# Security Architecture

## Virtual Filesystem

Cryptomator provides a virtual drive. Add, edit, and remove files as you are used to with any other disk drive.

Files are transparently encrypted and decrypted. There are no unencrypted copies on your hard disk drive. With every access to your files inside the virtual drive, Cryptomator encrypts and decrypts these files on the fly.

Currently WinFsp (on Windows), macFUSE (on macOS), and FUSE (on Linux) are our frontends of choice. If they are not available on your system, Cryptomator falls back on WebDAV, as it is supported on every major operating system. WebDAV is an HTTP-based protocol, and Cryptomator acts as a WebDAV server accepting so-called loopback connections on your local machine only.

Whenever your file manager accesses files through this virtual drive, Cryptomator processes the request via the following layers.

## Vault Configuration

Every vault must have a vault configuration file named vault.cryptomator in the root directory of the vault. It is a JWT containing basic information about the vault and a specification of which key to use. The JWT is signed using the 512 bit raw masterkey.

This is an example of an encoded vault configuration file:

When opening a vault, the following steps have to be followed:

1. Decode vault.cryptomator without verification.
2. Read the kid header and, depending on its value, retrieve the masterkey from the specified location.
3. Verify the JWT signature using the masterkey.
4. Make sure format and cipherCombo are supported.

Note the order: the unverified decode in step 1 exists only to read the kid, and the kid must be treated as an untrusted hint about where the key lives, not as data about the vault. Because the signature is computed with the masterkey over the whole payload, a vault.cryptomator whose format or cipherCombo has been altered by someone without the masterkey fails step 3 and never reaches step 4.

## Masterkey Derivation

Each vault has its own 256 bit encryption masterkey as well as a 256 bit MAC masterkey, used for the encryption of file-specific keys and for file authentication, respectively.

These keys are random sequences generated by a CSPRNG. We use SecureRandom with SHA1PRNG, seeded with 440 bits from SecureRandom.getInstanceStrong().

Both keys are encrypted using RFC 3394 key wrapping with a KEK derived from the user's password using scrypt.

## Backup Directory IDs

This layer is optional and not required for a complete implementation of the Cryptomator Encryption Scheme. It does not provide any additional security. Its sole purpose is to increase data recoverability in case of missing or damaged directory files.

By obfuscating the hierarchy of cleartext paths using dir.c9r files, which contain directory IDs, the directory structure becomes more vulnerable to problems like incomplete synchronization or bit rot. When a directory file is missing or damaged, the dirPath cannot be computed, which effectively makes the directory content inaccessible in the virtual filesystem. In theory, the encrypted contents of the files in that directory can still be recovered. But since filename encryption depends on the directory ID of the parent folder, which is stored only in the directory file, the names of all items (files, directories, or symlinks) are lost.

To alleviate this issue, a backup directory file is stored during the creation of a directory. Inside the ciphertext directory, a file named dirid.c9r is created, which contains the directory ID of its parent folder.
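The following is an added example, not code from the Cryptomator project, that walks through the four vault-opening steps from the Vault Configuration section above: it builds a vault.cryptomator token signed with a constructed 512 bit masterkey, then opens it in the prescribed order and shows why a token whose cipherCombo was edited without the masterkey is rejected at the signature step. It assumes HS256 as the JWT algorithm, the kid value `masterkeyfile:masterkey.cryptomator`, a single accepted format (8), and an in-memory dictionary standing in for the lookup of the masterkey at the location the kid names; those details are illustrative assumptions, as is the sample key.

```python
"""Added example: build and open a vault.cryptomator JWT in the four steps from the page.

Assumptions (not taken from the page): HS256 as JWT alg, kid "masterkeyfile:masterkey.cryptomator",
format 8 as the only accepted format, and a dict standing in for the masterkey lookup.
"""
import base64
import hashlib
import hmac
import json

SUPPORTED_FORMATS = {8}                              # assumption for this example
SUPPORTED_CIPHER_COMBOS = {"SIV_GCM", "SIV_CTRMAC"}  # assumption for this example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json_compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def create_vault_config(masterkey: bytes, kid: str, fmt: int, cipher_combo: str) -> str:
    """Sign header.payload with HMAC-SHA256 under the 512 bit raw masterkey."""
    if len(masterkey) != 64:
        raise ValueError("raw masterkey must be 512 bits (encKey || macKey)")
    header = {"kid": kid, "typ": "JWT", "alg": "HS256"}
    payload = {"format": fmt, "shorteningThreshold": 220,
               "jti": "constructed-example-id", "cipherCombo": cipher_combo}
    signing_input = _b64url(_json_compact(header)) + "." + _b64url(_json_compact(payload))
    sig = hmac.new(masterkey, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def open_vault(token: str, key_locations: dict) -> dict:
    """Steps 1-4 from the page, in that order. Returns the verified claims."""
    # Step 1: decode WITHOUT verification. Nothing read here is trusted yet.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    # Step 2: kid only says where to look for the key; it is an untrusted lookup value.
    kid = header.get("kid")
    if kid not in key_locations:
        raise ValueError(f"unknown key location in kid: {kid!r}")
    masterkey = key_locations[kid]
    # Step 3: verify with the masterkey. The algorithm is fixed by us, never chosen by the token.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    expected = hmac.new(masterkey, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("vault.cryptomator signature invalid")
    # Step 4: only now are the claims trustworthy enough to act on.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("format") not in SUPPORTED_FORMATS:
        raise ValueError(f"unsupported vault format: {claims.get('format')!r}")
    if claims.get("cipherCombo") not in SUPPORTED_CIPHER_COMBOS:
        raise ValueError(f"unsupported cipherCombo: {claims.get('cipherCombo')!r}")
    return claims


def tamper_cipher_combo(token: str, new_combo: str) -> str:
    """Edit the payload without re-signing, as an attacker without the masterkey would have to."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["cipherCombo"] = new_combo
    return header_b64 + "." + _b64url(_json_compact(claims)) + "." + sig_b64


if __name__ == "__main__":
    # Constructed key and location; a real vault unwraps the masterkey from the file named by kid.
    masterkey = bytes(range(64))
    kid = "masterkeyfile:masterkey.cryptomator"
    token = create_vault_config(masterkey, kid, 8, "SIV_GCM")
    print("claims:", open_vault(token, {kid: masterkey}))
    try:
        open_vault(tamper_cipher_combo(token, "SIV_CTRMAC"), {kid: masterkey})
    except ValueError as e:
        print("tampered token rejected:", e)
```

The design point is that `open_vault` never lets the token pick the verification algorithm and never reads `format` or `cipherCombo` into a decision before the HMAC check has passed, so the only thing an unauthenticated party can influence is which key location is consulted.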