Encrypt destination file

rsync at raf.org rsync at raf.org
Tue Mar 10 03:00:59 UTC 2020


Rainy Days via rsync wrote:

> Hi,
> 
> My company have been using rsync to sync our file to a backup server (running rsync daemon), and now we would like to store them encrypted.
> I found some thread that discussed this issue but they are pretty old (about 10 years ago). So I send this question again and looking for any new approach.
> Is there any option or module for rsync to encrypt file on the destination?
> 
> Thanks a lot,
> Dat Le

Hi,

If the destination is Linux, you could maybe use
ecryptfs to encrypt a section of the file system.
Everything would still appear decrypted as long as the
ecryptfs file system is mounted. But if you wanted it
to look encrypted, then maybe you could mount it,
rsync, then unmount it. Then it would at least appear
encrypted most of the time (when rsync is not actively
in use). But this sounds dumb.

For rsync to do this automatically, it would need to be
able to automatically decrypt files in memory at the
destination in order to compare them to the source
version which means having access to the decryption key
at the destination. An option to run a process at the
other end to filter each file for comparison would be
needed. That would slow things down.

Another option is to have full disk encryption at the
destination. I know that this (and ecryptfs) still make
unencrypted files accessible while the host is running,
and so may not satisfy the needs of your threat model,
but it does seem to satisfy the encryption-at-rest
requirements of some governments for some purposes.

Another approach (assuming Linux and ecryptfs), is to
use ecryptfs at the source to store everything
encrypted, use a mountpoint for the ecryptfs file
system that isn't the same as the underlying directory
so that the encrypted versions of the files are
accessible (which they wouldn't be if the ecryptfs file
system were mounted over the top of the underlying
directory), and just rsync the underlying encrypted
directory rather than the overlaid ecryptfs file system
(where everything looks decrypted). This approach
doesn't require any changes to rsync and it doesn't
require the ability to decrypt the files on the
destination host. But it does require Linux and
ecryptfs at both the source and the destination.

cheers,
raf




More information about the rsync mailing list