Plasma-Vault alternative to Cryptomator; which algorithm to use?

(I would like to get the tag “plasma-vault”)

For cloud-synced backups, a secure and well integrated encryption tool is needed.

Currently I use Cryptomator, which uses FUSE to mount the filesystem afaik. It works okay as a Flatpak, and most importantly its encryption algorithm is audited and specifically targeted towards cloud sync.

This means that the files are split up into small fragments (a bit like tar) which are then possible to sync incrementally. Using LUKS, Veracrypt or an AES archive would not work here.

Now Plasma Vault supports these algorithms:

CryFS (GitHub)

Security proven in a Master’s Thesis (no independent audit) but otherwise okay maintained, cloud-optimized. No mechanisms against filesystem corruption if the process gets killed during write operations!

EncFS

Audit revealed many issues that were not fixed to this day.

The last commit was 4 years ago.

As such, I think it should be removed from Plasma Vault.

gocryptFS (GitHub)

Spiritual successor of EncFS, written mostly in memory-safe Go.

It had an audit with kinda mixed results.

It is actively maintained. Fedora specific issue: it is not packaged, but there is a COPR.


I suppose the best algorithm to use is gocryptFS.

Possible “quantum safe” algorithms would also be really good to have in Plasma Vault, as Signal, MullvadVPN, Apple and more are integrating them.