Non-decrypting Secret?



Hey, I'm interested in trying to develop some sort of rudimentary encrypted backup system for myself using BT Sync. I'd like to host a Sync node for myself in the cloud--someplace where I can have better uptime, stability, and data redundancy than on any of my few client nodes. But, being security-minded, I don't see any reason to allow this node to decrypt my data.

Is there any way I can use BT Sync to create such a non-decrypting node?

If not, is decryption necessary to perform properly as a node in a BT Sync network? i.e. do I have to trust all of my nodes in order to use BT Sync?


Thanks for the information, as well as your suggestion. I will probably use some sort of client-side encryption along the same lines.

The encfs --reverse sounds like a good solution for a one-way backup, but I'm curious as to how it will handle the "Sync" scenario--where changes may originate from an external node and must be replicated on the local (encrypted) filesystem.


The encfs --reverse sounds like a good solution for a one-way backup, but I'm curious as to how it will handle the "Sync" scenario--where changes may originate from an external node and must be replicated on the local (encrypted) filesystem.

Not at all, AIUI; the --reverse filesystem is read-only.

But if the local filesystem is to be encrypted by encfs you should use encfs the right way up.

PS: I should probably elaborate on the problem with writing to encfs --reverse; it's not a problem with encfs, it's working properly and you can write a correctly encrypted file to the filesystem. It's a problem with BTSync in that it doesn't have a way of dumping its temp files into some proper temp directory. For example, to use this with rsync you need to tell it to put its temp files outside the encfs-reverse filesystem with the "-T" option. Other tools have similar options, but with BTSync your only option is to use BTSync on one copy and use another sync tool to put the data through encfs-reverse. This obviously means that BTSync takes a LOT of temp space and will probably cause "filename too long" errors at some point.
