Considerations for file encryption


I am trying to get my head around a clean and secure setup for my data store.
Currently I have NC running in Docker on a Raspi on Raspbian Jessie. There is no proper data directory yet, but I just bought the hardware.

My current plan is- have my clients store their files in NC and have the NC Server do regular backups on Amazon Cloud drive. As they now offer unlimited storage this seems a good idea. But obviously I don’t want to store them unencrypted neither on Amazon nor locally.

NC offer server side encryption but in my eyes this seems to be fairly easy to bypass. It may be that I don’t know enough about the mechanism, but AFAIK you can decrypt all files once you get your hands on the physical server. Also an overhead of 35% on filesize is not so appealing.

My second idea was to use EncFS to create a locked fuse file system that I would easily be able to back up on Amazon. But EncFS is only available in the insecure 1.7.4 for Rasbian in the Repo. and also seems to be a bitch to compile.

EcryptFS seems currently the way to go. But I need to provide the password on each reboot. Might be the only way without storing the secret locally, yet - is there maybe an Idea I didn’t come across yet?

On you local system, it’s not recommended to use encryption. You have a few options, but did you consider just to encrypt your backup? duplicate provides such an option, but you can as well mount the backup storage into your filesystem and use EncFS, use containers, …

I have the same problem, want to backup my data to Amazon but don’t want to encrypt my local data.

Is there an easy way to mount Amazon drive into local file system?

I would be affraid of FS encrypting abilities of RPi…

Did you have a look at duplicate? It can push encrypted backups to various servers (your local files are not encrypted). I found it a bit tricky to mount encrypted images via network devices, you should implement a solid error reporting into your backup script. And the RPi is not the most powerful device, so carefully check with memory consumption …

What do you mean with duplicate?

Sorry, it’s called duplicity: