willjasen

Sync In The Cloud

Recommended Posts

In the marketing of BitTorrent Sync, I detect a shyness away from the cloud, but if Sync is as secure as it claims, utilizing the cloud with Sync shouldn't be a security issue and should provide extra benefits.

Enter rainstash, an open source Amazon CloudFormation template to deploy an instance of the latest version of Sync in the Amazon cloud with very little effort. With security in mind, only necessary network services are made available, web traffic is forced to be https (though the self signed certificate doesn't validate, but that's expected), and a separate disk volume that is encrypted with cryptsetup is used to store Sync data.

The upsides? Deploy one instance in the east region and one in the west region for better redundancy, or better yet, deploy five in each and two in Ireland! (I don't know why Ireland, the point is, it's easy to do!)

The downsides? It still costs to run an Amazon instance, and the cheapest currently - t2.micro - plus data transfer costs is still around $10 to $15 per month per instance running 24/7 for an average use case.

Please feel free to provide questions, comments, and improvements!

https://github.com/willjasen/rainstash

Share this post


Link to post
Share on other sites

Hey willjasen,

 

Cool project!  You're right about the cloud "shyness" - the entire premise of Sync is that your data moves from device to device without a required stop in the cloud, thereby eliminating a third location where an attacker could potentially compromise your data (while also eliminating the bandwidth hit as well as cost).  With cloud storage, the security of Sync wouldn't really be the issue - the introduction of 3rd party storage would now be the weakest link.  I'm not saying that AWS is weak or easy to compromise by any stroke of imagination, just that now your data sits somewhere else - a place with traditional login credentials...Some food for thought :)

 

That said, I'm thrilled to see the work you've done on rainstash - this looks like a great tool for folks looking to use Sync with AWS - looking forward to seeing your progress on rainstash!

 

aaron

Share this post


Link to post
Share on other sites

All communication with a rainstash instance is encrypted. Of course, Sync itself communicates securely. The only other processes accessible are SSH and HTTPS, both of which are encrypted. SSH uses an industry minimum standard 2048-bit key per how Amazon creates key pairs. The Sync web interface has been configured to use a 4096-bit key for extra security. It is also recommended that SSH and HTTPS is only available from a trusted IP, minimizing potential abuses.

 

For storage, rainstash uses cryptsetup to create a fully encrypted volume on /dev/xvdf, where the Sync app, synced folders, and Sync's configuration, including the HTTPS public/private key pair, resides so that data is never stored on Amazon’s storage in the clear.

 

The only security issue that I can think as of yet is that the disk encryption password resides in clear text in the RAM allocated to the instance upon its creation and while it is running. It may be possible to retrieve the key while the instance is running through really complicated means like a cold boot attack, but I see the chance in this case as extremely slim - see http://en.wikipedia.org/wiki/Cold_boot_attack

 

As an aside, I’m glad to hear someone finds rainstash interesting and potentially useful!

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.