Better to mount (and decrypt) on host or client? #851
parasiteoflife asked this question in Q&A
From a security standpoint, it's best to decrypt as late as possible. When you decrypt on the server, you may have decrypted data going over the network (not sure about samba encryption, maybe better than nothing).
Yeah, but how does the authentication work? Kerberos? Pretty good.
Password? Weak AFAIK because of NTLM limitations.
On Sat, 17 Aug 2024, 15:17 celesteking wrote:
> samba encryption uses AES-128-GCM.
>
> # smb.conf
> [default]
> server min protocol = SMB3_00
> server smb encrypt = required
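
A small checker for the smb.conf fragment quoted in the reply above, as an added example that is not part of the thread or of Samba. It relies on smb.conf(5): `server min protocol` is a global parameter that Samba ignores outside `[global]`, while `server smb encrypt` can be set per share. The sample configs and function names are constructed for illustration.

```python
# Added example: lint an smb.conf for the transport-encryption settings discussed above.
# Not Samba's parser (no line continuations or includes); run testparm for real validation.
ALIASES = {"min protocol": "server min protocol", "smb encrypt": "server smb encrypt"}
GLOBAL_ONLY = {"server min protocol"}  # marked (G) in smb.conf(5)
SMB3_DIALECTS = {"SMB3", "SMB3_00", "SMB3_02", "SMB3_11"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, synonyms folded."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            sections[current][ALIASES.get(key, key)] = value.strip()
    return sections

def audit(text):
    """Return findings about SMB3 dialect and encryption enforcement."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    for name, params in conf.items():
        for key in GLOBAL_ONLY:
            if key in params and name != "global":
                findings.append(f"'{key}' in [{name}] is a global parameter; move it to [global]")
    if glob.get("server min protocol", "").upper() not in SMB3_DIALECTS:
        findings.append("[global] does not set 'server min protocol' to an SMB3 dialect")
    # Shares inherit 'server smb encrypt' from [global] unless they override it.
    shares = [s for s in conf if s != "global"] or ["global"]
    for name in shares:
        inherited = glob.get("server smb encrypt", "default")
        value = conf.get(name, {}).get("server smb encrypt", inherited)
        if value.lower() != "required":
            findings.append(f"[{name}] does not require SMB encryption (effective: {value})")
    return findings

# Constructed samples: the fragment as posted in the thread, and the same lines under [global].
POSTED = "[default]\nserver min protocol = SMB3_00\nserver smb encrypt = required\n"
FIXED = "[global]\nserver min protocol = SMB3_00\nserver smb encrypt = required\n"

if __name__ == "__main__":
    for label, sample in (("posted", POSTED), ("fixed", FIXED)):
        print(label, audit(sample) or "no findings")
```
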
I'm planning my migration from VeraCrypt to gocryptfs, but I'm wondering what's the best approach. I will access my files mostly through Windows. I read that the Windows implementation supports reading gocryptfs encrypted files, so I'm wondering (even if we are not talking about using cross-platform software): is it best to mount and share the decrypted mount from the host, or share the encrypted directory and decrypt on the client? All this over Samba, of course.
Since I'm talking about Windows clients I'm betting the former because, as I'm guessing, xattr support is done in the unencrypted data, right? Since I use Windows and I do use xattr metadata (hidden, system, read-only, creation times), would it be best to decrypt the files on the host? Or does it not matter?