What exactly does this file do? And why can't I remove it? I would prefer the cloud not even know what type of encryption system I am using. Is there some way to not have this file in the directory? If I exclude it from my upload to the cloud, will I need it to decrypt on the other side?
gocryptfs.diriv contains random data that is mixed into the encrypted file names. "diriv" = "directory initialization vector".
If you have two files called letter.doc in two directories, this random data makes sure that the encrypted filenames look completely different.
The files are needed for decryption of the file names - yes you need them!
Only way to not have them is to disable filename encryption.
Edit: For all the details take a look at https://nuetzlich.net/gocryptfs/security/#file-names
Ok to close this?
Hi, would it be possible to additionally prepend the diriv to the encrypted file? That way the filename could be decrypted even when the file is no longer in the directory. Thank you!
No, because the diriv must be the same for the whole directory. Otherwise you could end up with multiple files with the same decrypted file name (but different encrypted names, because the diriv is different)
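Added example, not gocryptfs code and not posted by anyone in this thread: per-directory-IV name encryption in Go, showing that the same name encrypts differently under two dirivs and that a name cannot be decrypted with another directory's diriv. AES-CBC is used here as a simplified stand-in for gocryptfs's actual name cipher, and the key and diriv values are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// EncryptName encrypts a file name under a per-directory IV ("diriv").
// Stand-in cipher: AES-CBC with PKCS#7 padding, not gocryptfs's real mode.
func EncryptName(key, diriv []byte, name string) string {
	blk, _ := aes.NewCipher(key) // key length is fixed in this example
	n := aes.BlockSize - len(name)%aes.BlockSize
	buf := append([]byte(name), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(blk, diriv).CryptBlocks(buf, buf)
	return base64.RawURLEncoding.EncodeToString(buf)
}

// DecryptName reverses EncryptName; it needs the diriv used at encryption.
func DecryptName(key, diriv []byte, enc string) (string, error) {
	buf, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil || len(buf) == 0 || len(buf)%aes.BlockSize != 0 {
		return "", errors.New("malformed encrypted name")
	}
	blk, _ := aes.NewCipher(key)
	cipher.NewCBCDecrypter(blk, diriv).CryptBlocks(buf, buf)
	n := int(buf[len(buf)-1])
	if n < 1 || n > aes.BlockSize ||
		!bytes.HasSuffix(buf, bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad padding: wrong diriv or key")
	}
	return string(buf[:len(buf)-n]), nil
}

// Constructed sample values; real diriv files hold random bytes.
var (
	key    = bytes.Repeat([]byte{0x42}, 32)
	dirivA = bytes.Repeat([]byte{0x01}, aes.BlockSize)
	dirivB = bytes.Repeat([]byte{0xA5}, aes.BlockSize)
)

func main() {
	a, b := EncryptName(key, dirivA, "letter.doc"), EncryptName(key, dirivB, "letter.doc")
	fmt.Println(a != b) // same name, different directories
	_, err := DecryptName(key, dirivB, a)
	fmt.Println(err) // name from directory A, diriv from directory B
}
```

The two encrypted names differ yet both decrypt to letter.doc under their own IV, which is the collision described above if each file in one directory carried its own IV.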
My solution would be to re-encode any file name when the diriv is different. Only if the newly encrypted name conflicts with another in the same directory would I ignore the file and generate a warning.
If I understand correctly, this would mean you have to read all files in a directory before you can create a new one. Gocryptfs tries hard to be fast :)
How about checking that a conflicting encrypted name has the same diriv before overwriting? Otherwise, I would re-encrypt names whenever the diriv is different, and ignore everything else. The goal is to allow an accidental separation from the tree, not the import.
Note that when a file gets separated from its diriv, you can always recover the content (but you will lose the file name). Just put the file into a new directory, create an empty file "foo" there and rename your encrypted file over the encrypted "foo"
Hi rfjakob, sorry, can you explain more with the "foo"? Not tried to rename over a file before... thx