This patch implements the workaround proposed by
https://defuse.ca/audits/encfs.htm to create a --require-macs command
line argument. If this argument is passed, encfs will refuse to mount
with MACs disabled. When creating a filesystem, encfs will force MACs to
be enabled.
Addressed CR comments, and added docs.
It is only needed when "-o allow_other" is specified.
"-o default_permissions" causes libfuse to check file access
in userspace. This costs CPU cycles and causes additional
stat() calls - libfuse has to walk up the whole path to check
for "x" permissions on directories.
This improves "make benchmark-reverse" performance
by 30% when caching is disabled. It also gives a slight
improvement with caches on.
Before:
tests/benchmark-reverse.pl /var/tmp
* rsync 1 (initial copy)... 12179 ms
* rsync 2 (no changes)... 1840 ms
cleaning up... done
tests/benchmark-reverse.pl /var/tmp --nocache
* rsync 1 (initial copy)... 30696 ms
* rsync 2 (no changes)... 10552 ms
cleaning up... done
After:
tests/benchmark-reverse.pl /var/tmp
* rsync 1 (initial copy)... 12095 ms
* rsync 2 (no changes)... 1693 ms
cleaning up... done
tests/benchmark-reverse.pl /var/tmp --nocache
* rsync 1 (initial copy)... 21266 ms
* rsync 2 (no changes)... 6486 ms
cleaning up... done
Commit 76424a58cb enabled unique IV
for reverse mode by default, to get more testing and to increase
security of reverse mode.
The downside is that all IVs change when the inode numbers change,
which means that all of the ciphertext changes.
This may bite people who copied the plaintext to a new filesystem
- they will find out that they have to rsync everything again.
This commit disables unique IV for reverse mode by default. It can
still be enabled through expert mode.
Disabling the kernel cache makes sure the encrypted view is always
up-to-date, however, it causes a factor 3 slowdown.
Please use --nocache manually if you want to disable caching.
Closes #60.
Also replaces the magic identifiers 513 and 514 by proper defines.
With pkg-config missing, a broken configure was generated, that failed
with a confusing error:
./configure: line 19272: syntax error near unexpected token `OPENSSL,'
./configure: line 19272: ` PKG_CHECK_MODULES(OPENSSL, openssl >= 0.9.7,'
Now, it errors out in the autoconf stage with:
configure.ac:23: error: possibly undefined macro: PKG_CHECK_MODULES
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
one search twice (one for adding the path of the library to LDFLAGS and
the other for eventually checking that the library is actually added)
for the same symbol (fuse_new) that results in the configure script
caching the first result of the test (which is 'false' because the
library was not yet added) and reusing it in the second test. A
solution is to use two different symbols for these two tests).
This removes the need for a translated prompt. Fixes issue #20.
Also,
* merge boolDefaultNo() and boolDefaultYes() into boolDefault()
* do not accept arbitrary answers, but prompt again
Example Results
* Seagate Barracuda 7200.9, model ST3250824AS
* Linux 3.16.3
* EncFS 1c5c75c44f
Test | EncFS | eCryptfs | EncFS advantage
----------------|--------------|--------------|----------------
stream_write | 32 MiB/s | 38 MiB/s | 0.84
extract | 28744 ms | 30027 ms | 1.04
du | 495 MB | 784 MB | 1.58
rsync | 3319 ms | 62486 ms | 18.83
delete | 6462 ms | 74652 ms | 11.55
(eCryptfs is very slow for stat() on a classical HDD)
This prevents unexpected failures when you have set that variable.
Also, give Test::More the number of tests that will be run for
more informative output.