Safe

Safe is an application that makes it easy to encrypt your files. When you encrypt your files with Safe they are rendered unreadable to anyone who doesn't have your password.

Safe is cross-platform and currently runs on Windows and Mac OS X. It works with all applications and file types and can store encrypted files anywhere. It's also compatible with EncFS volumes.

Safe is licensed under the GPLv3 and is based on free software.

Follow Safe news on Twitter.

Follow Safe development on GitHub.

The release notes have detailed information about what user-visible changes are made in each version as well as download links to all past releases.

The latest sources are available on our GitHub repository.

If you suspect you've found a crash or bug in Safe, please report it. Please include full reproduction steps if possible, that will drastically improve response time.

If you suspect you've found a serious security vulnerability in Safe, it may be best to first report it to us (PGP key) privately. You may also report the flaw on the public GitHub issues page but use your best judgment before doing that.

All development happens on Safe's GitHub page. Creating a fork and submitting a pull request is currently the best way to contribute.

If you're a security researcher who is interested in doing a security-focused audit of the Safe codebase, we'd love to help! Working together might help to produce a more-informed audit and will make it easier for us to incorporate the recommendations you suggest. Just send us an email (PGP key).

Collaboration with us is of course unnecessary but I believe that communication and working together are essential to producing something great. At the end of the day we just want Safe to be a utilty that everyone can use and trust and we'll get there faster if we work together.

To set Safe up, you must provide it with a folder to store your encrypted files in and a password to protect them.

Once set up, Safe provides a virtual drive that you can use just like you would use a normal disk drive. You can use any program and store any type of file in this drive. Your files will appear in unencrypted form in this virtual drive but behind the scenes Safe will be storing your files in encrypted form.

Safe emulates a normal disk drive and therefore works with all of your existing applications.

Safe can store encrypted files wherever normal files can be stored. This can be on your normal hard drive, on an external hard drive, on a usb key, on a network share, on a NAS, on your Drobo, or on Dropbox.

Safe shines as a painless way to add file encryption to existing storage products that you already own.

Safe is derived from EncFS, a user-space encrypted file system based on FUSE. Its EncFS roots make Safe fully compatible with existing EncFS containers and we intend for it to stay that way.

Unlike EncFS, it does not use FUSE to integrate with your operating system. Instead Safe hosts a localhost WebDAV server and uses your operating system's existing WebDAV functionality to provide the native interface. This makes Safe more portable and more stable than FUSE-based user-space file systems. The increased stability claim is due to the fact that Safe doesn't depend on a third-party kernel-level component.

Unfortunately, there is no native version of Safe for GNU/Linux yet.

It's not all bad, you can still natively use Safe volumes from GNU/Linux. Safe aims to be 100% compatible with EncFS, a GNU/Linux application. EncFS is capable of mounting Safe volumes and vice-versa. This is intentional and we intend for this to always be true.

If you're having trouble mounting Safe volumes using your distro's EncFS package, try our fork. Sometimes distros can have out of date packages.

Safe's goal is to protect you against offline attacks. This means that it makes it extremely difficult for attackers to access your data when they only have access to your encrypted data. E.g. your hard disk is stolen or your data is hacked from an online storage service. To accomplish its goal, Safe makes sure your files are never stored in unencrypted form.

Safe cannot protect you from attackers who have obtained access to your computer while it is running. E.g. a computer virus, or someone who is physically at your computer. In general, if your computer has been compromised while it is running, an attacker already has unrestricted access to all your keystrokes and unencrypted RAM. Security in this situation is futile so it's important that you password protect your computer and use best practices when it comes to protecting yourself against computer viruses.

Like EncFS, Safe encrypts each file individually. While this protects the data of each individual file, an attacker still has access to other metadata, e.g. approximate file size, last modification time, number of files. There are other encrypted file system that protect this data as well, e.g. TrueCrypt, but it comes with a cost. For more information about the tradeoffs here, see the EncFS extended introduction page.

By default, Safe encrypts files in EncFS paranoid mode. From the EncFS man page:

Cipher: AES

Key Size: 256 bits

PBKDF2 with 3 second runtime, 160 bit salt

Filesystem Block Size: 1024 bytes

Filename Encoding: Block encoding with IV chaining

Unique initialization vector file headers

Message Authentication Code block headers

External IV Chaining

I'll attempt to describe the procedure that Safe, via EncFS, uses to encrypt each file under the paranoid configuration.

First, both the encryption of a file's name and a file's data are dependent upon the directory path that the file resides in. For example, both the files /foo/bar/baz.txt and /foo/bar/quux.txt are both encrypted using a numeric seed value derived from the path, /foo/bar . We'll call this value the directory IV.

To encrypt the file name, Safe pads the file name to the nearest 128-bit block then encrypts it in AES-CBC mode using an IV that is derived from the directory IV. Finally the filename is Base32 encoded.

Each file is given a random 8 byte IV, called the file IV. This IV is stored in the header of the file. The header is encrypted in AES-CFB mode using an IV that derived from both the directory IV and the file name.

The file data is split up into 1016 byte blocks, then an 8 byte MAC is prepended for a total of 1024 bytes. Each 1024 byte region is encrypted in AES-CBC mode using fileIV ^ block_index as the IV. If the size of the file is not 1016-byte aligned, then the trailing data is instead encrypted in AES-CFB mode.

All encryption uses the same 256-bit master key. The master key is randomly generated when the encrypted container is created. It is encrypted and stored with a key that is derived from the user's password using PBKDF2 with 3 seconds of CPU time and a 160 bit salt.

It's not! Safe is a user-friendly port of EncFS to Windows and Mac OS X.

In short, Safe is file-based and TrueCrypt is block-based. Neither is strictly better and the pros and cons of both approaches are explained in detail at the EncFS extended introduction page.

In general, if you're wondering why you'd use Safe over TrueCrypt, here is quick summary:

Safe allows you to use your existing EncFS encrypted data on Mac/Windows.

Per-file encryption is much faster on network storage you don't control, like NFS, SMB, Drobo, Space Monkey, Dropbox, Google Drive. Most of their drivers/protocols are file-based. TrueCrypt is block-based, i.e. all data is stored as a single potentially giant file. This affects the performance of algorithms focused on caching and deduplication.

Safe was designed to be much easier than TrueCrypt to use. Try making a new encrypted disk with TrueCrypt, then do the same process with Safe and you'll see what I mean. TrueCrypt is very intimidating to set up for people who don't intimately understand how cryptography works. Safe just chooses the most secure defaults.

Please understand that Safe is not a competitor to TrueCrypt. They are different tools for different situations. Use the right tool depending on the nature of the data you are keeping privte. Safe is another tool in this ecosystem of encyption tools. The main goal is to help more people take control of how their data is stored and transmitted and to hopefully bootstrap mainstream digital privacy awareness.

BitLocker and FileVault are full disk encryption systems from Microsoft and Apple, respectively. Since they are quite similar I'll compare them together against Safe and refer to the pair as BLFV.

Like TrueCrypt, BLFV works at the block-device level. This means it requires either a physical block device or a disk image to function. Instead, Safe works at the file system level. Neither approach is strictly superior and the better solution depends on your security requirements. In general, Safe's approach is more efficient and versatile when not using a physical block-device at the cost of some information leakage. You can find out more about the pros and cons at the EncFS extended introduction page.

BLFV isn't cross-platform. You cannot use a BitLocker encrypted disk on Mac OS X and you can't use a FileVault encrypted disk on Windows. Safe works on Windows, Mac OS X, and Linux. The Safe encryption format transparently works across systems.

BLFV isn't free software and the encryption format isn't public. The first problem with this is that independent security experts cannot verify the integrity of their system. To use BLFV confidently you must trust Microsoft and Apple that there are no backdoors and/or bugs in their implementation. Additionally, the lifetime of BLFV is limited to however long Microsoft and Apple will support it.

Safe's goal is to make sure that not a single bit of the data you store via Safe is stored on any persistent medium without being encrypted. To ensure that we must make some changes to your system: enabling pagefile/swap encryption, disabling hibernate mode, and using a RAM disk for the WebDAV cache (Windows only).

The pagefile/swap is essentially data on your hard disk that your system uses as virtual memory. In a low-memory situation, your system may take the private data you're working on in Safe and store it to the pagefile/swap. To ensure the privacy of your data we enable pagefile/swap encryption so your private data is never inadvertently stored in the clear. On Windows, the command we use to do this is:

> fsutil behavior set EncryptPagingFile 1

On Mac OS X, the command is:

$ defaults writes /Library/Preferences/com.apple.virtualMemory UseEncryptedSwap -boolean yes

Disabling hibernate mode

Hibernate is a feature that allows your computer to sleep without using any power at all. This is implemented by storing all the data in your RAM as an image on disk without encryption. To prevent this from happening, we disable hibernate mode. On Windows, command we use to do this is:

> powercfg /hibernate off

On Mac OS X, the command is:

$ pmset -a hibernatemode 0

Using a RAM disk for WebDAV cache (Windows only)

The system WebDAV client on Windows Vista and higher caches all data retrieved from a WebDAV server to the directory C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsSTore\Tfs_DAV . When you run Safe for the first time we install a virtual RAM disk device and place a junction point to that RAM disk at the WebDAV cache location. This ensures that your data is never cached to disk and only to your RAM.

Windows XP doesn't support pagefile encryption so you're at risk of having Windows automatically write your private data your hard disk unencrypted.

Additionally, Safe does not currently run with a RAM disk under Windows XP. This alone ensures that your data will be written to your hard disk unencrypted.

If your trust your local computer to never be compromised by an attacker then running Safe under Windows XP should be okay. Safe can still be useful when accessing and storing your private data on an external hard drive, or online storage service, for instance.

If your data is highly confidential and you don't have total control over your Windows XP computer, we highly discourage running Safe on Windows XP.

Safe was authored by Rian Hunter.

Safe would not be exist were it not for a few great free software projects: davfuse, EncFS, Botan, TinyXML, TinyXML2, and Protocol Buffers.

Special thanks to GitHub for hosting Safe's source code, website, and binaries.

Extra Special thanks to Dropbox for being an awesome employer and giving me the space and time to develop Safe independently.