Encrypt destination file

Dat Le tandatle1994 at hotmail.com
Tue Mar 10 11:32:55 UTC 2020

Thank you. I will investigate more about them.

Dat Le

From: rsync <rsync-bounces at lists.samba.org> on behalf of rsync--- via rsync <rsync at lists.samba.org>
Sent: Tuesday, March 10, 2020 3:00 AM
To: rsync at lists.samba.org <rsync at lists.samba.org>
Subject: Re: Encrypt destination file

Rainy Days via rsync wrote:

> Hi,
> My company has been using rsync to sync our files to a backup server (running rsync daemon), and now we would like to store them encrypted.
> I found some threads that discussed this issue but they are pretty old (about 10 years ago). So I am sending this question again and looking for any new approach.
> Is there any option or module for rsync to encrypt files on the destination?
> Thanks a lot,
> Dat Le


If the destination is Linux, you could maybe use
ecryptfs to encrypt a section of the file system.
Everything would still appear decrypted as long as the
ecryptfs file system is mounted. But if you wanted it
to look encrypted, then maybe you could mount it,
rsync, then unmount it. Then it would at least appear
encrypted most of the time (when rsync is not actively
in use). But this sounds dumb.

For rsync to do this automatically, it would need to be
able to automatically decrypt files in memory at the
destination in order to compare them to the source
version which means having access to the decryption key
at the destination. An option to run a process at the
other end to filter each file for comparison would be
needed. That would slow things down.

Another option is to have full disk encryption at the
destination. I know that this (and ecryptfs) still make
unencrypted files accessible while the host is running,
and so may not satisfy the needs of your threat model,
but it does seem to satisfy the encryption-at-rest
requirements of some governments for some purposes.

Another approach (assuming Linux and ecryptfs) is to
use ecryptfs at the source to store everything
encrypted, use a mountpoint for the ecryptfs file
system that isn't the same as the underlying directory
so that the encrypted versions of the files are
accessible (which they wouldn't be if the ecryptfs file
system were mounted over the top of the underlying
directory), and just rsync the underlying encrypted
directory rather than the overlaid ecryptfs file system
(where everything looks decrypted). This approach
doesn't require any changes to rsync and it doesn't
require the ability to decrypt the files on the
destination host. But it does require Linux and
ecryptfs at both the source and the destination.
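
Added example (not part of the original messages and not rsync's own code): a pre-flight check for the last approach above, confirming that the rsync source is the underlying encrypted directory and not the mounted, decrypted view. The paths, the `backup::module` destination and the function names are hypothetical, and the mount table is constructed sample data.

```shell
#!/bin/sh
# In /proc/mounts an ecryptfs entry reads:
#   <lower (encrypted) dir> <mount point (decrypted view)> ecryptfs <options> 0 0
# Constructed sample mount table; the paths are assumptions for illustration.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/srv/backup/.crypt /srv/backup/plain ecryptfs rw,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0'

# under PATH DIR: succeeds if PATH equals DIR or lies below it.
under() {
    case "${1%/}/" in
        "${2%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_source PATH [MOUNTS_TEXT]: prints "lower", "upper" or "none".
# Reads /proc/mounts when no mount table text is passed in.
classify_source() {
    src=$1
    mounts=${2:-$(cat /proc/mounts)}
    result=none
    while read -r lower mnt fstype _rest; do
        [ "$fstype" = ecryptfs ] || continue
        # The mount point is checked first: if ecryptfs is mounted over its own
        # lower directory, only the decrypted view is reachable at that path.
        if under "$src" "$mnt"; then result=upper; break; fi
        if under "$src" "$lower"; then result=lower; fi
    done <<EOF
$mounts
EOF
    printf '%s\n' "$result"
}

# sync_encrypted SRC DEST [MOUNTS_TEXT]: prints the rsync command line only
# when SRC is an ecryptfs lower directory; otherwise refuses with status 1.
sync_encrypted() {
    kind=$(classify_source "$1" "${3:-}")
    if [ "$kind" != lower ]; then
        echo "refusing: $1 is '$kind', not an ecryptfs lower directory" >&2
        return 1
    fi
    printf 'rsync -a %s/ %s\n' "${1%/}" "$2"
}
```

The script prints the command instead of running it, so the result can be reviewed before any data leaves the host.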

