Dropbox clone with git, ssh, EncFS and rsync.net
We created a lot of half-working Truecrypt/Filevault/encfs schemes and fiddled with a lot of --partial --progress --whatever switches to rsync, but eventually we just told people to use duplicity[1][2] and call it a day.
Then Mr. Raymii came along and dropped this in our lap:
https://raymii.org/s/articles/Set_up_your_own_truly_secure_encrypted_shared_storage_aka_Dropbox_clone.html
The tl;dr there is:
"This article describes my truly secure, encrypted file synchronization service. It used EncFS and dvcs-autosync which lets me share only the encrypted data and mount that locally to get the plaintext."
... and we couldn't be happier. Finally we (and anyone using rsync.net, or any ssh host with git on it) have an elegant way to sidestep the issues of trust and authority[3] over remote data on systems you don't control.
Enjoy! [4]
[1] http://duplicity.nongnu.org/
[2] ... and it's still a very good solution.
[3] http://www.rsync.net/resources/notices/canary.txt
[4] HN discount is 10c/GB/mo. Just email us.
29 comments
[ 3.0 ms ] story [ 82.6 ms ] threadhttp://members.ferrara.linux.it/freddy77/encfs.html
We have never used this and cannot vouch for it in any way, but there it is ...
31% off for life - 24*0.69/12=1.38
Enjoy!
Edit: Not to mention the other uses I get out of my VPS - voice chat server, VPN tunneling for my Roku (In Canada), game server, etc. Ofcourse, if you are storing important information, I wouldn't suggest loading up your VPS with services increasing risk of hacking.
To be a Tahoe-LAFS "target" you do need to be running their code on the server side ... and it's python.
We make a point to keep our environment as simple and sanitized as possible, which implies having no interpretors, so at this time you can't use rsync.net as a Tahoe-LAFS target.
BUT! We've always been very excited about Tahoe-LAFS and are well acquainted with Zooko and his team, etc., and so we are experimenting with a frozen[1] implementation of it that we can place into our environment as a binary executable[2].
The two solutions aren't really that related, as Tahoe-LAFS (sort of) implies that rsync.net would be just one of many (perhaps ten) remote containers out there, whereas this solution is targeted to just one remote host... but since you asked ...
[1] http://cx-freeze.sourceforge.net/
[2] We already do this with rdiff-backup, which is how we are able to support that ...
Of course, you could just use Tahoe-lafs to store everything on one or two nodes when they're reliable and durable, but then why not just use gpg or encfs, which don't require custom clients or gateway/introducer nodes?
[1] http://git-annex.branchable.com/special_remotes/
http://git-annex.branchable.com/devblog/day_22__gcrypt_on_rs...
http://git-annex.branchable.com/forum/making_good_use_of_my_...
http://git-annex.branchable.com/special_remotes/rsync/
That is, say you change one line in 1 MB text file. If you rsync plain text, it will transfer a handful of bytes. If you encrypt and then rsync encrypted text, then presumably a lot more bytes will be scrambled and you will have a bigger diff to transfer. I guess it depends on the block size.
If the resulting file is truly random vs. the last time you mounted it, then you (of course) need to retransmit everything.
However, imagine that every time you closed your TC volume or unmounted filevault it had to rewrite an entirely new multi-GB file ? Of course that would take forever and would be difficult to use.
So most encryption image software organizes the image internally such that new data written only affects portions of the file. And then, in theory, rsync with options like --partial --inplace --whatever will then transfer it efficiently.
BUT, our experience is this seldom works properly. The amount of internally changed data changes dramatically form usage to usage, and often has very little to do with the amount of actual data you changed. We just never got it to work well, consistently.
How does one consistently store encrypted data using rsync.net as a backend, whilst maintaining the benefits of the rsync protocol?
This seems to rule out the benefits of using rsync w/ encrypted files.
Is there something I'm missing?
How is the best way to get this done, security considerations as against bandwidth?
[1] https://en.wikipedia.org/wiki/Watermarking_attack [2] https://en.wikipedia.org/wiki/Stream_cipher_attack
http://grigio.org/diy_your_dropbox_backup_zfs_sshfs_and_rsyn...
List encrypted FSL http://en.wikipedia.org/wiki/List_of_cryptographic_file_syst...
I just use SSH or stunnel w/ a SQL database with procedures built in.
What?! No don't do it! If you lost your .encfs6.xml file pretty much you lost everything. You can't decode your files back. Of course you don't have to sync it, you can back it up by other means. But you can't just remove it.