by zarvox 5099 days ago
I'm an engineer at AeroFS, and yep, we use scrypt. The client applies scrypt with a per-user salt to the S3 encryption passphrase you enter at install-time, which gives a 512-bit key that the client stores. This is not quite the AES key itself - we apply PBKDF2 an additional time to this stored value to derive the actual 256-bit AES key (it fit more easily into our existing codebase...), but it retains the same hardness of derivation that scrypt provides (unless the stored key is stolen, as is the case in any system with stored keys).

In this manner, the AeroFS client can (and does) access the data stored on S3 directly, but if you were to lose the machine that runs the client (but still know the password you used at setup), you can still decrypt those files by deriving the same key on a different machine.

Colin Percival's writings ([1] in particular) were very helpful in picking the appropriate set of cryptographic primitives to use. Thanks, cperciva! :D

[1] - http://www.daemonology.net/blog/2009-06-11-cryptographic-rig...

(edited to add that I work at AeroFS)
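The derivation chain described in the comment above, as an added sketch (not AeroFS code and not written by the commenter): scrypt over the passphrase with a per-user salt gives a 512-bit stored key, and PBKDF2 over that value gives the 256-bit AES key. The scrypt cost parameters, the PBKDF2 hash, iteration count and salt label, all function names, and the availability of the per-user salt on the replacement machine are assumptions; the comment states none of them.

```python
import hashlib
import hmac
import os

# Assumed cost parameters; the comment does not say which ones AeroFS uses.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
PBKDF2_ITERATIONS = 10_000            # assumption
PBKDF2_CONTEXT = b"example-aes-256"   # hypothetical salt/label for the second step


def derive_stored_key(passphrase: str, user_salt: bytes) -> bytes:
    """Step 1: scrypt(passphrase, per-user salt) -> 512-bit key the client stores."""
    return hashlib.scrypt(
        passphrase.encode("utf-8"),
        salt=user_salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=64 * 1024 * 1024,  # headroom above the ~16 MiB scrypt needs here
        dklen=64,
    )


def derive_aes_key(stored_key: bytes) -> bytes:
    """Step 2: PBKDF2 over the stored value -> 256-bit AES key."""
    return hashlib.pbkdf2_hmac(
        "sha256", stored_key, PBKDF2_CONTEXT, PBKDF2_ITERATIONS, dklen=32
    )


def recover_aes_key(passphrase: str, user_salt: bytes) -> bytes:
    """Full chain, as run on a replacement machine holding only passphrase and salt."""
    return derive_aes_key(derive_stored_key(passphrase, user_salt))


if __name__ == "__main__":
    salt = os.urandom(16)                        # constructed per-user salt
    passphrase = "correct horse battery staple"  # constructed sample passphrase

    stored = derive_stored_key(passphrase, salt)  # the original machine keeps this
    key_a = derive_aes_key(stored)
    key_b = recover_aes_key(passphrase, salt)     # new machine, nothing stored
    print("recovered key matches:", hmac.compare_digest(key_a, key_b))
    # Holding `stored` skips the scrypt step entirely: the stored-key caveat.
    print("stored key alone suffices:", derive_aes_key(stored) == key_a)
```

The second step adds no passphrase hardness of its own: the cost an offline guesser pays comes from the scrypt call, which is why protecting the stored 512-bit value matters as much as protecting the AES key.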