File names and sync issue #133

Closed
wards999 opened this issue Jul 12, 2021 · 6 comments

@wards999

If I have a local encrypted FS and have synced this with a cloud storage provider, what is the best approach to keeping them in sync?

For example, say I start with an unencrypted directory of 10 folders and each folder has 10,000 files.
I can create and mount a new local encrypted FS and copy all these files to the new drive letter.
I now have a directory structure of 10*10,000 encrypted folders / files
I can now upload the encrypted directory structure to the cloud.

If in future I re-mount the local FS and add a single file into one of the folders (e.g. folder 9), it is the only file that needs syncing to the cloud.
Running a full directory comparison over all folders and files can take a really long time, where in reality I know the new file was added into folder 9.

If instead, I mount the cloud folder and the local folder simultaneously, I can then work directly with the decrypted files and just upload the single new file, however it will be given a different encrypted filename in the cloud FS, which will then cause problems for later syncs.

Ideally the filename should remain encrypted, but be named the same in both locations.
It seems like folder names work this way but files don't, unless I'm misunderstanding?

Thanks

@bailey27
Owner

I think what you're asking for is for AES-SIV mode to work deterministically in forward (non-reverse) filesystems.

There have been questions about this in the gocryptfs forums. Currently, in gocryptfs/cppcryptfs, AES-SIV mode is deterministic only in reverse mode.

I think one of these options might work for you:

Option 1:
Reverse-mode filesystems do the encryption deterministically, using AES-SIV.

So, if you want to keep your files in unencrypted form on the local machine, but have them encrypted and synced to the cloud, you could mount a reverse filesystem that uses your unencrypted files as source and sync the encrypted, reverse-mounted files to the cloud.

Option 2:
If you don't mind keeping your files encrypted and mounting them when you need to use them, then you could just keep the encrypted files synced to the cloud.

Option 2 is how I normally use cppcryptfs. I have a directory under my Dropbox\Documents folder where I keep my encrypted filesystem (the encrypted files). When I need to use them, I mount the FS and make changes. Any changes I make cause the encrypted files to be automatically synced with Dropbox.

@wards999
Author

Yes, I believe option B is what I'm describing:

  1. A local folder where I keep my encrypted filesystem
  2. I mount this and make changes
  3. At some stage I manually sync the encrypted changes (using freefilesync) to the cloud

It's step 3 that's the issue really. When I run freefilesync pointing at the local encrypted folder and the remote encrypted cloud folder, it takes a huge amount of time to find the (single) change, as it has to compare all the local and remote files each time it's run.

If, instead, I mount the local and remote filesystems side by side so that all the filenames are plaintext, it's easy to find and copy just the new folders and files directly to the cloud fs. However if I do this, the encrypted filenames get created in the cloud fs with different names to the local encrypted names, so this is not an option - am I doing something stupid that would make this easier? (i.e. a flag to ensure that a file named Test1 is always encrypted to the same string regardless of fs)

Thanks

@bailey27
Owner

I think what you're asking for is for AES-SIV mode to be deterministic in forward mode like it is when it's used in reverse mode.

That way you could manually copy files from one encrypted view to another (or one unencrypted view to the other), or you could do a full sync of the local encrypted files to the cloud encrypted files and only the changes would need to be synced.

This has been asked for in gocryptfs but hasn't been implemented.

rfjakob/gocryptfs#108

However, I think you could just copy individual files from the local mounted fs to the fs mounted via the cloud (from one unencrypted view to the other), and you could also run the sync from one mounted fs to another (from one unencrypted view to the other). The encryption/decryption would be done on your machine, and only the encrypted files would end up in the cloud.

I avoid having to do this by using Dropbox which keeps the encrypted files on my local drive synced with the cloud. Maybe you should change to a cloud service that works like Dropbox?

@wards999
Author

If I only want to add a single file Test1.txt to an already encrypted FS (and have a backup FS, in the cloud or on a 2nd drive for example)

  • Mount Encrypted FS 1
  • Copy in file Test1.txt
  • Encrypted filename is 6iIOJEArnKtkqhYKc3rn7dhWu7J7ldNZBqtM0usUfAM
  • Mount Encrypted FS 2
  • Copy in file Test1.txt
  • Encrypted filename is yUPvrSBkmrL2HZnp7Ayv8Gtf7iEHZk-4w2JOms7SZbo

So although the underlying file Test1.txt is identical, when a later sync process is run on the unmounted file systems, it will see 2 different files and end up creating an extra file at both ends.

Alternatively, I could choose, at FS creation time, to not use filename AES and instead use plaintext. This way the filenames are identical. What I wanted to understand is if there was a way that filenames would still be encrypted, but that each encrypted name would be the same irrespective of FS? This way a file comparison would not create the extra file.

What I have to do instead...

  • Mount Encrypted FS1
  • Copy in file Test1.txt
  • Run freefilesync on the local folder and remote folders
  • Wait a really long time :)
  • freefilesync copies just 6iIOJEArnKtkqhYKc3rn7dhWu7J7ldNZBqtM0usUfAM to the remote folder
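
The naming mismatch described in the comment above, modelled as an added example (not part of the thread and not cppcryptfs code). HMAC-SHA256 stands in for filename encryption, and `name_secret`, `EncryptedFS`, `sync_plan` and `demo` are hypothetical names; the model assumes each filesystem derives encrypted names from its own secret.

```python
import base64
import hashlib
import hmac
import os


def encrypt_name(name_secret: bytes, plain: str) -> str:
    # Stand-in for filename encryption: a keyed, deterministic mapping.
    # This is NOT the cipher cppcryptfs uses; it only models the property
    # "same secret + same name -> same stored name".
    tag = hmac.new(name_secret, plain.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).rstrip(b"=").decode("ascii")


class EncryptedFS:
    """Toy model of one encrypted tree: stored name -> plaintext name."""

    def __init__(self, name_secret: bytes):
        self.name_secret = name_secret
        self.on_disk = {}

    def add(self, plain: str) -> str:
        enc = encrypt_name(self.name_secret, plain)
        self.on_disk[enc] = plain
        return enc


def sync_plan(a: EncryptedFS, b: EncryptedFS):
    """Copy lists a name-based sync tool builds from the unmounted trees."""
    names_a, names_b = set(a.on_disk), set(b.on_disk)
    return sorted(names_a - names_b), sorted(names_b - names_a)


def duplicates_after_sync(a: EncryptedFS, b: EncryptedFS) -> int:
    """Plaintext names present twice in `a` once b's extras are copied in."""
    _, to_a = sync_plan(a, b)
    merged = list(a.on_disk.values()) + [b.on_disk[n] for n in to_a]
    return len(merged) - len(set(merged))


def demo(shared_secret: bool) -> int:
    s1 = os.urandom(32)                      # constructed sample secrets
    s2 = s1 if shared_secret else os.urandom(32)
    fs1, fs2 = EncryptedFS(s1), EncryptedFS(s2)
    fs1.add("Test1.txt")                     # copied in through mount 1
    fs2.add("Test1.txt")                     # copied in through mount 2
    return duplicates_after_sync(fs1, fs2)
```

`demo(False)` returns 1 (the extra file the sync creates), while `demo(True)` returns 0 because both trees store the file under the same name.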

@bailey27
Owner

bailey27 commented Jul 18, 2021

It won't work like you want the way things are now.

It would work like you want if rfjakob/gocryptfs#108 were implemented.

@wards999
Author

Thanks for the clarification.
