willjasen Posted January 1, 2015

In the marketing of BitTorrent Sync, I detect a shyness away from the cloud, but if Sync is as secure as it claims, utilizing the cloud with Sync shouldn't be a security issue and should provide extra benefits.

Enter rainstash, an open source Amazon CloudFormation template to deploy an instance of the latest version of Sync in the Amazon cloud with very little effort. With security in mind, only necessary network services are made available, web traffic is forced to be HTTPS (though the self-signed certificate doesn't validate, but that's expected), and a separate disk volume that is encrypted with cryptsetup is used to store Sync data.

The upsides? Deploy one instance in the east region and one in the west region for better redundancy, or better yet, deploy five in each and two in Ireland! (I don't know why Ireland; the point is, it's easy to do!)

The downsides? It still costs to run an Amazon instance, and the cheapest currently - t2.micro - plus data transfer costs is still around $10 to $15 per month per instance running 24/7 for an average use case.

Please feel free to provide questions, comments, and improvements!

https://github.com/willjasen/rainstash
aaronliao Posted January 2, 2015

Hey willjasen,

Cool project! You're right about the cloud "shyness" - the entire premise of Sync is that your data moves from device to device without a required stop in the cloud, thereby eliminating a third location where an attacker could potentially compromise your data (while also eliminating the bandwidth hit as well as cost). With cloud storage, the security of Sync wouldn't really be the issue - the introduction of 3rd party storage would now be the weakest link. I'm not saying that AWS is weak or easy to compromise by any stroke of imagination, just that now your data sits somewhere else - a place with traditional login credentials... Some food for thought.

That said, I'm thrilled to see the work you've done on rainstash - this looks like a great tool for folks looking to use Sync with AWS - looking forward to seeing your progress on rainstash!

aaron
willjasen (Author) Posted January 3, 2015

All communication with a rainstash instance is encrypted. Of course, Sync itself communicates securely. The only other processes accessible are SSH and HTTPS, both of which are encrypted. SSH uses an industry minimum standard 2048-bit key per how Amazon creates key pairs. The Sync web interface has been configured to use a 4096-bit key for extra security. It is also recommended that SSH and HTTPS are only available from a trusted IP, minimizing potential abuses.

For storage, rainstash uses cryptsetup to create a fully encrypted volume on /dev/xvdf, where the Sync app, synced folders, and Sync's configuration, including the HTTPS public/private key pair, reside so that data is never stored on Amazon's storage in the clear.

The only security issue that I can think of as of yet is that the disk encryption password resides in clear text in the RAM allocated to the instance upon its creation and while it is running. It may be possible to retrieve the key while the instance is running through really complicated means like a cold boot attack, but I see the chance in this case as extremely slim - see http://en.wikipedia.org/wiki/Cold_boot_attack

As an aside, I'm glad to hear someone finds rainstash interesting and potentially useful!
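The restriction the post recommends, admitting SSH and HTTPS only from a trusted address range, as an added example that is not part of this thread or of the rainstash template: a small Python helper that emits a CloudFormation `AWS::EC2::SecurityGroup` resource with exactly those two ingress rules and lints any such resource for rules that are open to the whole internet or that admit ports beyond 22 and 443. The function names and the sample address ranges are assumptions made for the example; the resource keys (`IpProtocol`, `FromPort`, `ToPort`, `CidrIp`, `SecurityGroupIngress`) are CloudFormation's own.

```python
"""Build and lint a rainstash-style security group (added example, not
rainstash's own code). Only SSH and HTTPS are admitted, and only from the
trusted range the post recommends."""
import ipaddress
import json

SSH_PORT = 22
HTTPS_PORT = 443
ALLOWED_PORTS = {SSH_PORT, HTTPS_PORT}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # "anyone" ranges the lint flags


def ingress_rule(port, cidr, protocol="tcp"):
    """One entry for SecurityGroupIngress, using CloudFormation's real keys."""
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port, "CidrIp": cidr}


def build_security_group(trusted_cidr):
    """Return a security group resource admitting only SSH and HTTPS from
    trusted_cidr. The range is parsed strictly, so a typo such as
    '10.0.0.1/0' raises ValueError instead of silently opening the world."""
    net = ipaddress.ip_network(trusted_cidr, strict=True)
    cidr = str(net)  # a bare address becomes a /32 (or /128) host route
    return {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "SSH and HTTPS from a trusted range only",
            "SecurityGroupIngress": [
                ingress_rule(SSH_PORT, cidr),
                ingress_rule(HTTPS_PORT, cidr),
            ],
        },
    }


def lint_ingress(resource):
    """Return human-readable findings for ingress rules that expose the
    admin services to the world or that admit anything beyond SSH/HTTPS."""
    findings = []
    for rule in resource["Properties"]["SecurityGroupIngress"]:
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        lo, hi = rule["FromPort"], rule["ToPort"]
        if cidr in WORLD_CIDRS:
            findings.append(f"ports {lo}-{hi} open to the world ({cidr})")
        # A rule is acceptable only if it is a single port and that port
        # is one of the two services the post exposes.
        if not (lo == hi and lo in ALLOWED_PORTS):
            findings.append(f"ports {lo}-{hi} go beyond SSH/HTTPS")
    return findings


if __name__ == "__main__":
    # Constructed sample: an operator's office address, not a real rainstash value.
    sg = build_security_group("203.0.113.5")
    print(json.dumps(sg, indent=2))
    print("findings:", lint_ingress(sg))
```

Running the module prints the generated resource and an empty findings list; feeding `lint_ingress` a resource that uses `0.0.0.0/0` or a wide port range reports each offending rule, which is the check to run before a template like this is deployed.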
willjasen (Author) Posted March 3, 2020

It's been a while since I've posted, but I believe the latest updates I've made to rainstash make it as secure as it can be. The template now only accepts encrypted folder keys by default, and still stores this data on an encrypted volume.

Still free to good homes! https://github.com/willjasen/rainstash