Java Filesystem Provider with integrated encryption
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
src
.gitignore
.travis.yml
LICENSE.txt
README.md
cryptomator.png
pom.xml
suppression.xml

README.md

cryptomator

Build Status Codacy Badge Codacy Badge Known Vulnerabilities

CryptoFS: Implementation of the Cryptomator encryption scheme.

Features

  • Access Cryptomator encrypted vaults from within your Java application
  • Uses a java.nio.file.FileSystem so code written against the java.nio.file API can easily be adapted to work with encrypted data
  • Open Source means: No backdoors, control is better than trust

Security Architecture

For more information on the security details, visit cryptomator.org.

Audits

Finding Comment
1u1-22-001 The GPG key is used exclusively for the Maven repositories, is designed for signing only and is protected by a 30-character generated password (alphabet size: 96 chars). It is iterated and salted (SHA1 with 20971520 iterations). An offline attack is also very unattractive. Apart from that, this finding has no influence on the Tresor apps1. This was not known to Cure53 at the time of reporting.
1u1-22-002 This issue is related to siv-mode.

Usage

CryptoFS depends on Java 8 JRE/JDK. In addition, the JCE unlimited strength policy files (needed for 256-bit keys) must be installed.

Vault Initialization

Path storageLocation = Paths.get("/home/cryptobot/vault");
Files.createDirectories(storageLocation);
CryptoFileSystemProvider.initialize(storageLocation, "masterkey.cryptomator", "password");

Obtaining a FileSystem Instance

You have the option to use the convenience method CryptoFileSystemProvider#newFileSystem as follows:

FileSystem fileSystem = CryptoFileSystemProvider.newFileSystem(
	storageLocation,
	CryptoFileSystemProperties.cryptoFileSystemProperties()
		.withPassphrase("password")
		.withFlags(FileSystemFlags.READONLY) // readonly flag is optional of course
		.build());

or to use one of the standard methods from FileSystems#newFileSystem:

URI uri = CryptoFileSystemUri.create(storageLocation);
FileSystem fileSystem = FileSystems.newFileSystem(
		uri,
		CryptoFileSystemProperties.cryptoFileSystemProperties()
			.withPassphrase("password")
			.withFlags(FileSystemFlags.READONLY) // readonly flag is optional of course
			.build());

Note: Instead of CryptoFileSystemProperties, you can always pass in a java.util.Map with entries set accordingly.

For more details on construction, have a look at the javadoc of CryptoFileSytemProvider, CryptoFileSytemProperties, and CryptoFileSytemUris.

Using the Constructed FileSystem

try (FileSystem fileSystem = ...) { // see above

	// obtain a path to a test file
	Path testFile = fileSystem.getPath("/foo/bar/test");

	// create all parent directories
	Files.createDirectories(testFile.getParent());

	// Write data to the file
	Files.write(testFile, "test".getBytes());

	// List all files present in a directory
	try (Stream<Path> listing = Files.list(testFile.getParent())) {
		listing.forEach(System.out::println);
	}

}

For more details on how to use the constructed FileSystem, you may consult the javadocs of the java.nio.file package.

Building

Dependencies

  • Java 8 + JCE unlimited strength policy files (needed for 256-bit keys)
  • Maven 3

Run Maven

mvn clean install

Contributing to CryptoFS

Please read our contribution guide if you would like to report a bug, ask a question, or help us with coding.

Code of Conduct

Help us keep Cryptomator open and inclusive. Please read and follow our Code of Conduct.

License

This project is dual-licensed under the AGPLv3 for FOSS projects as well as a commercial license derived from the LGPL for independent software vendors and resellers. If you want to use this library in applications that are not licensed under the AGPL, feel free to contact our sales team.


1 The Cure53 pentesting was performed during the development of the apps for 1&1 Mail & Media GmbH.