diff --git a/README.md b/README.md index 576e302..7e035cb 100644 --- a/README.md +++ b/README.md 
@@ -1,10 +1,38 @@ -# globaleaks-eph-fs +# GLOBALEAKS-EPH-FS An ephemeral ChaCha20-encrypted filesystem implementation using fusepy and cryptography suitable for privacy-sensitive applications, such as whistleblowing platforms. [![Status](https://img.shields.io/static/v1?label=License&message=AGPLv3+%2B&color=%3CCOLOR%3E)](https://github.com/globaleaks/globaleaks-eph-fs/blob/main/LICENSE) [![build workflow](https://github.com/globaleaks/globaleaks-eph-fs/actions/workflows/test.yml/badge.svg?branch=main)](https://github.com/globaleaks/globaleaks-eph-fs/actions/workflows/test.yml?query=branch%3Amain) [![Codacy Badge](https://app.codacy.com/project/badge/Grade/16022819c993415e8c82c25fd7654926)](https://app.codacy.com/gh/globaleaks/globaleaks-eph-fs/dashboard) [![Codacy Badge](https://app.codacy.com/project/badge/Coverage/16022819c993415e8c82c25fd7654926)](https://app.codacy.com/gh/globaleaks/globaleaks-eph-fs/dashboard) ## Overview -`globaleaks-eph-fs` provides an ephemeral, ChaCha20-encrypted filesystem implementation using Python, FUSE, and Cryptography. This filesystem is designed for temporary, secure storage with strong encryption, making it ideal for privacy-sensitive applications like whistleblowing platforms. +`GLOBALEAKS-EPH-FS` provides an ephemeral, ChaCha20-encrypted filesystem implementation using Python, FUSE, and Cryptography. This filesystem is designed for temporary, secure storage with strong encryption, making it ideal for privacy-sensitive applications like whistleblowing platforms. + +## Threat Model + +### Assumptions +- The system is designed to pass confidential files to antivirus scanners (e.g., [ClamAV](https://github.com/Cisco-Talos/clamav), [MAT2](https://0xacab.org/jvoisin/mat2)). +- The filesystem is ephemeral, meaning files are temporarily encrypted and erased after use. +- The system operates in environments where privacy, confidentiality, and integrity are crucial. + +### Potential Threats & Mitigations + +1. 
**Unauthorized File Access**: + - **Threat**: Unauthorized users may attempt to access confidential files stored in the filesystem. + - **Mitigation**: + - Data is **never written in plaintext** to permanent storage. All files are encrypted using **ChaCha20** encryption, ensuring that the contents are always protected. + - The **decryption process is handled automatically by the filesystem** when files are accessed, providing plaintext access only to authorized users. + - **Filesystem permissions** are enforced, ensuring that only authorized users can mount the filesystem and read or decrypt the files. Unauthorized users attempting to access the filesystem will not be able to decrypt or read the contents, as they lack the necessary permissions and encryption key. + - This approach guarantees that sensitive files remain secure, with no plaintext data stored outside the system's memory and filesystem scope. + +2. **Metadata Exposure**: + - **Threat**: Sensitive metadata, such as filenames, directory structures, or file sizes, could be exposed to unauthorized users or stored in operating system caches. + - **Mitigation**: **UUID4 filenames** are used, preventing any identifiable information from being exposed. This approach also mitigates risks from OS-level cache leaks, as filenames are randomized and non-meaningful. + +3. **Data Tampering or Integrity Issues**: + - **Threat**: An attacker could attempt to tamper with files by modifying their content or structure. + - **Mitigation**: **Filesystem permissions** restrict write access to authorized users only, preventing unauthorized modifications to files. + +### Conclusion +The ephemeral filesystem provides robust protection for confidential files through **ChaCha20 encryption**, **randomized UUID4 filenames**, and **strict filesystem permissions** that limit access and modification to authorized users. 
These features address the risks of unauthorized access, metadata exposure, and data tampering, ensuring the privacy and integrity of sensitive data during the scanning process. ## Installation
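Review bot: The "Data Tampering or Integrity Issues" item in this hunk lists only filesystem permissions as the mitigation, but ChaCha20 as named throughout the hunk is an unauthenticated stream cipher and gives no integrity guarantee on its own; either state explicitly that integrity relies solely on access control, or document the authentication actually used (for example an AEAD such as ChaCha20-Poly1305, or an HMAC over each file) so the claim "ensuring the privacy and integrity of sensitive data" in the Conclusion is backed by the design. Relatedly, the "Metadata Exposure" threat names filenames, directory structures and file sizes, but the mitigation covers only filenames via UUID4; add a sentence on whether file sizes and directory layout are considered out of scope or how they are handled. Minor: the Overview line changes the backticked name to `GLOBALEAKS-EPH-FS`; keeping the lowercase `globaleaks-eph-fs` inside backticks avoids suggesting a different package identifier, with the uppercase form reserved for the heading.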