
gocryptfs.conf in cloud #50

Closed
bugspencor opened this issue Oct 18, 2016 · 5 comments

Comments

@bugspencor

commented Oct 18, 2016

As a follow-up to issue #37:

Is it safe to upload gocryptfs.conf into the cloud, if the password is strong enough?

If yes, how strong should the password be?

@bugspencor bugspencor changed the title gocryptfs.conf gocryptfs.conf in cloud Oct 18, 2016

@rfjakob

Owner

commented Oct 18, 2016

Yes. Let's do the math:

  • Trying one password takes about 0.3 seconds on my PC. Let's say the attacker can check a million passwords per second.
  • A random 16-character string of hex digits like "b5bb9d8014a0f9b1" has 16*4 = 64 bits of entropy. Brute-forcing this at 1 million passwords per second takes 290,000 years. Computed using Octave:

    >> 2**64/1e6/3600/24/365/2
    ans =    2.9247e+05

  • So I'd go for 64 bits of entropy in the password. If you want to use the xkcd method, use six words instead of four; this will get you 66 bits.
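The arithmetic in the comment above, carried through as an added example in Go (gocryptfs's own language). This is not code from the gocryptfs project or from rfjakob: it takes the comment's attacker model (1e6 guesses per second, i.e. far faster than the ~0.3 s one scrypt unlock costs on a PC) and its entropy figures (4 bits per hex digit, 11 bits per word from a 2048-entry xkcd-style list), works out how many symbols a scheme needs to reach 64 bits, and generates a password of that strength with crypto/rand. The 8-entry word list is a constructed placeholder so the block runs offline; its entropy is computed from its real size, which is exactly why it comes out far too weak.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Attacker model from the thread: a legitimate unlock costs ~0.3 s of
// scrypt on one PC, but we assume the attacker can test 1e6 passwords/s.
const guessesPerSecond = 1e6

// entropyBits returns the entropy of a password made of n symbols drawn
// independently and uniformly from an alphabet of alphabetSize entries.
func entropyBits(alphabetSize int, n int) float64 {
	return float64(n) * math.Log2(float64(alphabetSize))
}

// symbolsNeeded returns the smallest number of symbols from an alphabet of
// the given size that reaches at least targetBits of entropy.
func symbolsNeeded(alphabetSize int, targetBits float64) int {
	return int(math.Ceil(targetBits / math.Log2(float64(alphabetSize))))
}

// expectedCrackYears is the average time to find the password: half the
// keyspace divided by the guess rate (the Octave expression in the thread).
func expectedCrackYears(bits float64, rate float64) float64 {
	return math.Pow(2, bits) / rate / 3600 / 24 / 365 / 2
}

// randomIndex draws an unbiased index in [0, n) from the OS CSPRNG.
func randomIndex(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // no entropy source: refuse to hand out a weak password
	}
	return int(v.Int64())
}

// randomString builds a password of n symbols drawn uniformly from alphabet,
// joined with sep ("" for hex digits, " " for a passphrase).
func randomString(alphabet []string, n int, sep string) string {
	parts := make([]string, n)
	for i := range parts {
		parts[i] = alphabet[randomIndex(len(alphabet))]
	}
	return strings.Join(parts, sep)
}

// hexAlphabet is the 16-symbol alphabet of the "b5bb9d8014a0f9b1" example.
var hexAlphabet = strings.Split("0123456789abcdef", "")

// demoWords is a constructed stand-in for a real word list. An xkcd-style
// list has 2048 entries (11 bits per word); entropy below is computed from
// the list's actual size, so these 8 words give only 3 bits each.
var demoWords = []string{"correct", "horse", "battery", "staple", "cloud", "config", "salt", "scrypt"}

func main() {
	target := 64.0

	n := symbolsNeeded(len(hexAlphabet), target)
	pw := randomString(hexAlphabet, n, "")
	bits := entropyBits(len(hexAlphabet), n)
	fmt.Printf("hex password %q: %.0f bits, %.3g years at %.0e guesses/s\n",
		pw, bits, expectedCrackYears(bits, guessesPerSecond), guessesPerSecond)

	// With a 2048-word list, six words reach the 66 bits quoted in the thread.
	fmt.Printf("words needed from a 2048-word list for %.0f bits: %d\n",
		target, symbolsNeeded(2048, target))

	phrase := randomString(demoWords, 6, " ")
	fmt.Printf("demo passphrase %q: %.1f bits (too weak: the list is too small)\n",
		phrase, entropyBits(len(demoWords), 6))
}
```

symbolsNeeded is the inverse of the comment's calculation: feed it the alphabet you actually use (16 for hex, the real size of your word list) and the 64-bit target, and it tells you the length to generate. Selection goes through crypto/rand with big.Int so the index is unbiased; a modulo over math/rand would not give the entropy the arithmetic assumes.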
@rfjakob

Owner

commented Oct 18, 2016

Also very good is this table that uses hardware cost as the metric instead: http://security.stackexchange.com/a/95764

We use scrypt with 0.3 seconds instead of 3.8. Also the table is from 2002, so let's say hardware has gotten 100x cheaper since then, and we arrive at 1000x. So read from the bottom row and divide by 1000.

@xelra


commented Oct 21, 2016

I guess what the OP wanted to ask is whether it's safer to keep the gocryptfs.conf local or whether this doesn't have any security implications at all, fully realizing that it's a lot more inconvenient to copy the configuration file on every client manually.

@rfjakob

Owner

commented Oct 21, 2016

Yes, not uploading it is more secure.

@bugspencor

Author

commented Oct 22, 2016

Thanks for the answers!

So I will go for keeping the conf files off-cloud.
