Cyberduck Mountain Duck CLI

Version 4 (modified by dkocher, on Apr 14, 2021 at 2:25:50 PM) (diff)

--

Cyberduck Help / Howto / Cryptomator / Architecture

Encryption Security Architecture

Please refer to Cryptomator security overview for more details.

Masterkey

Each vault has its own 256 bit encryption as well as MAC masterkey used for encryption of file specific keys and file authentication, respectively. Both keys are encrypted using RFC 3394 key wrapping with a KEK derived from the user's password using scrypt.

The wrapped keys (with some additional metadata) are remotely stored in a JSON file named masterkey.cryptomator located in the root directory of a vault.

Filename Encryption

Cryptomator uses AES-SIV to encrypt file as well as directory names. Additionally to the name, a unique directory ID of its parent directory is passed as associated data. This prevents undetected moving of files between directories.

File Header Encryption

The file header stores certain metadata, which is needed for file content encryption. It consists of 88 bytes.

  • 16 bytes nonce used during header payload encryption
  • 40 bytes AES-CTR encrypted payload consisting of:
  • 8 bytes filled with 1 for future use (formerly used for file size)
  • 32 bytes file content key
  • 32 bytes header MAC of the previous 56 bytes

File Content Encryption

The cleartext is broken down into multiple chunks, each up to 32 KiB + 48 bytes consisting of:

  • 16 bytes nonce
  • up to 32 KiB encrypted payload using AES-CTR with the file content key
  • 32 bytes MAC of
    • file header nonce (to bind this chunk to the file header)
    • chunk number as 8 byte big endian integer (to prevent undetected reordering)
    • nonce
    • encrypted payload

References