Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Surely there's better technological solutions for encrypting block data in the cloud with lower risks of service ensh*tification?


I work on a project Blobcache, a content addressed store for exposing and consuming storage over the network. It supports full end to end encryption, and offers a minimal API to prevent applications from leaking data.

https://github.com/blobcache/blobcache/blob/master/doc/0.2_W...

You can persist arbitrary hash-linked data structures in Blobcache volumes. One such data structure is the Git-Like Filesystem, which supports the usual files and trees.

https://github.com/blobcache/blobcache/blob/master/doc/8.5_G...


Proton’s product changes over the last couple years are the exact opposite of that. I think they’re the only credible game in town for an email/drive service in the cloud that doesn’t have AI data mining risks.


You might be interested in Peergos [0][1] which is E2EE, fully open source (including the server), and self hostable. We've been audited by Cure53 and Radically Open Security.

[0] https://peergos.org

[1] https://github.com/peergos/peergos


My suggestion, if you can, would be to host the data on your own hardware. The Internet was initially conceived with this kind of decentralization in mind -- most people/organizations hosting their own websites/email/files/etc. And this is what we must go back to if we want to retake control from "cloud" providers.

Technically, this could be as simple as a Samba server behind Wireguard, but you could also, or in addition, look into other projects like Nextcloud especially if you are interested in sharing files with people.


The state of things isn't great IMHO. Im not sure I trust any of EncFS, CryFS, and gocryptfs.

Many leak metadata and/or have serious security concerns.


Metadata leakage is a fundamental issue when you go from block to object. I can think of some schemes that would help but they’re all kinda nasty lol


Of course, and I didnt intend to downplay the efforts of those projects. Just pointing out that they don't meet the requirements of most threat models.


I kinda gotta push back on that

Most threat models don’t include state level or equally well funded/motivated actors.

Some of those, in theory, are fine for most corporate usage - when used or implemented by knowledgeable people. Shipping it as a consumer product is a bit rougher of a story, although most companies seem to cope by not giving a shit (lol, oof)


Can you detail the current metadata and security problems with CryFS? Do they also extend/apply to securefs?


luks on an iscsi drive

Joking of course, but I am playing around with a similar setup, I should try it over the actual internet and see how much it sucks.

Now I am arguing with myself if you would want to run it over an encrypted tunnel. Theoretically no, but drive encryption is not really designed to protect data in transit who knows what sidechannel data would leak, so maybe... and the tunnel probably has better authentication than iscsi




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: