Description
Hello User & Contributors
Your Back In Time (BIT) likely gave you a hint that the encryption function will soon change. As maintainers, we're keen on your opinion and perspective on this matter. Please direct questions and ideas preferably to the project's mailing list or one of the subordinated issues (see below), as this issue serves more for organization than substantive discussion.
Summary
The transition is about removing EncFS and providing one of two alternatives.
- One is to improve the handling of encrypted file systems and encrypted storage devices.
- The other is to replace EncFS with a similar alternative, e.g. GoCrypt.
In the current state of discussion it is preferred not to replace EncFS with an alternative library but to use encryption on file system level (e.g. LUKS) and improve BIT in a way to easier handle file systems like this.
The current state of discussion is that using LUKS or another file system encryption managed by the operating system itself (outside of BIT) is not a solution for all BIT users but for some (see Issue comment). So we had better replace EncFS if we do find contributors. If we don't, we need to accept cutting off a feature and some users by removing EncFS without replacement.
The transition is a process not fixed in all details and planned to take until the year 2029 or 2030. It was born from the idea to remove EncFS or replace it because EncFS has known security issues and the upstream project is not active anymore. It is also the case that there is currently no Back In Time contributor replacing EncFS. To keep BIT secure and maintainable there is no alternative to deprecating EncFS in BIT and finally removing it.
Current state
- October 2024: feat: Add local gocryptfs support #1897
- June 2024: LUKS is not a replacement for all use cases (see Issue comment). So we should force to replace EncFS with GoCrypt or something else.
- May 2024: In the beginning.
The final goal
It is not finally decided how the situation will be at the end in some years. The state of the current discussion is to remove encryption from Back In Time because it can be handled by the file system itself. However, the removal should be accompanied by improved documentation on how to use Back In Time with an encrypted filesystem. Additionally, it will be considered whether BIT should be enhanced with functionality that makes it easier for users to handle and mount encrypted filesystems (e.g., on external storage).
Issues to be taken care of
- feat+docu(EncFS): Deprecation warning in the GUI and details in whitepaper #1735
- feat+docu(EncFS): Research about how to handle encrypted drives and how BIT can help with that #1736
- EncFS: Intense GUI warning about its removal #1904 (Scheduled for 1.6.0 before Debian 13)
- Implement alternative solution (e.g. handling encrypted volumes and improved docu). (PR feat: Add local gocryptfs support #1897)
- Disable creation of EncFS snapshot profiles in the GUI. But let existing ones work. (Scheduled early after Debian 13 release)
- If Debian 13 is stable and Debian 12 oldstable: Ask popcon about BIT 1.3.3 users on oldstable. If this is a relevant number we should add an EncFS removal warning also to 1.3.3 (as 1.3.4) and upload it to oldstable. This is for users updating Debian from 12 to 14.
- Disable EncFS code and offer docu about how to access existing EncFS snapshots without BIT. (Scheduled after Debian 14 release)
- Remove EncFS code. (Scheduled after Debian 15 release)
Roadmap until year 2029 or 2030
Slow and transparent steps in a timeline of multiple years until round about the year 2029 or 2030 when Debian 15 will be released. Current stable Debian is version 12. It is built around the release cycles of Debian GNU/Linux because Debian has very long release cycles and is the base for most of the distributions out there.
- Year 2024: Clear and strong warning about the planned removal or replacement of EncFS.
- After Debian 13 is released (year 2025 or 2026): Disable creation of new EncFS profiles. This becomes "relevant" for "Debian stable" users round about year 2027/28 when Debian 14 is released.
- After Debian 14 is released (year 2027 or 2028): Remove EncFS in upstream BIT.
- Debian 15 in year 2029 or 2030: Our transformation then has reached Debian stable.
Additional details
- First discussion about deprecating EncFS was in Mark EncFS as deprecated feature and inform the users about it #1549.
- The security issues of EncFS under discussion:
  - EncFS Security Audit
    - https://defuse.ca/audits/encfs.htm (as updated blog post)
    - https://sourceforge.net/p/encfs/mailman/message/31849549/ (original mailing list entry)
  - EncFS development ? vgough/encfs#314 (a not-fixed meta issue with a list of several open issues related to the Security Audit)
  - Current security status vgough/encfs#659
  - Stream Cipher Used to Encrypt Last File Block vgough/encfs#9
  - https://wiki.ubuntuusers.de/Archiv/EncFS/ (German archived Ubuntu Wiki)