On the fly encryption in jail like encfs --reverse

Status
Not open for further replies.

g3rt

Cadet
Joined
Mar 20, 2018
Messages
7
I want to be able to easily upload/sync data stored unencrypted locally to offsite backup providers, syncing services etc. in encrypted form. I don't want the files encrypted on disk locally, or to have them double-encrypted if the disks are encrypted using GELI. The main reason is compatibility with other devices accessing the files, but the performance overhead on my age-old decommissioned servers gotten for free is a real concern as well. In Linux (and FreeBSD outside of jails), the easiest way to do this is to use encfs --reverse or gocryptfs, which offers a similar option. However, using fuse in jails is not possible. So that option is off the table. So as far as I know, fuse-based solutions are not an option here.

Is there another possible way to achieve this pretty seamlessly, without using fuse? By pretty seamlessly, I mean able to autostart with FreeNAS/the jail. I checked out rclone, but it currently does not work with my backup service (Jottacloud) when using 2FA. Also, while it would suffice for my backup, it's not really a solution for syncing, as compatibility with other devices would be pretty non-existent. I don't care nearly as much for encrypted syncing as for encrypted backups though. The latter is important, the former merely nice to have.

edit: Edited to strike out offensive content.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
Instead of saying what is off the table, why don't you ask questions and get suggestions. You might actually learn something from people that know.
 

g3rt

Cadet
Joined
Mar 20, 2018
Messages
7
If anyone has a suggestion on how to use fuse inside of a jail, it's not like I'm going to reply "THATS OFF THE TABLE!". However, I find that telling what you have tried already, that failed, is information that helps people understand what you want to achieve, what you have tried, and what to suggest.

I have never before seen anyone be offended by the term "off the table", and sincerely believe the people that know would not be so affronted that they would choose not to share their wisdom regarding using fuse in jails or other possible solutions.

Nevertheless, I thank you for your input (even off topic as it is) and shall include "off the table" on my list called "Phrases that for no reason whatsoever might affront some people".
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
I use GNU gpg for my much smaller off-site backups. Basically I create a TAR file of selected entries in my home directory (writings, scripts, source code, etc.), then GZIP it to the max. Last, I then use GNU gpg to encrypt it. All 3 programs (TAR, GZIP and GNU gpg) support pipelines, though this backup is small enough that I haven't bothered. (Though writing this down made me update my backup script :smile:.)

So in theory, you can use something like this:

cd /mnt
tar cvf - POOL_NAME | \
gzip -9cv | \
gpg --verbose --encrypt --recipient MY_ENCRYPT_KEY | \
ssh MY_REMOTE_HOST dd of=./MY_BACKUP_FILE.tar.gz.gpg


In my use case, using TAR, GZIP and GNU gpg allows me a bit more flexibility in performing the restores. Practically anything can be used, from Linux, MS-Windows and Android, to restore files.

Note: If you use a program that requires both key(s) and passphrase, make sure you have a copy of your key(s) available. My remote host is a VM which I control, so I simply copied the GNU gpg keys to it (but not the passphrase).
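
Added example, not part of Arwen's post: the same tar, gzip and gpg pipeline wrapped in shell functions, with a restore-side check that the encrypted file decrypts and lists the same paths as the source tree. Function names, paths and the recipient are hypothetical; encryption needs only the public key, while the check needs the private key and so runs wherever that key is kept.

```sh
#!/bin/sh
# Added example, not code from the thread. Function names, paths and the
# recipient are hypothetical placeholders.

# Enable pipefail where the shell supports it, so that a failing tar or gzip
# is not hidden by a later pipeline stage that exits 0.
(set -o pipefail) 2>/dev/null && set -o pipefail

# backup_stream PARENT NAME RECIPIENT
# Writes a compressed, encrypted archive of PARENT/NAME to stdout, ready to be
# redirected to a file or piped to an uploader. Only the recipient's public
# key has to be present on the machine being backed up.
backup_stream() {
    tar -C "$1" -cf - "$2" |
        gzip -9c |
        gpg --batch --encrypt --recipient "$3"
}

# list_backup FILE
# Decrypts FILE (needs the private key) and prints the archived paths.
list_backup() {
    gpg --batch --quiet --decrypt "$1" | gzip -dc | tar -tf -
}

# verify_backup PARENT NAME FILE
# Returns 0 only if FILE decrypts cleanly and contains exactly the paths that
# a fresh archive of PARENT/NAME would contain right now.
verify_backup() {
    want=$(tar -C "$1" -cf - "$2" | tar -tf - | sort) || return 1
    got=$(list_backup "$3" | sort) || return 1
    [ -n "$got" ] && [ "$want" = "$got" ]
}
```

The check compares path names only, not file contents, so it catches truncated or undecryptable archives and missing files rather than silent content changes.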
 

g3rt

Cadet
Joined
Mar 20, 2018
Messages
7
Thanks for the suggestion, @Arwen. Unfortunately, many backup and sync providers don't provide ssh access.
 

Gab

Cadet
Joined
Nov 13, 2018
Messages
4
Hello,

For your information, it is possible to use FUSE and "encfs --reverse" on FreeNAS 11... but outside of a Jail. However, this is a little bit tricky to set up, as FreeNAS does not provide Encfs => you need to recompile it manually and put it on the FreeNAS host system.

But in the end, this is working and I am using this solution in production for backing up an encrypted view of sensitive data to a remote server using rsync/ssh (there are cloud providers for rsync, but not a lot).

See details on the following thread:
https://forums.freenas.org/index.php?threads/bounty-fuse-mount-within-a-jail-encfs-sshfs.54133/

Hope this helps!
 