"Piggy Bank" style encrypted volume


Post by darkspork » Mon Jan 02, 2012 3:10 am UTC

Partially due to Bitcoin, I've been looking into methods of storing encrypted data, and one particularly amusing one came to mind:

Is there a simple way to encrypt a directory in such a way that its contents are encrypted (both data and metadata, including file/directory structure), but files can be written without a key? I know about asymmetric cryptography, so it's certainly possible - a single file can be encrypted this way using a public key, so it would be trivial to encrypt individual files with the key and plop them in a directory, but what if you wanted to encrypt file names and directory structure in this manner as well? Furthermore, what if you wanted to append encrypted data to the end of an encrypted file without decrypting the file? What if you wanted to delete a specific file from an encrypted volume without decrypting any of it first, perhaps denying it even existed before you tried to delete it?

I'm wondering if an implementation of (most of) this already exists (maybe some flags I missed in the encryptfs man pages). I know it's possible at least in theory - perhaps by creating an asymmetrically encrypted log of all requested activity on the encrypted volume, which would be postponed until it was decrypted with the private key. If not, it might make for an interesting shell script.

Re: "Piggy Bank" style encrypted volume

Post by undecim » Mon Jan 02, 2012 8:58 pm UTC

darkspork wrote: Partially due to Bitcoin, I've been looking into methods of storing encrypted data, and one particularly amusing one came to mind:

Is there a simple way to encrypt a directory in such a way that its contents are encrypted (both data and metadata, including file/directory structure), but files can be written without a key? I know about asymmetric cryptography, so it's certainly possible - a single file can be encrypted this way using a public key, so it would be trivial to encrypt individual files with the key and plop them in a directory, but what if you wanted to encrypt file names and directory structure in this manner as well? Furthermore, what if you wanted to append encrypted data to the end of an encrypted file without decrypting the file? What if you wanted to delete a specific file from an encrypted volume without decrypting any of it first, perhaps denying it even existed before you tried to delete it?

I'm wondering if an implementation of (most of) this already exists (maybe some flags I missed in the encryptfs man pages). I know it's possible at least in theory - perhaps by creating an asymmetrically encrypted log of all requested activity on the encrypted volume, which would be postponed until it was decrypted with the private key. If not, it might make for an interesting shell script.


A tar file with public key encryption should do what you want. IIRC, tar files are just concatenations of files in 512-bit blocks, with a 1-block header before each file. So to add a file, you would just put together the file and header, encrypt it, and append it to the tar file. Then you could read the file with the private key.

However, a writer could sabotage your tar file by writing a header that says the file is several terabytes large, and not adding any data. (as well as many other trickses with the header)

Re: "Piggy Bank" style encrypted volume

Post by Yakk » Tue Jan 03, 2012 4:51 pm UTC

What do you mean by "deleted"? Because it is difficult to prevent later reconstruction of the data without destroying it. And a destructive delete operation that does no harm if the file isn't there seems tricky.

Re: "Piggy Bank" style encrypted volume

Post by darkspork » Wed Jan 04, 2012 3:14 pm UTC

undecim wrote: A tar file with public key encryption should do what you want. IIRC, tar files are just concatenations of files in 512-bit blocks, with a 1-block header before each file. So to add a file, you would just put together the file and header, encrypt it, and append it to the tar file. Then you could read the file with the private key.

However, a writer could sabotage your tar file by writing a header that says the file is several terabytes large, and not adding any data. (as well as many other trickses with the header)

The one problem I see: will tar allow you to append to existing files or delete (unlink, not overwrite) them? I don't think that's entirely possible.

Yakk wrote: What do you mean by "deleted"? Because it is difficult to prevent later reconstruction of the data without destroying it. And a destructive delete operation that does no harm if the file isn't there seems tricky.

That was a theoretical "cool feature" that I really don't see mathematical sense in. I really can't make heads or tails of it either.

Re: "Piggy Bank" style encrypted volume

Post by userxp » Tue Jan 10, 2012 11:18 am UTC

darkspork wrote: Is there a simple way to encrypt a directory in such a way that its contents are encrypted (both data and metadata, including file/directory structure), but files can be written without a key? I know about asymmetric cryptography, so it's certainly possible - a single file can be encrypted this way using a public key, so it would be trivial to encrypt individual files with the key and plop them in a directory, but what if you wanted to encrypt file names and directory structure in this manner as well?

Encrypting file names is just a matter of applying the same cryptographic protocol to them (nowadays you can implement a filesystem in pretty much any language thanks to FUSE). The hard problem is maintaining the file structure in a secure way. Either:
a) The files are stored in a secure place (such as a server), that the attacker cannot reach, in which case you don't even need encryption (except for extra security).
b) The files are stored in an insecure place (such as a hard drive), in which case the attacker can always just overwrite everything with zeros.

These two are out of the question. The only remaining possibility I can think of is to have the files stored in a distributed network which allows appending but not deleting (unless you control a big part of the network, that is). In that case you probably can't "delete" anything, but since you can't tell encrypted data from random data without knowing the key, you could always claim that that file is just random garbage (and make it more plausible by uploading random garbage all the time).

darkspork wrote: Furthermore, what if you wanted to append encrypted data to the end of an encrypted file without decrypting the file?

I don't know if there is any easier way, but you could always add a new file and then automatically append it to the previous one when decrypting.

Also, Gamma Energy is an awesome game.
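Added example, not code from any poster in this thread: a Node.js sketch of the asymmetrically encrypted operation log proposed in the first post, with appends stored as separate records and merged on decryption, and a reader that refuses the oversized-length sabotage undecim describes. The record layout, the `seal`/`openLog` names, the 1 MiB cap and the RSA-OAEP plus AES-256-GCM construction are assumptions chosen for illustration; the key pair and records in `demo` are constructed.

```javascript
const crypto = require('crypto');
const WRAPPED = 256, IV = 12, TAG = 16;   // RSA-2048 OAEP output, GCM nonce, GCM tag (bytes)
const MAX_RECORD = 1 << 20;               // assumed reader policy: no single record over 1 MiB
// Writer: holds only the public key. Wraps a fresh AES key with RSA (OAEP is Node's default).
function seal(publicKey, op) {
  const key = crypto.randomBytes(32), iv = crypto.randomBytes(IV);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(op), 'utf8'), c.final()]);
  const body = Buffer.concat([crypto.publicEncrypt(publicKey, key), iv, c.getAuthTag(), ct]);
  const len = Buffer.alloc(4);
  len.writeUInt32BE(body.length);
  return Buffer.concat([len, body]);      // 4-byte length prefix, then the sealed record
}

// Owner: walk the log, refuse impossible lengths, decrypt, replay the operations in order.
function openLog(privateKey, log) {
  const files = new Map(), rejected = [];
  for (let off = 0; off + 4 <= log.length;) {
    const start = off, len = log.readUInt32BE(off);
    if (len < WRAPPED + IV + TAG || len > MAX_RECORD || off + 4 + len > log.length) {
      rejected.push({ offset: start, claimed: len });  // header claims more than is there
      break;                                           // framing is untrustworthy from here
    }
    const b = log.subarray(off + 4, off + 4 + len);
    off += 4 + len;
    try {
      const key = crypto.privateDecrypt(privateKey, b.subarray(0, WRAPPED));
      const d = crypto.createDecipheriv('aes-256-gcm', key, b.subarray(WRAPPED, WRAPPED + IV));
      d.setAuthTag(b.subarray(WRAPPED + IV, WRAPPED + IV + TAG));
      const pt = Buffer.concat([d.update(b.subarray(WRAPPED + IV + TAG)), d.final()]);
      const op = JSON.parse(pt.toString('utf8'));
      if (op.op === 'write') files.set(op.path, op.data);
      else if (op.op === 'append') files.set(op.path, (files.get(op.path) || '') + op.data);
      else if (op.op === 'delete') files.delete(op.path);  // harmless if it never existed
    } catch (e) {
      rejected.push({ offset: start, claimed: len });      // junk or tampered record: skip
    }
  }
  return { files, rejected };
}

// Constructed demo: throwaway key pair, three honest records, then a forged length header.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const forged = Buffer.from('fffffff0', 'hex');  // claims about 4 GiB and supplies nothing
  const ops = [{ op: 'write', path: 'notes/a.txt', data: 'one' },
    { op: 'append', path: 'notes/a.txt', data: '+two' }, { op: 'delete', path: 'never-existed' }];
  return openLog(privateKey, Buffer.concat([...ops.map((o) => seal(publicKey, o)), forged]));
}
```

Paths and contents travel inside the ciphertext, so a holder of the log alone learns only the number and sizes of records. The length prefix is unauthenticated plaintext, which is why the reader bounds it against both a cap and the bytes actually present before allocating or decrypting anything.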

Re: "Piggy Bank" style encrypted volume

Post by Zamfir » Fri Jan 13, 2012 12:32 pm UTC

I guess deletes are possible for the party who inserted that specific file. They could just remember which bytes "belong" to them and replace them by an equally-sized other file, filled with random junk or something innocuous.

