henkstubbe


Rsync and rsyncrypto on Ubuntu 8.10
January 7, 2009, 10:12 pm

For a couple of months I have been using rsync to mirror the data on my server to a remote location. This works perfectly fine; the only issue is that the data is not really hidden from the other people who have access to the server or mirror. I finally found a solution: rsyncrypto. With this tool I can encrypt my files and then use rsync to transfer them using as little bandwidth as possible.

Because I couldn’t find a nice tutorial that I can use as a reference, I wrote one based on http://pwet.fr/man/linux/commandes/rsyncrypto, http://www.linux.com/feature/125322 and http://blog.wuxinan.net/archives/86.

To install rsyncrypto:
sudo apt-get install rsyncrypto

Using OpenSSL, create a certificate and private key:
openssl req -nodes -newkey rsa:1536 -x509 -keyout rckey.key -out rckey.crt

To encrypt files:
rsyncrypto -r --name-encrypt=filemap /tmp/srcdir /tmp/dstdir foodir.keys rckey.crt

This will result in a directory tree containing encrypted files. If you want to hide the file names as well, use the --name-encrypt=filemap option with rsyncrypto, as in the example above. This will garble the file names and directory structure. The file filemap will contain the mapping between the original file names and the garbled names.

To decrypt files:
rsyncrypto -dr --name-encrypt=filemap /tmp/encrypted /tmp/decrypted foodir.keys rckey.key

Now I was wondering: I need the keys to decrypt the files, but what if I lose them? Or do I need to back them up as well?

There are two decryption options: cold decryption and warm decryption.

Cold decryption: rsyncrypto -d /tmp/encrypted/filemap /tmp/decrypted/filemap /tmp/decrypted/filemap-keys rckey.key

In this example, the encrypted filemap that is generated automatically is used to restore the original filemap. Secondly, the keys are retrieved.

Now proceed with warm decryption:
rsyncrypto -dr --name-encrypt /tmp/decrypted/filemap /tmp/encrypted /tmp/decrypted /tmp/decrypted/filemap-keys rckey.key

Et voila, we got our very secret stuff back.

So, to answer the question on what files are important to have: it is really important to keep a safe copy of rckey.key because it enables cold decryption in case you lose the file keys.
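
A pre-flight check for the setup above, added here as an example and not part of the original post: it verifies that rckey.key, the file keys and the plaintext filemap are not inside the directory that rsync will mirror, and that the passphrase-less private key is not accessible to other users. The function names and the script name preflight.sh are made up for this sketch; the file names are the ones used in the commands above.

```sh
#!/bin/sh
# Added example: checks to run before rsync mirrors the rsyncrypto output.
# File names follow the post; the function names are made up for this sketch.

# Print the physical absolute path of an existing file or directory.
abs_path() {
    if [ -d "$1" ]; then
        (cd "$1" && pwd -P)
    else
        (cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")")
    fi
}

# Succeed if path $1 is directory $2 itself or lies somewhere below it.
is_inside() {
    case "$(abs_path "$1")/" in
        "$(abs_path "$2")"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight ENC_DIR PRIVATE_KEY KEYS_DIR FILEMAP
# Prints one line per problem; the return status is the number of problems.
preflight() {
    enc=$1 key=$2 keys=$3 map=$4 problems=0
    # Plaintext secrets must never sit in the tree that gets mirrored.
    for secret in "$key" "$keys" "$map"; do
        [ -e "$secret" ] || continue
        if is_inside "$secret" "$enc"; then
            echo "LEAK: $secret is inside $enc and would be mirrored"
            problems=$((problems + 1))
        fi
    done
    # -nodes wrote the key without a passphrase: file mode is its only guard.
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "PERM: $key is accessible to group or others (chmod 600)"
        problems=$((problems + 1))
    fi
    # Without the private key, lost file keys cannot be recovered.
    if [ ! -f "$key" ]; then
        echo "MISSING: $key not found, cold decryption is impossible"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: sh preflight.sh /tmp/dstdir rckey.key foodir.keys filemap
if [ "$#" -eq 4 ]; then preflight "$@"; fi
```

Run it before each rsync transfer and skip the transfer when it returns a non-zero status.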