jdrch

Members
  • Content Count: 150
  • Days Won: 2

About jdrch
  • Rank: Advanced Member

Profile Information
  • Gender: Male
  • Location: Quad Cities
  • Interests: Everything.

  1. @Mr Fethersmith Yw! @Andy+ @Mr Fethersmith My apologies for the broad-brushed statement. I guess I just don't have a use case for any of those right now. I'm glad they work for you.
  2. Yw! Seafile is worse than Resilio Sync in every way IMO, but use what works best for you.

     Encrypted data is impossible to interpret without decryption. This means that all encrypted files must be decrypted before being read. With those 2 facts in mind, here's how full-disk encryption on computers works:

     1. The entire disk is encrypted, including the operating system (OS).
     2. At some point in the boot process, the bootloader (a small operating system that loads the requested OS into RAM and then hands off operation of the machine to it) realizes the disk the OS is on is encrypted, and requests the encryption key so it can start the OS.
     3. The encryption key is provided in one of multiple ways depending on your config. We'll come back to this point later.
     4. Now, this is the crucial part: the encryption key does not decrypt the entire disk at once. Rather, it decrypts data that is read from the disk in real time and in memory so that the CPU can perform operations on it. All the data on the disk is still encrypted.
     5. Similarly, all data the OS writes to disk is encrypted in memory before it's written to the disk. This includes data synced to Resilio folders on that disk.

     In other words, everything on the disk is always encrypted, regardless of machine state.

     Now, back to point 3. The key can be stored:

     • internally, on the computer itself, typically in a hardware component that we'll call an enclave for the sake of convenience
     • externally. In this case, the key is provided by the user in the form of a password, biometrics, smart card, USB key, FIDO key, etc.

     Internal

     Pros:
     • Convenient: the machine can be restarted and booted up without the user being present. This is good for unattended updates and patching.

     Cons:
     • Because the encryption key is stored onboard, eventually at some point someone will discover an unpatchable vulnerability that can be used to extract it. You can avoid this by upgrading to a newer machine (security isn't inexpensive.)
     • Enclave support in non-Windows OSes is hit or miss. Windows and macOS have the best implementations of this.

     External

     Pros:
     • Since the key is stored elsewhere, it can be more difficult to crack than internal methods, especially if you use a FIDO 2FA token, for example.

     Cons:
     • The key has to be manually provided, which means the OS can't automatically complete a reboot and remote reboots are (mostly) impossible.
     • The OS can't effectively (kernel) patch itself. There are ways around this but they're not inexpensive.

     Most OSes are on approximately equal footing here. It's gonna be easier on Windows and macOS but still possible otherwise.

     Now to something I forgot to talk about previously: the actual backup part of your strategy. You'll need to make backups of the synced files on the target devices, preferably to a separate disk. While that disk may be encrypted, it doesn't necessarily have to be, because Veeam Agent Free (Windows) and Restic (everything else) both allow encrypted backups.

     Another way

     Another way around this is to use Restic or Duplicati on one of your local machines (you only need one because they're all synced) + OpenVPN or WireGuard from the remote backup targets. Have the backup targets all connect to your LAN automatically via OpenVPN or WireGuard, then use Restic (which encrypts backups by default) or Duplicati (same) to push backups to the remote targets. Since the backups are encrypted with a locally stored key, you don't have to encrypt the targets, and your backups are both secure and unreadable by anyone without the password. This also eliminates the need for an extra disk at the target. You'll need to set up dynamic DNS on your local LAN so your remote targets always connect to the same URL. Set up unattended-upgrades on the remote Pis so they can keep themselves secure and updated.

     Much of this method is outside the scope of this forum as it doesn't involve Resilio Sync; I'd ask at r/OpenVPN, r/homelab, r/datahoarder, &/or r/raspberry_pi on Reddit if you have further questions.

     ______________________________________________________

     I know this is a lot to absorb at once, so don't be disappointed or overwhelmed if you don't understand it right away. None of this is easy. If you want to use Raspberry Pis, the "Another way" method might be the easiest, since Pis weren't designed with device security in mind and I don't think they support disk encryption very well. If you want the targets themselves to be disk-encrypted then you need recent x86-64 PCs.
  3. The biggest problem with your idea is that sync != backup. While you can certainly use Resilio Sync, you'll need something else at the backup locations too. Not necessary. All you need is whole disk (or volume) encryption on the target device. This will render the entire device unreadable without your credentials. It's essential that you do this, because your friends and family are legally responsible for any data physically located in their homes. This means that if the data is readable, you open them to legal risks. No computing system is 100% deploy and forget. Also, I'm not so sure about Pis and encrypted disk/volume support. A better option might be lightly used enterprise PCs such as any of these that fit these specs. Then you could install either Linux with disk/volume encryption + unattended upgrades or Windows 10 with Bitlocker (you'll need a PC with a TPM for this) and automatic updates enabled. Throw in TeamViewer and you can manage them remotely as needed.
  4. It's standard Unix(-like) practice not to, but TBH I haven't seen any major case of compromised root process KOing a Unix(-like) OS in a very long time. The biggest reason not to, IMO, is that rslsync as root makes the user's own synced files read-only to them, which is problematic.
  5. I wrote a simple guide on how to do the above. It works on FuryBSD too and can also be used to switch an installation from being run under root to being run under user without reinstalling. For distributions such as GhostBSD that have an rslsync package available in their repos: the only thing in the instructions that might change is you install & update from the repo using your package manager instead of manually from the archive. Thanks @Alex. for the assistance.
  6. Good news: it worked! Bad news: I missed a step. You also have to change ownership and permissions on the .sync folder copy so your user account can read it and its contents. Otherwise you'll get a permissions error.
  7. I'm currently running Resilio Sync as root on FreeBSD (don't be put off by the OS; I suspect anything that works on Linux will work on FreeBSD too as long as the appropriate equivalent commands are used.) I'd like to get it running under my username instead of root. How do I do this without having to set up Sync from scratch again? I suspect I'd have to move the .sync folder from its current location in /bin to somewhere it can be read without superuser permissions, e.g. /usr/home/myusername/, and then I'd also have to change permissions on the files and folders that synced as root. I'd probably also have to create a .conf file, save it somewhere it can be read without root, and use it to point to the .sync folder's new location. Does that sound right? Any other ideas?
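The root-to-user migration asked about in post 7, including the ownership fix on the .sync copy that posts 5 and 6 confirm, as a POSIX shell function; this is an added example, not code from the thread or from Resilio. Source and destination paths, user, group and the WebUI listen address are placeholders; the JSON keys follow Resilio Sync's documented sync.conf format, with storage_path being the key that points rslsync at the relocated state folder.

```shell
#!/bin/sh
# Added example, not from the forum thread. Moves an rslsync state folder that
# was created while running as root to an unprivileged user's home, fixes
# ownership so the user (not root) owns the synced state, and writes a config
# whose storage_path points at the new location. Run once, as root, with the
# daemon stopped; afterwards start rslsync as the user with --config "$conf".
# Paths, user, group and listen address below are placeholders.
set -eu

migrate_sync_state() {
  src="$1"    # e.g. /bin/.sync, root-owned
  dst="$2"    # e.g. /usr/home/myusername/.sync
  user="$3"   # account that will run rslsync from now on
  group="$4"
  conf="$5"   # e.g. /usr/home/myusername/sync.conf

  [ -d "$src" ] || { echo "state folder not found: $src" >&2; return 1; }
  [ -e "$dst" ] && { echo "refusing to overwrite: $dst" >&2; return 1; }

  mkdir -p "$(dirname "$dst")"
  cp -Rp "$src" "$dst"                 # copy, preserving timestamps and modes
  chown -R "$user:$group" "$dst"       # state is now owned by the user
  chmod -R u+rwX,go-rwx "$dst"         # and readable only by that user

  # Minimal config: storage_path is the setting the post is asking about.
  cat > "$conf" <<EOF
{
  "device_name": "$(uname -n)",
  "storage_path": "$dst",
  "webui": { "listen": "127.0.0.1:8888" }
}
EOF
  chown "$user:$group" "$conf"
  chmod 600 "$conf"
}

# Reports whether every entry under a path is owned by the given user
# (the check post 6 says is needed on the .sync copy and its contents).
all_owned_by() {
  find "$1" ! -user "$2" | grep -q . && return 1
  return 0
}

# Example invocation (placeholders):
# migrate_sync_state /bin/.sync /usr/home/myusername/.sync myusername myusername /usr/home/myusername/sync.conf
# all_owned_by /usr/home/myusername/.sync myusername && echo "ownership OK"
```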
  8. Probably is. Usually all you have to do is manually change the version references in it. Updated to the latest build across 5 Windows 10 machines with no issues, BTW. Great job, devs.
  9. New build dropped today, everyone: Thanks to the Resilio team
  10. So I recall you posting about this and didn't have anything to offer since I don't use macOS. But while evaluating backup solutions for FreeBSD, I did come across this support note from urBackup (emphasis mine): So basically it seems macOS has crippled root filesystem access. One thing you could try is creating a group in macOS, applying read, write, and execute permissions for that group to the folders Resilio Sync touches, and then adding the users whose directories Sync has access to, as well as the rslsync user, to that group. I have no idea how that would work, and *nix group permissions tend to be screwy, but there's that. Let us know how it goes. BTW I suppose the rest of us will be facing a similar problem when Scoped Storage becomes mandatory in Android 11. Just about every app that touches the Android filesystem will have to be updated for it.
  11. The forum literally got updated since this thread started. That said, I don't think they have a lot of manpower. Headcount is pretty small for a product that effectively competes with Dropbox, OneDrive, etc. and has far wider platform support. I think the reason I'm not too worried is my Pro license is lifetime free because I helped beta test during the app -> service transition back in the day. If I were a paying customer hell yeah I'd be mad at service tickets not being replied to. So I can certainly see where some of you are coming from.
  12. I mean, of course. As I said in my 2nd reply on this thread, it's super weird to call a project with a software release within the last calendar year dead without an official announcement. But some folks enjoy panicking 😛 🤷‍♂️
  13. ... they have 31 employees listed on LinkedIn, including developers. I'm not sure what's going on, either, but if we assume whatever has resulted in the current situation started when forum mods stopped posting here months ago, then it's reasonable to assume all the developers should have been gone by now. They aren't. Well, I just noticed a "Quote selection" feature and the ability to move quotes on the forum that I haven't seen previously, so it looks like maintenance is still being done. The worst case scenario would be Pro and above licenses suddenly failing to validate, thereby crippling the product overnight (even if technically it's still functional.) Personally I'd have no choice but to move to SyncThing 🤮🤮🤮 at that point. I kinda doubt that happens without warning, though. If it actually is abandoned but the licenses keep working, then it'll just keep working until underlying OS changes prevent it from doing so. For example, if they don't update the app to support Scoped Storage (mandatory in Android R) then it'll definitely stop working on Android. In fact, if you use Android I'd call Scoped Storage the biggest threat to P2P workflows. Bigger than Resilio Sync going under.
  14. RomanZ was an actual employee? I always thought the forum folks were just mods with insider connections (such as the ability to view tickets.) Never got the impression they were internal employees. My bad.