Stacked cryptographic filesystem on Android possible? Can cryptomator do it?

monozygote

Is there anything like this in Android?

Eg. with ecryptfs on linux your files and filenames etc are all encrypted. You can mount the encrypted dir anywhere (even on itself) as plaintext after you provide the passphrase - something like sudo mount -t ecryptfs ./dir-foo ./dir-foo (will ask for details like passphrase etc) and now you can just use dir-foo as you normally would any directory. Any writes just get encrypted on the fly and reach the disk. So you can use any sync software to sync your (encrypted) files/dirs. Obviously only the files that changed would be incrementally sync'd (unlike say a full-disk-encryption/block-encryption/volume-encryption solutions).

I think cryptomator offers something like this, but not exactly. I don't know much about it so here's my half-baked understanding of it:

Firstly, it's not hands-off transparent on-the-fly thingy. Say I want to "ecryptfs" the Documents directory on Android. With ecryptfs I would just do sudo mount -t ecryptfs /path/to/Enc-Docs /path/to/Documents and then whatever writes to Documents gets on-the-fly and transparently encrypted and stored into /path/to/Enc-Docs, there's no duplication. Then I can just use something like Syncthing or whatever to sync /path/to/Enc-Docs. I don't think cryptomator is any help here? I need to consciously drag/move the files from Documents to an open cryptomator vault every time I make changes, add files/folders, remove them etc. I likely also need to additionally press "Lock vault" before it actually writes them encrypted to the disk (not sure) ?

Also in this case the files/dirs are duplicated - one plain text version in Documents and one ciphertext version in cryptomator vault, so at-least twice the size (barring any compressions).

Do I have an exact ecryptfs like functionality for Android or can something like cryptomator be used to mimic it? Even if the duplication aspect is ignored, can we at-least automate the "copying/moving" of the files from desired dirs into corresponding locations in cryptomator's vault? Or anything else that can do all this?

Fupira

As far as I'm aware you won't be able to have any app do the same as

mount -t ecryptfs /path/to/Enc-Docs /path/to/Documents

specifically: you can't have an app "receive" writes to a certain filesystem folder in a traditional unix way.

How I'm understanding the documentation, Cryptomator doesn't support exposing the vault as a "Document Provider". The development of that feature seems to still be on hold.
This means you'd have to share, export/import, ... files out of and into the vault, if you want to encrypt or use them.
Though, editing and saving a file "shared" to another app seems to be supported, I don't think it's what you expect or need.

Since I don't have Cryptomator, and am using the following app for this kind of stuff, I'll describe it for DroidFS, which might offer what you need:
You can create an encrypted vault - with an encryption scheme similar to Cryptomator, aswell as one that also hides filesizes and folder structures - which will be saving encrypted data to a folder of your choosing (/path/to/Enc-Docs) on the storage of your phone. You can then sync that folder with Syncthing. I'd probably recommend the scheme which doesn't hide filesizes and folder structure, as Syncthing might have trouble with a lot of pretty small files.

An open vault can then be made visible in the Files app, it'll be listed as an entry after "Android" in the pull-out menu.
It's reachable by holding, then swiping your finger from the left side of the screen towards the middle - you can also use the "hamburger" button on the top left.
For that you'd have to allow the "Unsafe feature" of Storage Access Framework (Expose open volumes, Grant write access) in DroidFS' settings.
note: Storage Access Framework itself isn't unsafe, in the apps context it's labelled as that, as it allows you to let third party apps access the data in the vault - which in turn could save the files unencrypted.

If you now have any modern application, supporting the Storage Access Framework to write or read files, you can choose in the dialogue, in which you export/save/allow access to a folder or file, one from the open, exposed vault.
Files being written into it, edited or read, will be encrypted or decrypted on-the-fly by DroidFS and saved to the phones space only in encrypted form, once·.

if you don't want any traces of 'unencrypted' files on the phones filesystem, you'll have to choose "Export method" "Memory file" in the settings, just below where you allowed Storage Access Framework.
An app accessing the files can still write them (temporarily or permanently) to storage unencrypted though, but with this option it won't be DroidFS, unless instructed to.

Be aware that automatic backups, if the vault isn't opened, likely won't work properly this way, since you'd have to open the vault before apps are able to access it through the "documents provider".

Another caveat: You should also enable "Storage Scopes" for DroidFS, if you don't allow access to all files, and allow access to the folder with the vault in it. Otherwise DroidFS won't be able to properly delete "chunk" files, at least if you're using the encryption scheme which hides file sizes and folder structures.

I hope this is in any way helpful and apologize for (very likely lots of) grammar errors in advance. :')

monozygote

raccoondad Oh that's not what I'm trying to achieve, rather it's for passing data out over the Internet, not protecting data from apps/profiles on the phone itself since I'm content with the way storage scopes etc work. I just feel a bit uncomfortable using sync-over-the-net solution like syncthing for eg whose android fork is not maintained by the syncthing team. Nothing against the developer of syncthing-fork (android) and in-fact they have my eternal gratitude, but I don't know the source code etc so any oopsie moment (bug, compromise etc) means a ton of sensitive (to me) data just flying off insecurely over the Net (and maybe to unintended recipients). If everything is encrypted (which I can always check on the filesystem with) then it's less concerning (obviously).

Fupira Thank you very much! This sounds promising and I'll take a look. I think even if we cannot have the app "receive" writes to a certain filesystem folder in a traditional unix way that you mention, if I understand your description correctly, I can make it work. Trivial eg. secondary-profile syncs Documents, Downloads etc dirs to primary profile (say via syncthing or anything that's only constrained to talk over local-host so nothing leaves the device ever). The destination of such a sync in the primary profile is the folder structure inside DroidFS vault (or cryptomator vault once they have the feature you linked available). They should then do the on the fly encryption and write to wherever the encrypted vault actually lives. That is the only dir which is then Internet-Sync'd (maybe using syncthing again or whatever).

That way I can also ensure that the vault is always loaded (decrypted) before I log into my secondary profile(s) and their sync is active, since I always have to log into the primary profile before logging into secondary ones after reboot.

Let me trial this and see if it works among a few Android profiles and linux machines (assuming whatever droidfs writes can be decrypted with something similar on normal linux desktops).

raccoondad

No way, if you want a separately encrypted filesystem, make another profile or use private space