Looking for an encrypted file container

I’m looking into ways to have a secure file container that I can easily copy/sync between servers.
It would be nice if it has some kind of redundancy mechanism, storage space is not an issue.

I am using cryfs currently, but I didn’t copy it over the network too many times, maybe once. It stores the data in a lot of small files (blocks); the advantage of this approach is that it’s fast to sync between devices. You only have to copy the changed blocks.
It has a big issue though: if a block that contains directory data is damaged, you lose that whole directory; if some other block gets damaged, you just lose the file it contains.

So I’m looking for something that has some tolerance or redundancy for data corruption; it doesn’t have to be fast or efficient.

Maybe I could do some backups of this sensitive data, but I don’t know how to do that without exposing the password/keys to some auto backup script. I could start a script and manually enter the password, but I would prefer something automatic for backup and really don’t know how other people do it, without storing some secret on the disk.

edit: maybe I just do two containers and do a script that syncs them before unmounting them, maybe also generate some par2 data

I don’t really have a suggestion, but I found your requirement description a bit confusing…

Why?
Are you trying to back up decrypted data? (What’s the point of encryption in the first place then?)

Wouldn’t you be backing up the encrypted file as-is, meaning you don’t need to either mount or decrypt them - therefore no key and no sudo pass needed?

Does anyone know if it would be inefficient or impractical or even unsafe to give syncthing root permissions to access an encrypted directory on paired devices?

Maybe this would be an easy solution for the OP?

Of course, you’d also password protect syncthing.

You are right, I could just back up the encrypted files, with something like borg or restic.

I don’t think it’s a good idea to leave the container open all the time for syncthing. You should only sync the encrypted block files anyway. Especially with cryfs, the description says that it’s not a good idea to have it open by two different instances.

If you want to access the files on something like a phone, you should write a script that you start over ssh, it should mount the container then start syncthing, or you can access files without syncthing too over ssh. I saw an app that can access files through ssh. It can be simple enough, maybe you only need to enter your password in the command line.
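The sync-before-unmount script sketched in the edit to the first post, and the advice above to sync only the encrypted block files, as an added example (shell; not from the original thread, not cryfs’s own tooling): it mirrors the cryfs base directory, refuses to run while the container is mounted, writes a sha256 manifest of the blocks and adds par2 parity when the par2 tool is installed. The directory paths and the 20% redundancy level are assumptions.

```shell
# Back up a cryfs container by syncing its encrypted base directory (the block
# files) rather than the mounted plaintext, so the job never needs the password.
# Refuses to run while mounted (cryfs should not be open by two instances),
# records a sha256 manifest and, if par2 is installed, adds repair data.
set -eu

# sha256sum (coreutils) or shasum (perl) for the manifest; both accept -c --status.
if command -v sha256sum >/dev/null 2>&1; then HASH=sha256sum; else HASH="shasum -a 256"; fi

# Returns 0 when DIR is a current mount point (reads /proc/mounts, else `mount`).
is_mounted() {
  if [ -r /proc/mounts ]; then
    awk -v d="$1" '$2 == d { f = 1 } END { exit !f }' /proc/mounts
  else
    mount | grep -q " on $1 "
  fi
}

# sync_blocks BASEDIR MOUNTPOINT DEST
#   BASEDIR    cryfs base directory holding the encrypted blocks (assumed path)
#   MOUNTPOINT where the plaintext view is mounted; must be unmounted now
#   DEST       backup target directory (local path or a mounted remote share)
sync_blocks() {
  base=$1; mnt=$2; dest=$3
  if is_mounted "$mnt"; then
    echo "refusing to sync: $mnt is still mounted, unmount the container first" >&2
    return 2
  fi
  mkdir -p "$dest"
  # Mirror the block files; rsync only transfers blocks that changed.
  if command -v rsync >/dev/null 2>&1; then
    rsync -a --delete "$base/" "$dest/"
  else
    cp -R "$base/." "$dest/"
  fi
  # Manifest of every block, so corruption is noticed before it spreads to other copies.
  (cd "$dest" && find . -type f ! -name '*.par2' ! -name SHA256SUMS \
     | LC_ALL=C sort | xargs $HASH > SHA256SUMS)
  # Parity over blocks and manifest; 20% redundancy is an assumed level.
  if command -v par2 >/dev/null 2>&1; then
    (cd "$dest" && rm -f blocks*.par2 \
       && find . -type f ! -name '*.par2' -exec par2 create -q -r20 blocks.par2 {} +)
  fi
}

# verify_blocks DEST: returns 0 only if every block still matches the manifest.
verify_blocks() {
  (cd "$1" && $HASH -c --status SHA256SUMS)
}
```

Run `verify_blocks` on each copy before syncing it onward, and `par2 repair blocks.par2` in the backup directory when it reports a mismatch.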

Okay, I see.

For me, encrypting files isn’t so important as I don’t have any confidential or work files that need it. Was just seeing if this would be a solution for you (and for myself in the future) that would be easy to implement.

I’m not familiar with the tools you’ve listed, but your setup (“It stores the data in a lot of small files (blocks)”) sounds ideal for some system that supports differential version control of binary data for efficient use of storage space.

restic for example (from a quick search) mentions:

  • effectively, only transferring the parts that actually changed in the files you back up

Not sure about borg.

Just thought I’ll mention the feature in case you wanna take advantage of it for efficient storage space usage :wink:
Best of luck!


I have a few cheap VPS-es but I don’t trust the providers 100%, better safe than sorry.
I have some keys, some passwords, some app projects and I just don’t want to lose them and copy it to some random storage provider, who knows how safe it is. Tried veracrypt with google drive and dropbox, they just messed it up in a few days. I don’t have RAID in my PCs, so I’m just preparing for the event when the NVMe drive dies or catches fire.

Yeah, trusting providers is a gamble we all take.

For me, it’s a combination of syncthing and resilio sync for syncing files (with versioning) between devices, with three external drives (2 SSDs, 1 HDD), and my cloud provider is filen sync.
