Syncthing & encfs working together
I am a big fan of syncthing to synchronize my local files across multiple devices, and I also use encfs to get encrypted version of folders.
encfs and reverse mode
There is also a nice feature in encfs, called reverse, that allow to get a virtual encoded filesystem based on any non encoded filesystem. It is useful to create backups in “less secured” areas such as cloud spaces, hard drives / SD Cards in offsite locations, etc. Please note that a security audit has since found some security flaws in encfs, but I guess this is still better than non encoded files, and I have not taken the time to move to something with higher security (like Cryfs). Another advantage of encfs is also to be widespread in distribution, and also available with little effort on Windows and Android.
encfs stores encoded version of your files and allow to give access to a virtual filesystem with decoded contents. encfs --reverse does exactly he opposite, and will offer you a virtual filesystem with encoded contents of non encoded files stored on your computer. So you don’t have to copy/synchronize your files in a secured container before snchronizing / backuping it. It is also possible to automate this in fstab, to get automatically mounted reverse encfs, but as encfs does not support natively fstab syntax you will need an intermediate shell script:
In /etc/fstab:
/root/bin/mount-encfs-std-reverse#/mnt/bk-hubic /mnt/bk-hubic_encfs fuse ro 0 0
In /root/bin/mount-encfs-std-reverse
#!/bin/sh
echo "<your password> | encfs --public --reverse -S $*
There are also options to get files encrypted during the synchronization process, but either they are immediately decoded after reception, or they are harder to decode after.
Problems with syncthing
There are some problems to use encfs reversed filesystem with syncthing:
syncthingexpects a.stfolderfolder to check the target we want to synchronize is really there (that is a good security to avoid destroying all your files remotely if your source filesystem is not mounted for any reason).syncthingcall this a marker and allow changing the name in a markerName option in the XML config file. You need to edit the folder you want to use and add the markerName tag to use the name of an existing folder in your encfs filesystem:<folder id="encfs_folder" label="encfs_folder" path="/mnt/encfs_folder" type="sendonly" ... > <filesystemType>basic</filesystemType> ... <markerName>uP-77qTZcu8WhCZGC8R2P1WI</markerName> ...syncthingwill try to load a.stignorefile to get ignore patterns from it. It is not a problem if the file is not found, but for some reason, encfs does not simply throw afile not founderror, but ainput/output errorthat makes syncthing abort the synchronization. There is some debate abut the way to fix it, but no solution was implemented:- syncthing point of view : https://forum.syncthing.net/t/dir-on-read-only-filesystem-folder-stopped-because-of-missing-stignore/18237 and https://github.com/syncthing/syncthing/issues/6171#issuecomment-557257895
- corresponding encfs open issue : https://github.com/vgough/encfs/issues/570
- if you want to patch syncthing, this should be the line of code where to patch to change input/output error to not exists ; but as it won’t be accepted and maintained over time, it is not a good solution in my opinion.
encfswill need the.encfs6.xmlfile to be able to mount a decrypted version of the folder
Workaround with mergerfs
There is another very handy fuse filesystem called mergerfs that does exactly what we would expect from its name, as it will merge two filesystems in a single one. We will use it readonly, but this fuse filesystem also works in read/write mode (and works very well).
We will create a folder with the file expected by syncthing in a /mnt/encfs_folder_stfiles folder:
.stfolder(created by example withtouch .stfolder).stignore(created by example withtouch .stignore).encfs6.xml(copied or linked from source folderln -sf <sourcefolder>/.encfs6.xml .)
And we will also create a /mnt/encfs_folder_merged folder to get the result of mergerfs, and configure the merge in /etc/fstab:
/mnt/encfs_folder:/mnt/encfs_folder_stfiles /mnt/encfs_folder_merged fuse.mergerfs allow_other,use_ino 0 0
You can now reboot or mount everything with mount --all and update your syncthing source folder to point on the merged one and everysthing should now be OK!
Android Application
I used to use Cryptonite, but it is no longer maintained, and no more available on the application stores. So I found EDS List, open-source and available on F-Droid, and quite efficient. That way you can synchronize your important files on your smartphone using syncthing Android App but keep them securely encoded in case of loosing your phone.
Optimisations de systèmes de fichiers ext4 (et tentatives zfs et btrfs)
Les systèmes de fichiers ne sont pas magiques, et comme tout, sont matière de compromis. Le réglage par défaut convient dans la très grande majorité des cas, mais pour des usages particuliers, il est nécessaire de bien comprendre leur fonctionnement et d’adapter les paramétrages.
Paramétrages réseau et VPN sous debian 12
Je boudais injustement NetworkManager depuis des années car je n’avais pas compris son architecture, et pensais à tort qu’il s’agissait d’un logiciel propre à la session utilisateur. Mais il s’agit bien d’un service complet exécuté sans session utilisateur, mais commandable depuis la session. Il comporte désormais quasiment toutes les fonctions...
Profil BASH
À l’occasion de mon passage sur debian 12, un problème avec zshque j’utilisais depuis 25 ans m’a forcé à passer sur bash, et donc à me définir un profil bash adapté à mes besoins.
Installation debian 12
Debian 12 “bookworm” est sortie en juin de cette année. L’occasion de rafraîchir mon installation debian qui datait de plus de 10 ans ! À propos de décennies debian fête ses 30 ans, bon anniversaire debian !