Title: Comparison of cloud storage encryption software
Author: Solène
Date: 19 February 2026
Tags: security privacy linux
Description: In this blog post, I compare software encrypting files to
be synced over public cloud storage
# Introduction
When using a cloud storage service that is not end-to-end encrypted,
you may want to store your files encrypted so that, if the provider
(which could be you, if you self-host Nextcloud or Seafile) gets
compromised, the attacker does not obtain readable data.
Encryption tools such as age or gpg exist, but they are not practical
for working with files transparently. A specific class of software
fills this gap: it presents a mount point where your files appear in
clear, while everything written through it is stored encrypted on disk.
You will learn about cryptomator, gocryptfs, cryfs and rclone. They give
you a local directory, synced with the cloud provider, that contains
only encrypted files, plus a mount point through which you access the
clear versions. Your files are sent encrypted to the cloud provider, but
you can use them as usual (with some overhead).
This blog post is a bit of a "yet another comparison", because each of
these projects also publishes a comparison with its competitors.
(HTM) A comparison done by gocryptfs
(HTM) A comparison done by cryptomator
(HTM) A comparison done by cryfs
# Benchmark
My comparison covers the following attributes and features of each
software:
* number of files in the encrypted directory, always using the same
input (837 MB made of 4797 files: pictures and a git repository)
* filename and file tree hierarchy obfuscation within the encrypted
directory
* size of the encrypted directory compared to the 837 MB of raw material
* cryptography used
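The counts in this comparison can be reproduced with a small POSIX shell function. This is an added example, not something from the original post or from any of the projects: run it on the source directory and on each encrypted directory, then compare the lines. Besides files, directories and bytes, it reports the maximum directory depth and the number of distinct file sizes, which is a quick way to see how much hierarchy and size information an encrypted layout still leaks (a flattened layout has a small depth, a layout of fixed-size blocks yields a single distinct size). It assumes only find, awk and wc; the paths in the usage comment are made up.

```shell
#!/bin/sh
# measure_dir DIR
# Prints one line: files=N dirs=N max_depth=N bytes=N distinct_sizes=N
# - dirs includes DIR itself; max_depth is relative to DIR
# - distinct_sizes counts different file sizes: a layout that stores
#   fixed-size blocks gives 1, a layout that keeps one encrypted file per
#   clear file reveals the whole size profile of the clear data
measure_dir() {
    dir=${1%/}                      # drop a trailing slash so depths line up
    [ -d "$dir" ] || { echo "not a directory: $1" >&2; return 2; }

    files=$(find "$dir" -type f | awk 'END { print NR }')
    dirs=$(find "$dir" -type d | awk 'END { print NR }')

    # depth of DIR in path components, so that DIR itself is depth 0
    base=$(printf '%s\n' "$dir" | awk -F/ '{ print NF }')
    depth=$(find "$dir" -type d | awk -F/ -v base="$base" \
        '{ d = NF - base; if (d > m) m = d } END { print m + 0 }')

    # one size per line; `wc -c` is portable where stat's flags are not,
    # and -exec ... \; avoids the "total" line wc prints for several files
    sizes=$(find "$dir" -type f -exec wc -c {} \; | awk '{ print $1 }')
    bytes=$(printf '%s\n' "$sizes" | awk 'NF { s += $1 } END { print s + 0 }')
    distinct=$(printf '%s\n' "$sizes" \
        | awk 'NF && !($1 in seen) { seen[$1] = 1; n++ } END { print n + 0 }')

    printf 'files=%s dirs=%s max_depth=%s bytes=%s distinct_sizes=%s\n' \
        "$files" "$dirs" "$depth" "$bytes" "$distinct"
}

# Usage (hypothetical paths):
#   sh measure.sh ~/Pictures ~/Nextcloud/vault-gocryptfs ~/Nextcloud/vault-cryfs
for d in "$@"; do
    printf '%s: ' "$d"
    measure_dir "$d"
done
```

Run it once on the clear directory and once on each encrypted directory; the line for the clear data is the reference, and every value that survives unchanged in an encrypted line is metadata the provider can read without the key.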
# Software list
Here is the challenger list I decided to evaluate:
## Cryptomator
The main program (running on Linux) is open source, and there are
clients for all major operating systems, including Android and iOS. The
Android app is not free (as in beer), the iOS app is free for read-only
use, and the Windows / Linux / Mac OS program is free. They also have a
company-wide offering which can be convenient for some users.
Cryptomator features a graphical interface, making it easy to use.
The encryption suite is good: AES-256-GCM for file content (filenames
are encrypted with AES-SIV) and scrypt, used with a salt, for key
derivation. The encrypted data is authenticated, which matters because
it allows detecting an altered file.
Hierarchy obfuscation can be sufficient depending on your threat model.
The whole structure is flattened and all names are obfuscated, but you
can still guess the number of directories, the number of files in each,
and the file sizes. This is not a huge security flaw, but it is
something to consider.
(HTM) Cryptomator implementation details
## gocryptfs
This software is written in Go and works on Linux; a C++ port for
Windows exists, and there is a beta version for Mac OS.
(HTM) gocryptfs official website
Hierarchy obfuscation is not great: the whole tree structure is
preserved, only the names are obfuscated.
Cryptography-wise, scrypt is used for key derivation and AES-256-GCM
for authenticated encryption.
(HTM) gocryptfs implementation details
## CryFS
I first learned about cryfs when using KDE Plasma, which has a graphical
widget named "vault" that can drive cryfs to create encrypted
directories. This GUI also allows using gocryptfs, but defaults to
cryfs.
(HTM) CryFS official website
CryFS is written in C++, but an official rewrite in Rust is ongoing. It
works fine on Linux, and there are binaries for Mac OS and Windows as
well.
The encryption suite is good: it uses AES-256-GCM and scrypt by default,
but you can pick xchacha20-poly1305 if you do not want AES-GCM.
It encrypts file metadata and splits everything into small blocks of
fixed size. It is the only software in the list that obfuscates every
kind of data (filename, directory name, tree hierarchy, sizes,
timestamps) and also protects against replaying an old version of a
file.
(HTM) CryFS implementation details
## rclone
It may be surprising to see rclone here: it is a file transfer tool
supporting many cloud providers, but it also features a few "virtual"
remotes that can be layered on top of any other remote. These virtual
remotes can encrypt files, aggregate multiple remotes, or split files
into chunks. We will focus on the "crypt" remote.
(HTM) Rclone official website
rclone is written in Go and is available on every desktop system, but
not on mobile devices.
Encryption is done through NaCl secretbox, which combines the XSalsa20
stream cipher with the Poly1305 authenticator into authenticated
encryption, and scrypt is used for key derivation. The scrypt salt (the
"password2" setting of the crypt remote) is optional: if you leave it
empty, rclone falls back to a fixed built-in salt, so make sure to set
it.
Hierarchy obfuscation is not great: the whole tree structure is
preserved, only the names are obfuscated.
(HTM) rclone crypt remote implementation details
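A fixed, public salt means the scrypt output depends only on the passphrase, so anything precomputed for one rclone user works against every other one. Here is a small audit script, added here and not part of rclone or of the original post, that reads an rclone.conf and flags every crypt remote without a password2. The config it ships with is constructed for the demo (the remote names, the URL and the OBSCURED_PLACEHOLDER values are made up; a real rclone.conf stores passwords in rclone's obscured form). It assumes only POSIX sh and awk.

```shell
#!/bin/sh
# audit_rclone_conf FILE
# Prints "<remote>: salted" or "<remote>: NO SALT (password2 missing)" for
# each [section] whose type is crypt; returns 1 if any crypt remote is
# unsalted. rclone.conf is INI-style: [name] headers then "key = value".
audit_rclone_conf() {
    awk '
        function flush() {
            if (name != "" && type == "crypt") {
                printf "%s: %s\n", name, (salted ? "salted" : "NO SALT (password2 missing)")
                if (!salted) bad = 1
            }
            name = ""; type = ""; salted = 0
        }
        { sub(/[ \t]+$/, "") }                      # strip trailing blanks
        /^\[.*\]$/ { flush(); name = substr($0, 2, length($0) - 2); next }
        /^[ \t]*#/ || NF == 0 { next }              # comments and blank lines
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "type") type = val
            if (key == "password2" && val != "") salted = 1   # salt present
        }
        END { flush(); exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample config for the demo (not real credentials): the
# "secret-ok" remote sets password2, "secret-weak" relies on the default salt.
SAMPLE_CONF='[cloud]
type = webdav
url = https://cloud.example.org/remote.php/dav/files/alice
vendor = nextcloud
user = alice
pass = OBSCURED_PLACEHOLDER

[secret-ok]
type = crypt
remote = cloud:vault
filename_encryption = standard
directory_name_encryption = true
password = OBSCURED_PLACEHOLDER
password2 = OBSCURED_PLACEHOLDER

[secret-weak]
type = crypt
remote = cloud:vault2
password = OBSCURED_PLACEHOLDER'

# write_sample FILE: materialise the sample so the audit can read it
write_sample() { printf '%s\n' "$SAMPLE_CONF" > "$1"; }

if [ "$#" -gt 0 ]; then
    audit_rclone_conf "$1"
else
    tmp=$(mktemp)
    write_sample "$tmp"
    # "rclone config password <remote> password2 <salt>" stores a salt in
    # obscured form on an existing remote
    audit_rclone_conf "$tmp" || echo "fix: rclone config password <remote> password2 <salt>"
    rm -f "$tmp"
fi
```

Point it at your real file (`sh audit.sh ~/.config/rclone/rclone.conf`); an exit status of 1 means at least one crypt remote is using rclone's shared default salt.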
## Other
ecryptfs is almost abandonware, so I did not cover it.
(HTM) ecryptfs is unmaintained and untested
encfs is limited, and its own project page recommends that users switch to gocryptfs
(HTM) encFS GitHub page: anchor "about"
LUKS and Veracrypt are not "cloud friendly": you can keep a large local
container file encrypted with them and mount the volume locally, but it
will be synced to the remote service as one huge blob.
# Results
Results from a source directory with 4312 files and 480 directories, for
a total of 847 MB:
* cryptomator ended up with 5280 files, 1345 directories for a total of
855 MB
* gocryptfs ended up with 4794 files, 481 directories for a total of
855 MB
* cryfs ended up with 57928 files, 4097 directories for a total of 922
MB
* rclone ended up with 4311 files, 481 directories for a total of 847
MB
Although cryptomator has a few more files and directories in its
encrypted output than the original, the obfuscation really amounts to
putting all directories into a single directory with obfuscated
filenames. The extra directories and files are created for cryptomator's
internal bookkeeping, which explains the small overhead.
I used cryfs's default settings, with a block size of 16 kB, which is
quite low and will be a huge overhead for a synchronization client like
Nextcloud desktop. Increasing the block size is a setting worth
considering depending on your file size distribution. Blocks are spread
across subdirectories keyed on a short prefix of the block identifier
(4096 of them, plus the root, here), which lets it scale to a huge
number of blocks without hitting filesystem performance issues.
# Conclusion
In my opinion, the best choice from a security point of view is cryfs.
It features full metadata obfuscation, good encryption, and mechanisms
that prevent replaying old files or swapping files. The documentation
is clear and explains the design choices well.
But to be honest, I would recommend cryptomator to someone who wants a
nice graphical interface and easy-to-use software, and whose threat
model tolerates some metadata leakage. It is also available everywhere
(although not always for free), which is something to consider.
All these programs authenticate the encrypted data, so you will know if
a file was tampered with. Only cryfs goes further and also detects a
file being swapped with another or replaced by an older version; that
is certainly not in everyone's threat model. Most people just want to
prevent a data leak from exposing their files, and a cloud storage
provider actively modifying your encrypted files is a less likely
scenario.
# Going further
There is a GUI frontend for gocryptfs and cryfs called SiriKali.
(HTM) SiriKali official project page
(HTM) SiriKali GitHub project
Some self-hostable cloud storage products exist with end-to-end
encryption (files are encrypted/decrypted locally and only stored as
blobs remotely):
The two major products I would recommend are Peergos and Seafile. I am
a peergos user; it works well and features a Web UI. Seafile's
encryption is not great: using the web UI requires sharing the password
with the server, and metadata protection is bad too.
(HTM) Peergos official website
(HTM) Seafile official website