vgough/encfs

Current security status

Opened this issue · 1 comment

Hello,
I would like to thank you for encfs. I just recently discovered it. It is very helpful with rsync because of the --reverse option. I have done several tests and am satisfied with it.

On the web, the use of encfs is discouraged because of a certain security audit from years ago. Even the Linux Mint package manager, when installing encfs, shows a warning window for possible security problems.

My feeling is that these are excessive concerns; however, I would like some information about them.

I wonder therefore:

  • Have the problems raised in that audit been resolved?
  • Having as a goal encrypted backups on a remote server of mine (a rented VPS) via rsync + encfs + --reverse option, are there real security issues or are they negligible?
  • Does it change anything if a hypothetical attacker has access to the .encfs6.xml file because it is saved with the backup on the remote server?

I appreciate your clarification.

Just to add to this.
While I think some of the audit points may have excessive concern, the project itself has been very stale. And from what I can find with regard to updates, most of the outlined issues have not been addressed; a few of them are still visible in the code.

I would honestly look at alternative solutions for now if you're worried / serious about security. Finding vulnerabilities is one thing, but the "speed" at which they haven't been addressed raises large concerns.

Nobody likes switching from a program they love. I hate it, but in this case, we're talking about security, and that is one of my fine lines to not cross.

Maybe Encfs 2 will release one day, and then I'll consider it as an option, but for now, I see nothing to suggest this project is anything but dead / abandoned.