File encfs6.xml located in a different place from where the encrypted files are located
The encfs6.xml file is included in the same folder where the encrypted files are located. This can be a security risk, as the encfs6.xml file contains the password and information about the tool used to encrypt the files (BoxCryptor), so a potential attacker could recover some information, such as the encryption algorithm used by BoxCryptor (AES-256), or try to find a bug in the encryption tool used.
So to avoid it, I think it would be a great idea if it were possible to have the encfs6.xml file located in a different place from where the encrypted files are located, for example in another local folder on my hard disk.
I mean to have the encfs6.xml file and the encrypted files separately, so that if a hacker could access my DropBox account, he wouldn't be able to get the encrypted password or know what tool and encryption algorithm were used to encrypt the files.
The encfs6.xml could even be located in a WebDAV folder or another synchronization tool similar to DropBox. BoxCryptor could read the file once and store it in RAM, so no more access to the file should be needed unless you need to make a modification to the file, for example changing the password or similar.
In this way our encrypted files will be much safer, as a hacker couldn't know the encryption tool and the encryption algorithm used if he gains access to our DropBox account.
Yesterday Cryptonite for Android (ALPHA-0.7.0) added support for storing .encfs6.xml in an alternate location. If you use this feature in the Windows version of BoxCryptor, you can use Cryptonite while you are waiting for BoxCryptor for Android to add this feature.
Yes, this is a show-stopper for me to use BoxCryptor on Android.
Is the salt data in the encfs6.xml also encrypted?
This is already an option for the Windows version. I would like to see this as an option for the other versions as well. For me, specifically, I would like to see this on Android. The encfs6.xml file gives an attacker way too much information. It would be really nice to never send this file to the cloud. I can copy it to my phone manually. The password should be seen as the final roadblock protecting your files, not the first.
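An added audit script (not BoxCryptor's or EncFS's own code) for the concern raised in the original post and for the salt question above: it reads what an encfs6.xml discloses to anyone who holds the synced folder, and reports whether the salt and the password-encrypted volume key blob are stored in it. It assumes the EncFS 1.x config element names and works on a constructed sample, not a real volume's config.

```python
"""Audit an EncFS config (encfs6.xml) for the metadata it discloses to anyone
who can read the synced folder. Added example for this thread, not BoxCryptor's
or EncFS's own code; element names assume the EncFS 1.x config layout and the
sample below is a constructed stand-in, not a real volume's config."""
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the fields the audit reads; blobs are placeholders.
SAMPLE_ENCFS6_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
<cfg class_id="0" tracking_level="0" version="20">
  <creator>EncFS 1.7.4</creator>
  <cipherAlg class_id="1" tracking_level="0" version="0">
    <name>ssl/aes</name><major>3</major><minor>0</minor>
  </cipherAlg>
  <keySize>256</keySize>
  <encodedKeyData>placeholder-for-password-encrypted-volume-key</encodedKeyData>
  <saltData>placeholder-for-kdf-salt</saltData>
  <kdfIterations>65536</kdfIterations>
</cfg>
</boost_serialization>"""

# EncFS writes the config as a hidden file; the thread also uses the bare name.
CONFIG_NAMES = {".encfs6.xml", "encfs6.xml"}

def disclosed_metadata(xml_text):
    """What a reader learns without the password: tool version, cipher, key
    size, KDF cost, and whether the salt and the password-encrypted volume
    key blob are present (the material a password-guessing attack needs)."""
    cfg = ET.fromstring(xml_text).find("cfg")

    def field(path):
        node = cfg.find(path)
        return node.text if node is not None else None

    return {
        "creator": field("creator"),
        "cipher": field("cipherAlg/name"),
        "key_bits": int(field("keySize") or 0),
        "kdf_iterations": int(field("kdfIterations") or 0),
        "has_salt": field("saltData") is not None,
        "has_encoded_key": field("encodedKeyData") is not None,
    }

def config_beside_ciphertext(names):
    """True when the config shares a folder listing `names` with other files,
    i.e. the placement the thread asks to avoid (config next to ciphertext)."""
    names = set(names)
    return bool(names & CONFIG_NAMES) and bool(names - CONFIG_NAMES)
```

Run `config_beside_ciphertext(os.listdir(folder))` on each synced folder to find configs that should be moved, and `disclosed_metadata` on any that remain to see exactly what they reveal.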