Mr Fethersmith

Deploy and forget? Resilio distributed


Hello there,

I started using Resilio for my personal files. In order to make my files better available by distributing the load and making the system more fail-safe, I wanted to set up "a few" (maybe just 2 or 3) Raspberry Pis, each with an HDD, at friends' and family's homes.

And since I would place very personal files at people's homes over which I don't have much control, I wondered if there is a way of installing a Linux distro (or FreeBSD) that would encrypt files on write (even non-encrypted Resilio folders).

Because of course my sensitive files are in encrypted Resilio folders, but other folders still contain files that COULD be sensitive in some context. And if my mom were to carelessly throw away an HDD, I would be assured that nothing leaks.

So my question is: Does someone have experience setting up Resilio with an encrypt-on-write Linux distro so that one can "deploy and forget" Resilio instances?


The biggest problem with your idea is that sync != backup. While you can certainly use Resilio Sync, you'll need something else at the backup locations too.

Quote

if there is a way of installing a linux distro (or freebsd) that would encrypt files on write (even non-encrypted resilio folders).

Not necessary. All you need is whole disk (or volume) encryption on the target device. This will render the entire device unreadable without your credentials. It's essential that you do this, because your friends and family are legally responsible for any data physically located in their homes. This means that if the data is readable, you open them to legal risks.

Quote

one can "deploy and forget" resilio instances?

No computing system is 100% deploy and forget. Also, I'm not so sure about Pis and encrypted disk/volume support. A better option might be lightly used enterprise PCs such as any of these that fit these specs. Then you could install either Linux with disk/volume encryption + unattended-upgrades, or Windows 10 with BitLocker (you'll need a PC with a TPM for this) and automatic updates enabled. Throw in TeamViewer and you can manage them remotely as needed.


Thank you @jdrch that was a very fine and helpful solution.

I know it is not a backup; I would do this from my little server setup. (I was already doing this with my Seafile setup, which I want to replace with this one.)

Okay, good point about just using full disk encryption; gotta finally look into LUKS, I guess. But even then, the disk is only encrypted or decrypted after mounting/unmounting, right? So a running system has decrypted its disk already and the files are thus accessible. It is not encrypt-on-write, is it? (Maybe that does not even exist, sorry for my newbieness.)


Yw!

Seafile is worse than Resilio Sync in every way IMO, but use what works best for you.

8 hours ago, Mr Fethersmith said:

So a running system has decrypted its disk already and the files are thus accessible. It is not encrypt-on-write, is it? (Maybe that does not even exist, sorry for my newbieness.)

Encrypted data is impossible to interpret without decryption. This means that all encrypted files must be decrypted before being read. With those 2 facts in mind, here's how full-disk encryption on computers works:

  1. The entire disk is encrypted, including the operating system (OS)
  2. At some point in the boot process, the bootloader (a small operating system that loads the requested OS into RAM and then hands off operation of the machine to it) realizes the disk the OS is on is encrypted, and requests the encryption key so it can start the OS
  3. The encryption key is provided in one of multiple ways depending on your config. We'll come back to this point later
  4. Now, this is the crucial part: the encryption key does not decrypt the entire disk at once. Rather, it decrypts data that is read from the disk in real-time and in memory so that the CPU can perform operations on it. All the data on the disk is still encrypted
  5. Similarly, all data the OS writes to disk is encrypted in memory before it's written to the disk. This includes data synced to Resilio folders on that disk.

In other words, everything on the disk is always encrypted, regardless of machine state.

Now, back to point 3. The key can be stored:

  1. internally on the computer itself, typically in a hardware component that we'll call an enclave for the sake of convenience
  2. externally. In this case, the key is provided by the user in the form of a password, biometrics, smart card, USB key, FIDO key, etc.

Internal

Pros:

  1. Convenient: machine can be restarted and booted up without the user being present. This is good for unattended updates and patching

Cons:

  1. Because the encryption key is stored onboard, eventually at some point someone will discover an unpatchable vulnerability that can be used to extract it. You can avoid this by upgrading to a newer machine (security isn't inexpensive.)
  2. Enclave support in non-Windows OSes is hit or miss

Windows and macOS have the best implementations of this.

External

Pros:

  1. Since the key is stored elsewhere, it can be more difficult to crack than internal methods, especially if you use a FIDO 2FA token, for example

Cons:

  1. Key has to be manually provided, which means the OS can't automatically complete a reboot and remote reboots are (mostly) impossible. The OS can't effectively (kernel) patch itself. There are ways around this, but they're not inexpensive.

Most OSes are on approximately equal footing here. It's gonna be easier on Windows and macOS but still possible otherwise.

Now to something I forgot to talk about previously: the actual backup part of your strategy.

You'll need to make backups of the synced files on the target devices, preferably to a separate disk. While that disk may be encrypted, it doesn't necessarily have to be, because Veeam Agent Free (Windows) and Restic (everything else) both allow encrypted backups.

Another way

Another way around this is to use Restic or Duplicati on one of your local machines (you only need one because they're all synced) + OpenVPN or WireGuard from the remote backup targets. Have the backup targets all connect to your LAN automatically via OpenVPN or WireGuard, then use Restic (which encrypts backups by default) or Duplicati (same) to push backups to the remote targets. Since the backups are encrypted with a locally stored key, you don't have to encrypt the targets, and your backups are both secure and unreadable by anyone without the password. This also eliminates the need for an extra disk at the target. You'll need to set up dynamic DNS on your local LAN so your remote targets always connect to the same URL. Set up unattended-upgrades on the remote Pis so they can keep themselves secure and updated.

Much of this method is outside the scope of this forum as it doesn't involve Resilio Sync; I'd ask at r/OpenVPN, r/homelab, r/datahoarder, &/or r/raspberry_pi on Reddit if you have further questions.

______________________________________________________

I know this is a lot to absorb at once, so don't be disappointed or overwhelmed if you don't understand it right away. None of this is easy. If you want to use Raspberry Pis, the "Another way" method might be the easiest, since Pis weren't designed with device security in mind and I don't think they support disk encryption very well. If you want the targets themselves to be disk-encrypted, then you need recent x86-64 PCs.

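The reply above describes full-disk encryption as a layer that encrypts every sector on write and decrypts it into RAM on read, with a passphrase-derived key that is forgotten when the mapping is closed. The following is an added example written for this page, not code from the forum post, Resilio, or LUKS: a miniature in-memory model of that layer, so the "is it encrypt-on-write?" question from the earlier post can be answered by inspecting the raw disk bytes. The cipher is HMAC-SHA256 run as a per-sector counter-mode keystream, chosen only because it needs nothing outside the Python standard library; real disk encryption uses AES-XTS (the LUKS default) precisely because a counter-mode keystream is reused if a sector is rewritten, which this toy does not guard against. The header layout (salt plus key check value) and the `RawDisk`/`Mapping` names are this example's own assumptions, loosely modelled on how a LUKS header and `/dev/mapper/<name>` relate.

```python
import hashlib
import hmac
import os

SECTOR = 512  # bytes per sector, like a real block device
# scrypt cost parameters, kept small so the demo runs in well under a second
PBKDF_N, PBKDF_R, PBKDF_P = 2 ** 14, 8, 1


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Passphrase -> 32-byte volume key. LUKS does the same job with
    PBKDF2 or argon2id; scrypt is used here because it is in hashlib."""
    return hashlib.scrypt(passphrase, salt=salt, n=PBKDF_N, r=PBKDF_R,
                          p=PBKDF_P, dklen=32)


def _keystream(key: bytes, sector: int, length: int) -> bytes:
    """Keystream for one sector from a keyed PRF; the sector number acts
    as the IV, so every sector encrypts differently under the same key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RawDisk:
    """The physical HDD: an unencrypted header (salt + key check value,
    as in a LUKS header) followed by ciphertext sectors. This is all a
    thief, or a discarded drive, ever exposes."""

    def __init__(self, sectors: int, passphrase: bytes):
        # "luksFormat": pick a salt and record a check value for the key
        self.salt = os.urandom(16)
        key = derive_key(passphrase, self.salt)
        self.key_check = hmac.new(key, b"volume-key-check", hashlib.sha256).digest()
        # Constructed backing store; starts zeroed for simplicity
        self.data = bytearray(sectors * SECTOR)

    def unlock(self, passphrase: bytes) -> "Mapping":
        """'cryptsetup open': derive the key and verify it before exposing
        a decrypted view. A wrong passphrase fails here, not as garbage."""
        key = derive_key(passphrase, self.salt)
        check = hmac.new(key, b"volume-key-check", hashlib.sha256).digest()
        if not hmac.compare_digest(check, self.key_check):
            raise ValueError("wrong passphrase")
        return Mapping(self, key)


class Mapping:
    """The decrypted view (/dev/mapper/<name>). It exists only while the
    volume key is in RAM; the RawDisk underneath never holds plaintext."""

    def __init__(self, disk: RawDisk, key: bytes):
        self._disk, self._key = disk, key

    def write(self, sector: int, plaintext: bytes) -> None:
        assert self._key is not None, "mapping is closed"
        block = plaintext.ljust(SECTOR, b"\0")[:SECTOR]
        # encrypt-on-write: only ciphertext reaches the disk buffer
        ciphertext = _xor(block, _keystream(self._key, sector, SECTOR))
        off = sector * SECTOR
        self._disk.data[off:off + SECTOR] = ciphertext

    def read(self, sector: int) -> bytes:
        assert self._key is not None, "mapping is closed"
        off = sector * SECTOR
        ciphertext = bytes(self._disk.data[off:off + SECTOR])
        # decrypt-on-read: plaintext exists only in this returned buffer
        return _xor(ciphertext, _keystream(self._key, sector, SECTOR))

    def close(self) -> None:
        """'cryptsetup close': forget the key; the disk is opaque again."""
        self._key = None


def demo(passphrase: bytes = b"correct horse", note: bytes = b"tax return 2019") -> dict:
    """Walk through format, unlock, write, read, close, and a wrong-passphrase
    attempt; returns the facts the forum reply asserts so they can be checked."""
    disk = RawDisk(sectors=8, passphrase=passphrase)
    mapping = disk.unlock(passphrase)
    mapping.write(3, note)
    read_back = mapping.read(3).rstrip(b"\0")
    mapping.close()
    try:
        disk.unlock(b"wrong " + passphrase)
        wrong_pw_opens = True
    except ValueError:
        wrong_pw_opens = False
    return {
        "read_back_ok": read_back == note,
        "plaintext_on_disk": note in bytes(disk.data),  # what a thrown-away HDD leaks
        "wrong_pw_opens": wrong_pw_opens,
        "reopen_ok": disk.unlock(passphrase).read(3).rstrip(b"\0") == note,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the two facts the reply makes: the plaintext never appears in `disk.data` at any point, even while the mapping is open, and after `close()` nothing can be read without re-deriving the key from the passphrase. Moving the key from a passphrase to a TPM-sealed blob (the "internal" option) changes only how `unlock()` obtains `key`; the on-disk picture is identical.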

Thank you @jdrch that was a very fine explainer!

That comment against Seafile was unnecessary though. It is a completely different thing and works very well. And having the possibility of WebDAV access to your folders if you want to sync with apps on tablets, phones, etc. is a killer feature, which I am missing here.


Seafile has a completely different concept: it is not peer-to-peer based, but server-oriented. It works exactly like ownCloud or Nextcloud and is simply addressed externally via an http or https address.

I use ownCloud in parallel with Resilio because I am often on restrictive company networks, from which it is usually not possible to contact other Resilio peers. The http/https connection has great advantages.

At this point, Syncthing has expanded its features as a P2P software alternative so that a connection is also possible via http/https or ports 80/443. That is why I also work with Syncthing in parallel and sometimes have links with Resilio. I have not used ownCloud or Nextcloud for some time.
