TL;DR
This article describes my truly secure, encrypted file synchronization service. It used EncFS and dvcs-autosync which lets me share only the encrypted data and mount that locally to get the plaintext. It works on OS X, Linux and ARM linux. This article has setup instructions for all those platforms.
Diagram
Overview of the solution we're building.
My data is in an EncFS encrypted folder. The unencrypted contents are available after unlocking the folder. The encrypted files are synced to an ssh server an to a few other machines and devices using dvcs-autosync. The enryption happens on my machines before the data leaves the to internet.
Preface
Recently I've had to stop using SpiderOak for my file backup and syncronization across machines. The main reason being that there is no ARM version of SpiderOak and the RAM usage was getting out of hand for me. And there still is no open source client, sadly. However, my time with SpiderOak was good, I've paid for it and most of the time it just works fine.
But since I recently bought an ARM Laptop on which I also need my files, it became time to switch to another secure shared file storage. I have a few demands for such a service:
- It should support synchronization to multiple (more than 2) devices.
- It has to run on both OS X and any reasonable recent Linux version.
- It should encrypt files on my machine(s) before going to the internet.
- It has to be easy to add or remove storage nodes (like vps servers).
- It has to be open source.
- It should run on both x86 and ARM (debian armhf) (Chromebook ARM, Raspberry Pi).
Then all current commercial services drop off, including SpiderOak, Bittorrent Sync and git-annex. This resulted in a clever combination of EncFS and dvcs-autosync. Because, in this day and age, you cannot trust any "cloud" provider with your unencrypted data. (And you can only trust those who say they do it securly when they release there source code, wink wink Wuala/Spideroak).
Overview
I'll describe the steps and requirements needed to set this up first. Then we get started with the setup. First we'll set up the server. Then the first Linux client. If needed, steps are provided for adding other Linux clients. Then instructions for OS X are provided. It is a little long, but if you want privacy and security a one time investment is required.
Requirements
- Linux machine (With python 2.6+, tested on Debian 7 armhf and Ubuntu 12.04)
- VPS/External ssh server
Not mandatory:
- OS X machine (iMac, Macbook) with python 2.6+ (Included in Lion and above), git, xcode, command line tools for xcode and homebrew.
Steps
Prepare the SSH/git server
Prepare the Linux client
- Install EncFS
- Creating the secure EncFS folder
- Install dvcs-autosync
- Create an XMPP account
- Set up dvcs-autosync
- Special steps for an ARM Chromebook
Set up another Linux client
Prepare the OS X client
- Install MacFUSE
- Install EncFS
- Get the secure folder
- Install dvcs-autosync
- Set up dvcs-autosync
So, lets get started. In about half an hour you have your own secure encrypted file synchronization service.
Set up the SSH server
As said, you'll need an SSH server which will act as your central data repository. Here your encrypted data will reside, and clients push and pull changes to and from here. If you have a few laptops which are not on all the time, this server makes sure all the clients have the most recent data.
If you don't have a VPS, InceptionHosting has good VPS servers for a nice price. (Affiliation link).
I won't cover the installation and setup of the server. SSH, a user account and a passwordless SSH key is all you need. Google can help you with the setup of that.
First install git:
apt-get install git
Now, go to your home folder and create the "repository":
cd ~
git init --bare autosync.git
That's it. Now we are going to set up the clients.