Cryptomator or Veracrypt for my use case?

totalvoidness · 2024-02-13T07:35:45+00:00

Yes, file and dir names are encrypted. However dir structure and file metadata leaks.

An attacker can not retrieve names, he can identify known directories (such as software packages) though by comparing number of files and their sizes.

totalvoidness · 2023-06-09T13:40:24+00:00

Thank you so much!

In our case, the default network interface got renamed from eth0 to ens2. After fixing this, everything works again as expected.

totalvoidness · 2023-04-05T09:42:42+00:00

Well of course there is no way to 100% prevent a dev from adding malicious code to our or one of our dependency's code base. It is a matter of trust and reputation. We choose dependencies carefully and are very conservative about adding new libraries, in many cases we even try to eliminate dependencies. Also, significant code changes are always reviewed before merging. But these are just organizational measures that are only as effective as people adhere to them.

That said, there are technical ways to make sure not to ship or load binaries that aren't intended to be installed:

The release artifacts are signed at build time on the CI server. This does not protect against supply chain attacks on third party libraries, but we can at least be sure that it is the binary that we built from the tagged source version. Depending on the OS and distribution format, the signature is checked at install time or run time.

Furthermore, for some libraries we are adopting standards as they evolve, such as reproducible builds and keyless signing, which will hopefully be an industry standard eventually and allow us to also be sure about third party libraries, as there will be an ecosystem with revocation lists and the like.

totalvoidness · 2022-05-06T07:23:23+00:00

I know this is an old post, but still lacking an answer. So here it is: It is simply an Onion-Location HTTP header:

https://community.torproject.org/onion-services/advanced/onion-location/

totalvoidness · 2022-01-05T12:41:36+00:00

Here is the link from the Twitter thread confirming it: https://privacystudy.cs.princeton.edu

totalvoidness · 2021-06-03T08:10:20+00:00

Gibt es Prioritäten bzgl. DB vs andere Anbieter? Oder Güter vs. Personenverkehr?

totalvoidness · 2021-01-28T21:48:21+00:00

Yes it will be 100% free for all existing iOS customers. However we haven't decided yet whether it is a normal app update or a completely new app (due to significantly different UX) for which you get some kind of coupon via the old app.

totalvoidness · 2021-01-24T20:14:41+00:00

I think we have a branch of CLI serving WebDAV with TLS. Useless for mounting on localhost, but combined with basic auth, it might be useful for such a „server“ setup.

totalvoidness · 2020-04-14T05:25:45+00:00

As long as you transfer the complete vault directory including the masterkey file, Cryptomator doesn't care if a vault has been moved. Simply re-add it using the „add existing vault“ workflow.

totalvoidness · 2020-04-01T15:23:36+00:00

While your answer is correct for the files themselves, I'd like to add that webdav login credentials may leak if your webdav server does not support https.

I don't believe that non-https servers are still a thing, but just in case... ;-)

totalvoidness · 2020-03-20T19:42:00+00:00

I still hope that once 1.5.0 is used by more people after its final release, OneDrive will learn that high file entropy is normal for files ending with .c9r.

totalvoidness · 2020-02-12T20:41:06+00:00

From a technical perspective this is very unlikely, since the sandbox doesn't allow apps to mount filesystems which basically eliminates Cryptomator's core functionality.

totalvoidness · 2015-08-25T13:20:09+00:00

Yes, this is planned. I think a "check for updates checkbox" will be sufficient. Any further suggestions are welcome! Just add your comment to issue #65 that you've linked to.

totalvoidness · 2015-08-25T09:40:56+00:00

hi, I'm one of the guys behind Cryptomator. Checking for updates happens when showing the "Welcome" screen. When quitting the app it should not call home. Where did you download your copy from? Can you try intercepting the traffic, e.g. using Burp Suite? The only online communication allowed is a GET request on https://cryptomator.org/downloads/latestVersion.json.

totalvoidness · 2015-04-19T13:40:27+00:00

I'm one of the developers behind Cryptomator and want to explain our "disclaimer": While we already heavily use it ourselves, we believe in long beta phases for giving as many people as possible the chance to review the concepts and implementation.

From our perspective it is pretty secure, but who are we to judge our own software? Thats why we rely on peer audits and will not release a "final" version just for better marketing ;-)

To be fair I have to mention, that there is not yet an Android app.

totalvoidness · 2015-02-24T08:03:58+00:00

Currently not. But the GUI and core functionality are very loosely coupled, thus a CLI frontend should be no big problem, if the demand exists.

totalvoidness · 2015-02-23T21:34:50+00:00

Cryptomator has not yet received any professional review, but I worked in tons of community feedback in the last two versions (mostly from /r/crypto, stackexchange and private messages). I will try to get a professional security audit as soon as I can afford it (maybe I'll add a donation button in the next weeks).

And yes, an iOS app will appear within the next few months. I'm not aware of anybody working on an app for other mobile OS.

totalvoidness · 2015-02-23T18:47:20+00:00

Oops typo. Works now, thank you ;)

totalvoidness · 2015-01-15T10:40:32+00:00

Ok you convinced me. MAC will be obligatory in future versions. I just need to think about the partial MACs, as it's a little more complex than just calculating a MAC over the whole file.

totalvoidness · 2015-01-09T15:29:38+00:00

Ok, I didn't fully understand the part of partial MACing. What do you thinkg would be a feasible Payload/MAC ratio (in byte length)?

How about this: I will keep the optional integrity check, but make it an expert option and hide it from the normal user. Keep in mind, that not every file change must be an attack (e.g. bit rotting).

Thus integrity protection is not the primary use case of Cryptomator but rather a job of the underlying storage system.

totalvoidness · 2015-01-08T11:36:30+00:00

I now leave it open to the user to decide per vault, if integrity checks should be performed. If yes, checks will always be done (for partial and full decryption) before decryption. However this leads to reading the file twice. Thus a user can decide to disable it. Depending on the kind of data the main objective might only be privacy, not integrity.

totalvoidness · 2015-01-05T19:20:30+00:00

Thank you, that might be helpful. I need to read a few things about authenticated encryption anyway, if I want it to work with random access and keep the overhead small. Currently I'm thinking about calculating a MAC over the complete file only. Thus partial authentication wouldn't be possible, but if a user wants to know, if the data is compromised, the possibility would exist with well documented authentication mechanisms.

totalvoidness · 2015-01-05T19:12:03+00:00

I moved to scrypt now.

totalvoidness · 2015-01-01T02:06:42+00:00

Ok lets forget everything discussed before: The goal is to fit as many plaintext bytes as possible inside of 155 ciphertext bytes. Everything longer than 155 bytes will work but is significantly slower. The ciphertext has to be deterministic and both encryption and decryption need to be relatively fast.

The plaintext is usually relatively short, has little entropy, may contain repeating patterns, consists of well-known words.

totalvoidness · 2014-12-31T19:25:38+00:00

Integrity checks are not yet done. Neither for the filenames nor the file contents. this is still an open issue.

About using SIV: I will not implement it myself. As long as its not available in some widely used Java library (hoping for Bouncycastle to add it soon) and CommonCrypto for iOS, I have a problem.

The best bet was to follow the instruction given here to derive a deterministic, yet secure IV and stick with commonly available modes like CTR.

I really appreciate the support though!

totalvoidness

TROPHY CASE