I was investigating using ecryptfs to encrypt a single directory on my computer, but one of the things I noticed was that it leaks the timestamps of operations on unencrypted files in the lower encrypted data files, as also mentioned at "conceal home folder completely - is ecryptfs the right choice?", which could considerably help attackers in identifying the files.

Is there a way to hide those timestamps, e.g. by using a fixed timestamp for every single data file? I understand that the file sizes can also help the attacker, but that I can live with (hmmm or can I? Can the attacker uniquely determine the exact size of an encrypted file from an unencrypted version of it? For another question I guess).

You can reproduce this with:

```bash
export ECRYPTFS_DIR="$HOME/ecryptfs"
export ECRYPTFS_DATA_DIR="$HOME/.ecryptfs-data"

sudo mount -t ecryptfs \
  -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes \
  "$ECRYPTFS_DATA_DIR" \
  "$ECRYPTFS_DIR"
echo AAAA > ~/ecryptfs/aaaa
echo BBBB > ~/ecryptfs/bbbb
dd if=/dev/zero bs=1k count=1k > ~/ecryptfs/zzzz
# Unmount, then list the lower (encrypted) files and their timestamps
sudo umount "$ECRYPTFS_DIR"
ls -l "$ECRYPTFS_DATA_DIR"
```

which will show the correct timestamp on those files.

Tested on Ubuntu 20.04, Linux kernel 5.4.

Ciro Santilli OurBigBook.com

1 Answer

No, you can't hide timestamps. If you want to hide metadata such as timestamps and file sizes (which are more likely to breach privacy than timestamps), you need whole-disk (or whole-partition) encryption.

There may be a way to force the mtime (content modification time) to be different (actually, you can do that manually with touch), but there's no way to hide the ctime (inode change time). The ctime is the last time the file was modified in some way.
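
The mtime/ctime distinction in the answer above, as an added example that is not part of the original post: it pins atime and mtime on every file in a directory to a fixed value with `touch`, then checks that ctime still records when the change happened. It assumes GNU coreutils (`touch -d @N`, `stat -c`) as on Ubuntu; the function names and `FIXED_EPOCH` are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils.
# FIXED_EPOCH is a constructed value: 2000-01-01 00:00:00 UTC.
FIXED_EPOCH=946684800

# Set atime and mtime of every regular file under $1 to FIXED_EPOCH.
pin_times() {
    find "$1" -type f -exec touch -d "@$FIXED_EPOCH" {} +
}

# Print "mtime ctime" (seconds since the epoch) for file $1.
times_of() {
    stat -c '%Y %Z' "$1"
}

# Count regular files under $1 whose ctime differs from FIXED_EPOCH,
# i.e. files whose inode change time still reveals real activity.
count_ctime_leaks() {
    find "$1" -type f -exec stat -c '%Z' {} + |
        awk -v e="$FIXED_EPOCH" '$1 != e { n++ } END { print n + 0 }'
}

# Run the check on a scratch directory standing in for the lower data dir.
demo() {
    dir=$(mktemp -d)
    echo AAAA > "$dir/aaaa"
    echo BBBB > "$dir/bbbb"
    pin_times "$dir"
    for f in "$dir"/*; do
        printf '%s mtime/ctime: %s\n' "${f##*/}" "$(times_of "$f")"
    done
    echo "files whose ctime still leaks: $(count_ctime_leaks "$dir")"
    rm -rf "$dir"
}

demo
```

The `touch` call itself is an inode change, so the kernel stamps ctime with the current time each time the mtime is pinned.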