Encrypted storage with CryFS
Secure file storage is something that’s high up on my list of priorities. All my data is encrypted at rest, mostly using LUKS. Some of my data, however, is synced to various devices using remote file systems (think Nextcloud or Dropbox). I enjoy having a bit of security on top of those services, because I don’t always trust where the data is stored.
For many years, I accomplished this with EncFS, a userland (FUSE) filesystem which basically encrypts the contents of a directory. The encrypted directory can then be synced using your favourite syncing tool (including rsync, of course). Now, EncFS hasn’t been maintained for a while, so I’d been meaning to switch to something else.
Enter CryFS. It’s similar in nature to EncFS: it transparently encrypts a directory, and the encrypted directory can be synced to other devices.
Other solutions exist, such as gocryptfs, but it’s not included in the default Fedora package repository, and I’m a lazy git.
Block size matters
When encrypting my music collection, I encountered a problem. CryFS created millions of files to store some 50k audio files. The storage backend didn’t like that, syncing was very painful, and my local filesystem was unhappy.
Turns out CryFS tries a bit too hard to be secure. In addition to encrypting the contents and names of files, it also tries to hide the sizes of files. It does this by splitting each file into multiple blocks of 32kB each. The average file size in my music collection is 8MB, or some 25 blocks per file! Each block is stored as an encrypted file, which explains the millions of files in the encrypted directory.
The block size can be specified when creating an encrypted directory. Unfortunately, the list of options is rather limited, but of those available, 1MB turned out to be the sweet spot for my use case. This significantly reduced the number of files to be synced: there are now only 9 times more encrypted files than plain files. They do take up a bit more space, roughly 10% more.
Next time you create a CryFS directory, giving the block size some thought will save you some tears.
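To give the block size that thought before creating the directory, here is a small estimator I added (it is not from the post or from the CryFS project). It counts how many block files a set of plaintext file sizes would need at several candidate block sizes and how much space last-block padding costs; it assumes one encrypted file per block and ignores CryFS's own metadata, so the counts are a lower bound, and the block sizes listed are examples rather than CryFS's full option list.

```python
import math
import os
import sys
from dataclasses import dataclass

# Example candidate sizes (assumption: not the full CryFS option list).
# 32kB is the default the post ran into, 1MB is what the post settled on.
CANDIDATE_BLOCK_SIZES = {"32kB": 32 * 1024, "256kB": 256 * 1024, "1MB": 1024 * 1024}


@dataclass
class Estimate:
    plain_files: int
    encrypted_blocks: int
    file_ratio: float        # encrypted block files per plaintext file
    padding_overhead: float  # fraction of plaintext bytes lost to last-block padding


def estimate(sizes, block_size):
    """Model each plaintext file as ceil(size / block_size) encrypted block files.
    Simplifying assumptions: one on-disk file per block, at least one block even for
    an empty file, and no CryFS metadata (tree nodes, headers), so this is a lower bound."""
    if block_size <= 0:
        raise ValueError("block_size must be positive")
    blocks = sum(max(1, math.ceil(s / block_size)) for s in sizes)
    total = sum(sizes)
    overhead = (blocks * block_size - total) / total if total else 0.0
    ratio = blocks / len(sizes) if sizes else 0.0
    return Estimate(len(sizes), blocks, ratio, overhead)


def collect_sizes(root):
    """Sizes of all regular files below root, skipping symlinks."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                out.append(os.path.getsize(path))
    return out


# Constructed sample: a tiny "music collection" of roughly 8MB tracks plus one small tag file.
SAMPLE_SIZES = [8 * 1024 * 1024] * 4 + [7_500_000, 300]

if __name__ == "__main__":
    sizes = collect_sizes(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SIZES
    for label, bs in CANDIDATE_BLOCK_SIZES.items():
        e = estimate(sizes, bs)
        print(f"{label:>6}: {e.encrypted_blocks:>7} block files for {e.plain_files} plain files "
              f"({e.file_ratio:.1f}x), padding overhead {e.padding_overhead:.1%}")
```

Run it with a directory argument to measure a real collection, or without one to see the constructed sample.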
— Elric