v2.0.0

(Same as v2.0.0-beta1)

Breaking changes

• The extended attribute names are now encrypted on macOS in the same way as Linux. This breaks compatibility with securefs < 2.0 if the platform is macOS.
  • This removes many ugly workarounds on macOS and improves privacy.
  • If the extended attributes are important to you, please export them and import later. A tool is provided here.

New features

• New command unmount and ismount are added.
• Background mounting (mount -b) is rewritten, such that
  • Background mounting is now supported on Windows (by creating a child process in an invisible console)
  • The foreground process will wait until either the child process mounts successfully or exits. The foreground process will exit with 0 for the former case and non-zero for the latter. The callers no longer need to read the logs to distinguish success from failure.
• Long name suffixes on lite format are now tunable. The default is changed from ... to .ll to improve Windows compatibility.
  • Existing repos can be migrated with migrate-long-name command. Windows users are encouraged to do so if the repo is in lite format.
• New option --max-idle-seconds will cause automatically unmount if the filesystem doesn't receive any requests for the given duration.

Bug fixes

• Fix a race condition for lite format when padding is enabled.
• Swallow most ENODATA/ENOATTR error logs as they are noisy.
• Fix recursive mounting on Windows.

v2.0.0-beta1

Breaking changes

• The extended attribute names are now encrypted on macOS in the same way as Linux. This breaks compatibility with securefs < 2.0 if the platform is macOS.
  • This removes many ugly workarounds on macOS and improves privacy.
  • If the extended attributes are important to you, please export them and import later. A tool is provided here.

New features

• New command unmount and ismount are added.
• Background mounting (mount -b) is rewritten, such that
  • Background mounting is now supported on Windows (by creating a child process in an invisible console)
  • The foreground process will wait until either the child process mounts successfully or exits. The foreground process will exit with 0 for the former case and non-zero for the latter. The callers no longer need to read the logs to distinguish success from failure.
• Long name suffixes on lite format are now tunable. The default is changed from ... to .ll to improve Windows compatibility.
  • Existing repos can be migrated with migrate-long-name command. Windows users are encouraged to do so if the repo is in lite format.
• New option --max-idle-seconds will cause automatically unmount if the filesystem doesn't receive any requests for the given duration.

Bug fixes

• Fix a race condition for lite format when padding is enabled.
• Swallow most ENODATA/ENOATTR error logs as they are noisy.
• Fix recursive mounting on Windows.

v1.1.1

Fix a potential buffer overflow when logging the operations regarding extended attributes.

v1.1.0

v1.1.0

• Extended attributes are now supported on Linux (in addition to macOS).
  • The xattr on macOS and Linux are encrypted differently, so syncing encrypted xattr across them is not possible now.
• On Windows, the full format supports symbolic links now. They are enabled automatically.
• Added more binary releases:
  • fuse-t variants for macOS releases.
  • arm64 variants for Linux releases.
  • musl-static variants for Linux releases. (These are statically linked to all dependencies so they can run on all distributions, regardless of libc versions).

Full Changelog: v1.1.0...v1.1.0

v1.0.0

Major version bump since changes are a lot.

New features

• New lite format repositories no longer have any restrictions on file name lengths (OS limits still apply, but underlying filesystem limits don't).
  • Here "filename" refers to individual components of the full path. For example, in /usr/local/bin, the filenames are usr, local, and bin.
  • Existing repositories can be upgraded by securefs migrate-long-name, provided that they don't have any symlinks.
  • Basically if a filename is too long, it is encrypted and stored in a SQLite database. This incurs a small performance overhead but such long names should be rare occurrences. For more information, see here.
• New options for full format repositories
  • Case insensitive yet case preserving (like the default behavior of NTFS)
  • Unicode normalization insensitive and preserving (like the default behavior of APFS/HFS+).
  • These enable better compatibility with native filesystems. Note both of the features cannot be changed after creation.
• The config file format and default name is changed
  • The config file is now in protobuf.
  • The default name is now .config.pb rather than .securefs.json, since some people do not like revealing the name securefs to potential peekers.
  • Everything except the password derivation parameters are now encrypted and validated. Information such as max padding size is no longer visible without the password.
  • Loading old repos with JSON config is still supported. To upgrade, please run securefs chpass (in which case the config file will misleadingly stay the same name but be protobuf).
• Creating format code 1 and 3 filesystems are now impossible. Mounting them still works.
• The internals of the code base is heavily refactored to allow for easier feature development in the future.

Performance

• Reads and writes are now coalesced such that throughput on non-cached disks are significantly faster.
• We have implemented a workaround for libfuse2's performance problem where threads are repeatedly created and destroyed. libfuse3 fixes this problem, but we cannot upgrade yet for macFUSE compatibility.
• The binary releases are built with link time optimization. It is difficult to get this to compile, so it is not listed in README. If you want to try, you can refer to release.yml.

Misc

• securefs now reports stable inode numbers on most cases.

0.14.3

Minor update.

The build system is tweaked to be more friendly to certain package managers.

0.14.2

Add mount option --plain-text-names to disable file name encryption/decryption.

0.14.1

Dependencies are no longer bundled with the source tree. This allows easier upgrade.

0.13.1

Critical bug fixes: all users should immediately upgrade.

0.13.0

Changelog

New features

• Argon2id is now the default password hashing algorithm. This provides stronger resistance against GPU and ASIC attacking. To apply to existing repositories, run chpass.
• Keyfile is now protected by password hashing too. To apply to existing repositories, run chpass.
• It is now possible to obfuscate file sizes (at the cost of performance). Only new repo can opt-in this behavior. Run create --max-padding=XXX for this.

Improvements

• Format 1, 2, 3 are now mounted multi-threaded. (Format 4 has always been multi-threaded).
• --trace are reworked to have complete information in logs.
• securefs is now built with link time optimization for better performance.
• Other misc performance improvements.

Upgrades

• Crypto++ is upgarded to 8.6.
• utf8proc is upgraded to 2.7.0.

Releases

Source release

To build from source, you need to clone the repo by git with git clone --recursive --depth 1. Alternatively, you can download the file with "full-source" in it. Do not download autogenerated archive on this page as they are missing submodules.