Feature: let user choose an encryption algorithm for a repository #894
Comments
Hi, you can use
Here, XChaCha20-Poly1305 does not use AES at all.
@rfjakob I don't see any information in the docs about how to use the Twofish cipher, Serpent or at least Kuznyechik. Also, there is no info about cascade cipher modes.
Sorry, there are no cascade cipher modes, and the ciphers listed above are
the only options.
On Thu, 23 Jan 2025, 23:49 Robert Vitonsky wrote:
> @rfjakob I don't see any information in the docs about how to use the Twofish cipher, Serpent or at least Kuznyechik.
> Also, there is no info about cascade cipher modes.
What do you think about adding some ciphers (at least those I listed above) and maybe even a cascade encryption mode? I've created another issue about it, #895. gocryptfs looks interesting, but for me as a user it is suspicious that I can use only encryption algorithms that are in wide use nowadays, for which there is even a lot of hardware to accelerate their performance (it works for attackers too), but I can't choose an alternative that I trust. If you have at least 2 encryption implementations (maybe 3 if you count another AES mode), then we just have to find other cipher implementations for golang, implement some bindings for gocryptfs and provide an option to use the new algorithms.
The problem
Hey, I just found gocryptfs and it feels good, but as I understand it, gocryptfs supports only AES encryption.
That's good and fast, but it looks like gocryptfs is just yet another tool curated by the CIA that lets users encrypt data in a way that will be unbreakable by random people on the internet and easy to decrypt by the government, since AES encryption is designed and selected by the US government.
We know how it works, and we have a lot of cases like DES, where the algorithm was designed by the government this way to make it resistant to usual people and even small groups of people, since they don't have powerful enough computers, but weak against the resources available to the government.
The key problem I see in the gocryptfs design is that the user has no chance to choose another algorithm that would be resistant to attackers who know about weaknesses and backdoors in AES and have the resources to attack it.
The solution
Implement alternative algorithms to encrypt data and provide an option to set up a new repository with a specific algorithm or even a cascade of algorithms like `aes->twofish->serpent` or `twofish->kuznyechik`. You may check the example with the list of available algorithms in VeraCrypt.
In the case of cascade encryption we have to use derived keys for every algorithm.
This feature would allow users to choose encryption they trust.
I think the implementation should not be difficult, since we just have to implement a new variant of the cipher with the same interface.
A custom algorithm will probably have worse performance than AES, but that's not a problem for people who are concerned about security over performance.
Usage could look like this:
gocryptfs --init --cipher twofish
gocryptfs --init --cipher twofish,serpent
gocryptfs --init --cipher aes,kuznyechik,serpent
Information about the algorithm used would be added to the config file in the repository.
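
Added example, not part of the original issue and not gocryptfs code: one way to get the "derived keys for every algorithm" that the request mentions, by expanding a single master key with HKDF (RFC 5869) under a distinct label per cascade layer. `hkdfSHA256`, `DeriveLayerKeys` and the label format are assumptions made for this sketch; the cipher names are only labels, and no cipher is implemented here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// hkdfSHA256 is HKDF (RFC 5869) extract-then-expand with HMAC-SHA256.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, t []byte
	for ctr := byte(1); len(out) < n; ctr++ {
		h := hmac.New(sha256.New, prk)
		h.Write(t)
		h.Write(info)
		h.Write([]byte{ctr})
		t = h.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// DeriveLayerKeys (hypothetical helper) parses a cascade spec such as
// "aes,kuznyechik,serpent" and returns one independent 32-byte key per layer.
func DeriveLayerKeys(master []byte, spec string) ([][]byte, error) {
	if len(master) < 32 {
		return nil, errors.New("master key shorter than 32 bytes")
	}
	var keys [][]byte
	for i, name := range strings.Split(spec, ",") {
		if name = strings.TrimSpace(name); name == "" {
			return nil, fmt.Errorf("empty cipher name at position %d", i)
		}
		// Position and name both enter the label, so a repeated cipher still gets its own key.
		info := fmt.Sprintf("cascade layer %d: %s", i, name)
		keys = append(keys, hkdfSHA256(master, nil, []byte(info), 32))
	}
	return keys, nil
}

func main() {
	master := make([]byte, 32) // constructed all-zero sample key, demo only
	keys, _ := DeriveLayerKeys(master, "aes,kuznyechik,serpent")
	fmt.Printf("%x\n%x\n%x\n", keys[0], keys[1], keys[2])
}
```

Because each layer key comes from a separate HKDF label, recovering the key of one layer reveals nothing about the keys of the others or about the master key.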