
Changes between Version 44 and Version 45 of help/en/howto/cryptomator


Timestamp:
Jul 14, 2017 8:25:00 AM (2 years ago)
Author:
dkocher
Comment:

--

  • help/en/howto/cryptomator

    v44 v45  
    1515* no online services, no subscriptions, no accounts
    1616* no need to share your cloud storage provider credentials
    17 
    18 == Encryption Security Architecture ==
    19 
    20 Please refer to [https://cryptomator.org/architecture/ Cryptomator security overview] for more details.
    21 
    22 === Masterkey ===
    23 
    24  Each vault has its own 256 bit encryption as well as MAC masterkey used for encryption of file specific keys and file authentication, respectively.
    25  Both keys are encrypted using RFC 3394 key wrapping with a KEK derived from the user's password using scrypt.
    26 
    27 The wrapped keys (with some additional metadata) are remotely stored in a JSON file named `masterkey.cryptomator` located in the root directory of a vault.
    28 
    29 === Filename Encryption ===
    30  Cryptomator uses AES-SIV to encrypt file as well as directory names. Additionally to the name, a unique directory ID of its parent directory is passed as associated data. This prevents undetected moving of files between directories.
    31 
    32 === File Header Encryption ===
    33 
    34  The file header stores certain metadata, which is needed for file content encryption. It consists of 88 bytes.
    35 
    36  * 16 bytes nonce used during header payload encryption
    37  * 40 bytes AES-CTR encrypted payload consisting of:
    38  * 8 bytes filled with 1 for future use (formerly used for file size)
    39  * 32 bytes file content key
    40  * 32 bytes header MAC of the previous 56 bytes
    41 
    42  === File Content Encryption ===
    43 
    44  The cleartext is broken down into multiple chunks, each up to 32 KiB + 48 bytes consisting of:
    45 
    46  * 16 bytes nonce
    47  * up to 32 KiB encrypted payload using AES-CTR with the file content key
    48  * 32 bytes MAC of
    49   * file header nonce (to bind this chunk to the file header)
    50   * chunk number as 8 byte big endian integer (to prevent undetected reordering)
    51   * nonce
    52   * encrypted payload
    5317
    5418== Create new Vault ==
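Review bot: in the File Header Encryption list (v44 lines 37-39) the two payload components ("8 bytes filled with 1 for future use" and "32 bytes file content key") sit at the same indentation as the "40 bytes AES-CTR encrypted payload consisting of:" item, so a reader counting fields gets five header fields instead of three; indent them one level, the way the MAC inputs are nested under "32 bytes MAC of" in the File Content section (lines 48-52). While touching that line, state the reserved field as a concrete byte value ("8 bytes of 0xFF" or "8 bytes, all bits set") since "filled with 1" can be read as the byte 0x01 or as all-ones. The arithmetic itself is consistent: 16 + 40 + 32 = 88 bytes as stated, and a MAC over "the previous 56 bytes" covers exactly the nonce plus the encrypted payload.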
     
    10064* To delete a vault it cannot be unlocked. Choose ''Cancel'' in the vault password prompt to skip unlocking the vault after selecting the vault folder for delete.
    10165
     66== Encryption Security Architecture ==
     67
     68Please refer to [https://cryptomator.org/architecture/ Cryptomator security overview] for more details.
     69
     70=== Masterkey ===
     71
     72 Each vault has its own 256 bit encryption as well as MAC masterkey used for encryption of file specific keys and file authentication, respectively.
     73 Both keys are encrypted using RFC 3394 key wrapping with a KEK derived from the user's password using scrypt.
     74
     75The wrapped keys (with some additional metadata) are remotely stored in a JSON file named `masterkey.cryptomator` located in the root directory of a vault.
     76
     77=== Filename Encryption ===
     78 Cryptomator uses AES-SIV to encrypt file as well as directory names. Additionally to the name, a unique directory ID of its parent directory is passed as associated data. This prevents undetected moving of files between directories.
     79
     80=== File Header Encryption ===
     81
     82 The file header stores certain metadata, which is needed for file content encryption. It consists of 88 bytes.
     83
     84 * 16 bytes nonce used during header payload encryption
     85 * 40 bytes AES-CTR encrypted payload consisting of:
     86 * 8 bytes filled with 1 for future use (formerly used for file size)
     87 * 32 bytes file content key
     88 * 32 bytes header MAC of the previous 56 bytes
     89
     90 === File Content Encryption ===
     91
     92 The cleartext is broken down into multiple chunks, each up to 32 KiB + 48 bytes consisting of:
     93
     94 * 16 bytes nonce
     95 * up to 32 KiB encrypted payload using AES-CTR with the file content key
     96 * 32 bytes MAC of
     97  * file header nonce (to bind this chunk to the file header)
     98  * chunk number as 8 byte big endian integer (to prevent undetected reordering)
     99  * nonce
     100  * encrypted payload
     101
    102102== References ==
    103103 * [https://cryptomator.org/ Cryptomator]
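Review bot: the re-added block is byte-for-byte the text removed above, so the wording nits travel with it and are cheapest to fix now: v45 line 72 reads more clearly as "Each vault has two 256-bit master keys, an encryption key and a MAC key, used respectively to wrap file-specific keys and to authenticate files"; line 78 should say "In addition to the name" rather than "Additionally to the name"; line 75 "remotely stored" is better as "stored on the remote storage alongside the vault's files"; and the heading at line 90 ("=== File Content Encryption ===") carries a leading space that the other headings at lines 70, 77 and 80 do not, so make it consistent. One content suggestion for lines 94-100: since AES-CTR provides confidentiality only, a short clause saying that the per-chunk MAC (over the header nonce, the 8-byte big-endian chunk number, the chunk nonce and the ciphertext) is what gives integrity and prevents chunk reordering or cross-file splicing would make explicit why each of those inputs is listed; the page already names every input, so no new facts are needed.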