Zachariah

  1. I recently created several test encrypted folders on multiple hosts, with and without firewalls enabled, all on a local LAN with many other existing shared folders working and finding peers just fine on Resilio Sync. The encrypted folders failed to ever find a peer when sharing the encrypted key, but would find the peers just fine with the read-only and read/write keys.

     For security, I had set up the hosts with ONLY DHE-PSK-AES256-GCM-SHA384 as a tunnel cipher in the power user preferences: tunnel_ciphers settings, as I do not require (nor want the option of) falling back to older clients or older protocols. Resilio says it uses this AES256 cipher by default on Resilio Connect v2.7.2 or newer clients anyway.

     What I found is that I had to re-enable the SYNC-SRP (Secure Remote Password) protocol in order for the hosts to find any peers. I'm wondering if this is a bug, or because the files aren't encrypted over the tunnel (because they're already encrypted as files) when using the encrypted folders feature. If that is the case, and SYNC-SRP is enough for these files, then I don't think I like the behavior of globally allowing SYNC-SRP as a fallback available to AES256. I'd much prefer the added CPU load of double-encryption, if that's what would indeed happen if the tunnel cipher was AES256 while sharing encrypted folders.

     Can anyone from Resilio comment on this? The official security hardening guide from Resilio ("Best practices: maxing out Resilio Connect security") recommends only allowing DHE-PSK-AES256-GCM-SHA384 as a tunnel cipher, so I'm assuming there's a good reason for that, and would prefer not to unharden the whole sync system just to enable encrypted folders.

     Thanks in advance for any help! ~Z