I want to do live synchronization of an encrypted directory with a server, such that the server only sees encrypted data.
Suppose I put the underlying ecryptfs data in:
/home/user/.Private
And I mount that directory at:
/home/user/unlocked
Can I update the files in .Private (e.g. using rsync) and expect unlocked to reflect the changes? Or is this going to just mess things up? Are there better alternatives for live synchronization of encrypted data?
UPDATE to clarify:
I want to only ever transmit encrypted data to the server -- the server is not trusted. So I want to see:
client <-- encrypted data --> server
There may be more than one client updating (decrypted) files; hence the live-synchronization desire:
    client1
         \
          \--- encrypted data --\
                                 \
                                server
                                 /
          /--- encrypted data --/
         /
    client2
So the client has a directory containing encrypted files -- chunked the way ecryptfs does it:
    /home/client1/.Private/
    |--- ECRYPTFS_FNEK_ENCRYPTED.Fabcde.../
    |    |--- ECRYPTFS_FNEK_...
    |
    |--- ECRYPTFS_FNEK_ENCRYPTED.Flaksd.../
    |--- ...
This is mounted with ecryptfs:
    /home/client1/unlocked/
    |--- secret_file_1
    |--- secret_file_2
Now, client1 is busily making changes to files in unlocked. When the client makes changes, the underlying encrypted files in .Private change as well. So a local inotify or some such notices the changes and rsyncs the encrypted base files in .Private to the server. The server, aware that client2 is also listening, notifies client2 that it should pull changes.
So my concern is: if client2 pulls down the underlying ecryptfs chunked files into .Private while it is mounted in unlocked, I suspect this will cause problems, no? This would require client2 to unmount unlocked prior to syncing, which defeats the whole "live synchronization" idea.
If so, what are good alternative techniques for efficient syncing of diffs of an encrypted tree?
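The part of this design that does not depend on how ecryptfs behaves underneath a mount is deciding what to push, pull or flag when two clients have both written to .Private since the last sync. The sketch below is an added example, not code from the question or from ecryptfs: a three-way comparison of hash manifests of the encrypted lower files (names like ECRYPTFS_FNEK_ENCRYPTED.F... are already ciphertext, so the manifest leaks no plaintext). The `base`/`local`/`remote` manifests and the hash values are constructed for illustration; a sync agent cannot merge a conflicting encrypted chunk because it never sees the plaintext, so conflicts are only reported.

```python
import hashlib
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file under `root` (the lower .Private dir) to the SHA-256 of
    its ciphertext. Only the encrypted names and contents are read."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def plan_sync(base: dict, local: dict, remote: dict) -> dict:
    """Three-way diff of manifests taken at the last successful sync (base),
    on this client (local) and on the untrusted server (remote).
    A file missing from a manifest is represented by a missing key."""
    plan = {"push": [], "pull": [], "delete_remote": [], "delete_local": [],
            "conflict": []}
    for name in sorted(set(base) | set(local) | set(remote)):
        b, l, r = base.get(name), local.get(name), remote.get(name)
        if l == r:
            continue                     # same ciphertext (or gone) on both sides
        local_changed = l != b
        remote_changed = r != b
        if local_changed and remote_changed:
            plan["conflict"].append(name)   # opaque blobs: cannot be merged
        elif local_changed:
            plan["delete_remote" if l is None else "push"].append(name)
        else:
            plan["delete_local" if r is None else "pull"].append(name)
    return plan


if __name__ == "__main__":
    # Constructed manifests: hash strings stand in for real SHA-256 digests.
    base = {"F1": "a", "F2": "b", "F3": "c", "F4": "d"}
    local = {"F1": "a2", "F2": "b", "F3": "c", "F4": "d2", "F5": "e"}
    remote = {"F1": "a3", "F2": "b2", "F4": "d", "F6": "f"}
    for action, names in plan_sync(base, local, remote).items():
        print(f"{action:>13}: {names}")
```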