Decrypt filenames from reverse mount without gocryptfs.diriv

[skius]

I was just playing around with this and didn't see it documented anywhere, so I figured posting here might help someone:

If you have an encrypted backup of your files created using the reverse option (I believe this implies feature flags DirIV and AESSIV among others), you have lost your original plaintext files, and for some reason your gocryptfs.diriv files are missing from the encrypted backup, you can still recover their filenames.

1. Create directories recovered, recovered-enc, backup, backup-decrypted
2. Copy the encrypted backup files (the ones where the gocryptfs.diriv are missing) into backup
3. Using the same mount options and config as your original reverse mount, reverse mount recovered to recovered-enc
4. Copy recovered-enc/gocryptfs.diriv to backup/
5. Using the same config, but forward mount options, mount backup to backup-decrypted
6. You should see one level of decrypted files, but you will probably see errors when looking into subdirectories
7. Repeat the following steps for all folders:
8. Create a folder of the same name as the ones in backup-decrypted (i.e., your original folder names) in recovered
9. You should see an encrypted folder in recovered-enc appear with the same name as one in backup
10. Copy the gocryptfs.diriv file from that encrypted folder in recovered-enc/<encrypted_folder>/gocryptfs.diriv to backup/<encrypted_folder>/
11. The filenames in that folder should now be decrypted in backup-decrypted

All filenames should be recoverable this way.

My feature request to the authors: (assuming I didn't miss such an option) it would be great if we could "regenerate" such gocryptfs.diriv files from a "broken" (i.e., missing gocryptfs.diriv files) backup of a reverse mount natively from within gocryptfs (or some helper tool).

I suppose at that point the question becomes: Why do the gocryptfs.diriv files even exist for a reverse mount? If it's possible to recover the original filenames with just the config + password, what additional security do they provide? Is it just for performance reasons?

[yahesh]

Interesting find. I would have expected the DIRIV to actually be randomly generated but as it seems, it's just the sha256 hash of the corresponding path name (with the base folder being some static string): https://github.com/rfjakob/gocryptfs/blob/master/internal/pathiv/pathiv.go#L26-L31

Due to these coincidences it's possible to recursively re-generate the DIRIV files.

This also leads to the gocryptfs.diriv file in the base folders of different gocryptfs mounts to be identical even with different master keys. The DIRIV only starts to differ at the first subfolder level.