Security of decrypted files

[ghost]

If I open a container, where are the decrypted files stored? Are they stored in protected memory or decrypted files are stored temporaly in file system?

If files are decrypted at file system, are these files securely deleted after the container is closed? If so, what tool is used to securely delete the files?

If I expose open volumes via "Manage unsafe features", are these decrypted volumes written to file system, meaning recovery tool can restore decrypted data?

[hardcore-sushi]

When you open a volume, the decrypted files are not stored anywhere. Only the directory content is decrypted (in memory) to show you the list of files. Then when a file is read (you open it or export it), its content is decrypted on-the-fly by the app, still in memory. It works the same way as the original gocryptfs and CryFS programs, as well as most disk encryption systems, including that used by Android. In DroidFS, the decrypted content only touches the disk in two cases:

• when you manually export a file to the shared storage of course
• when you open/share a file with other apps from the explorer or using the "Expose open volume" unsafe feature (this is sometimes required due to Android APIs limitations). However, you can choose to disable this behavior by changing the Export method in the unsafe features settings to "Memory file".

[ghost]

So if I "Allow exporting/decrypting file" then I can specify via "Export method", whether to ezport/decrypt file via storage or memory file? In case of temporal usage of storage, is file safely deleted after export has been completed or there will remain traces on storage?

If I "Expose open volume" does DroidFS use some virtual memory drive for this? I mean what happen if expose volume and then disable this option, would I be able to find traces of decrypted volume on storage?

[hardcore-sushi]

No, "Allow exporting/decrypting file" only lets you to manually export a file from an encrypted volume to the shared storage (add the "Export/Decrypt" option is the file selection menu).

"Expose open volumes" works the same way as the internal explorer: no file is decrypted until read. If you turn on this feature, then disable it, no trace will be left, provided no other apps acceded the exposed volumes in between.

[ghost]

Thank you for clarification.