aboutsummaryrefslogtreecommitdiff
path: root/docs/reverse_mode.md
blob: 3f92edb9641ad0246f687c4c2811dfd44351ecd5 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

Reverse Mode
============

In **reverse mode**, gocryptfs provides an encrypted view of a
plain-text directory. The primary use-case are encrypted backups.

To make reverse mode useful, it uses deterministic encryption using
AES-SIV instead of AES-GCM.

The differences with respect to the "normal" (forward) mode as detailed
on the [Security](security) page are listed below.

File Contents
-------------

File contents are encrypted using AES-SIV-512 (RFC5297). The 512-bit
AES-SIV key is derived from the 256-bit master key by hashing it with
SHA512.

All values that are random in forward mode (File ID, Block IV)
are instead deterministically derived from the encrypted path, 
essentially using a salted hash (detailed in the section "derivePathIV").
As all derived values are explicitely stored in the ciphertext file,
decryption does not depend on knowledge of the derivation.

The encryption process is shown in the diagram below.

![](img/reverse-file-content-encryption.svg)

Notes:

1. The IV is passed to AES-SIV as described in section 3 of RFC5297
2. The block number N is contained in the IV as well as in the AAD.
   Either one or the other would suffice, but this construction simplifies
   the decryption process by keeping it identical to forward mode.
   The "duplication" is considered to not have
   any security impact because S2V (RFC5297 section 2.4) hashes IV and
   AAD independently before XORing them together.

File Names
----------

File name encryption is identical to forward mode, with the exception
that the directory IV (stored in `gocryptfs.diriv`) is not random.
It is deterministically derived, using derivePathIV, from the encrypted
path to the directory.

Because the encrypted path to the root directory is "" (the empty string),
this means that the directory IV in the root directory is always
`0xa8f7bac432ddc1cb3dc74e684d6ae48b = SHA256("\0DIRIV")`.

derivePathIV: Derive IVs from Encrypted Paths
----------------------------------------------

derivePathIV concatenates that encrypted path with a null byte and a
salt string, one of "DIRIV", "FILEID", "BLOCK0IV". The truncated
SHA256-hashes of each are the outputs.

![](img/reverse-derivePathIV.svg)
generated by cgit v1.2.3 (git 2.39.1) at 2025-10-10 21:44:50 +0000