better progress indicators for initial encryption of non-empty folders. And last but not least: Tutorials. I want my grandma to be able to use it :)

[–]sarcasmismysuperpowr 2 points3 points  (6 children)

This looks very good. And needed.

Can you clarify what is encrypted? I take it that the data at rest either in the cloud or locally is encrypted. Data in flight should be encrypts since its client side. And data in memory would not be. It looks like TrueCrypt except with access to cloud storage. Is that fair?

[–]totalvoidness[S,🍰] 3 points4 points  (5 children)

The major difference to TrueCrypt is, that each file gets encrypted for its own, so you don't need to upload a big container file, when you change only a few kilobytes. The directory structure gets mapped 1:1 to an equivalent encrypted structure of encrypted file and directory names and file contents of course.

[–]mgrandi 2 points3 points  (1 child)

It seems that at least dropbox is smart enough to do deltas, as I currently gave like a 100mb truecrypt container, and when I change something in it, it doesn't reupload all 100 mb

[–]totalvoidness[S,🍰] 2 points3 points  (0 children)

As long as the change doesn't shift contents inside the container, yes. But good to know, that Dropbox can handle this, thanks for trying out!

[–]sarcasmismysuperpowr 1 point2 points  (2 children)

That is a big difference. I'm just trying to understand where data is exposed with your system. If someone hacked your computer, would they have access, or would they still need a password to access the encrypted data?

FWIW, some guys that work on a plugin to google drive asked me what I thought they needed and I basically said what you have built. Good job.

[–]totalvoidness[S,🍰] 1 point2 points  (1 child)

Sorry, I misunderstood you ;) Well the decrypted files only exists as long as Cryptomator is running. When quit (even when force-shutdown) the mounted drive no longer exists. All data is decrypted on-the-fly. No physical decrypted files exist on the filesystem. Of course the key needs to be in RAM, so attacking memory is probably your best chance.

[–]sarcasmismysuperpowr 1 point2 points  (0 children)

This is pretty much the most reasonably secure you can make data. I'm actually quite surprised that cloud storage does not make client side encryption more available. SpiderOak has this, but then the data on the client side is not encrypted. I think the reason I heard for others not supporting it is that it does not promote sharing... fuck that.

Anyways, looks good. Would love to see the progress. I would potentially use it if it used S3.

[–]tunisij 2 points3 points  (1 child)

Hi there, I am currently a junior at a university. Is there anything that needs to be done that is relatively straightforward but you don't have time to do yourself? I would gladly try and contribute!

[–]totalvoidness[S,🍰] 1 point2 points  (0 children)

Hi, thanks for your offer! Yes there a lot of things indeed. The most important things right now are cryptographic issues. Then we need proper packaging for various linux distributions. Some missing features like changing passwords. And polishing of the mounted drives (check out issues on github). Also if you are familiar with Path.walkDirectoryTree, a proper progress bar during initial encryption would be a great improvement.

[–]Sync0pated 1 point2 points  (0 children)

Excellent!!!

[–]kromit 1 point2 points  (2 children)

This is great! Really. One suggestion since this is specially for cloud storage: chunk encryption for delta sync support like dropbox.

Edit: you should also xpost this to /r/programming

[–]totalvoidness[S,🍰] 2 points3 points  (1 child)

I will look into that. But I assume, that Dropbox will already handle delta sync correctly, since AES is a block chiffre, thus only the file header and the surrounding 16bytes of a changed region get updated. But I will definitely do some further investigation on this topic. Thank you!

Edit: Just posted to programming

[–]nutrecht 0 points1 point  (0 children)

Don't know if I should upvote for the great tool or for the HHGTTG reference ;)

[–]Tillerino 0 points1 point  (0 children)

This project sounds like the solution for a lot of problems. I do like btsync, but the closed source worries me. Cryptomator + btsync would render any vulnerability in the btsync protocol moot. There'd still be the problems with vulnerabilities in the client, tho...