A first for me - asking for a friend : encryption

OK - here’s the scenario…

My Ubuntu 20.04 laptop has data on there, most of it I couldn’t give a rat’s @rse if someone got it - but - some of it is sensitive, and some of it is possibly “confidential” customer information…

That data gets sync’d across my “infrastructure” using Resilio Sync (e.g. my NAS, my RPi4, 3 x Ubuntu 20.04 machines, my work’s Windows 10 laptop, my iPad Pro 12.9").

What I’d like to do is encrypt two of the three folders I sync (three separate “sync folders” in Resilio - I don’t care about my music folder being encrypted), and it ONLY has to be on one computer - i.e. after the encrypted “stores” are mounted (hopefully automatically, or by a quick and dirty shell script), I fire up Resilio Sync (probably from the same crude shell script) and get them synchronised, but only on that one computer (that I commute with), everything else can store it on “plain Jane” ext2/3/4 exfat/NTFS/bitlocker filesystems, e.g. my Win10 laptop at work has bitlocker or whatever the crap Microsoft call their encryption, and if that gets lost or stolen, hopefully the data will still be secure…

I don’t really care about the computers I keep at home - if someone breaks in and steals one, then data security is the least of my worries…

So - what I wanted to do, was encrypt :
~/ResilioSync/motorforker (mostly shell scripts, but there are a few that reference other files in the same sync folder that contain passwords [like an expect script I use to stay connected to work’s hideous Checkpoint VPN]).

-and-

~/ResilioSync/bigguns (lotsa images/memes I snag, a bit of eye candy [attractive ladies and motorcycles mostly]), but most importantly, documents I need to do my job that I wouldn’t want nefarious entities to violate…

I used to use TrueCrypt yonks ago, as the same vaults could be opened on Windows or Linux machines, but it looks poorly maintained and probably out of date…

And I spotted an article from our very own “It’s FOSS” - but - it mentioned having to use a PPA - I NEVER use PPAs, avoid them like the plague after being stung by dependency hell issues after updates et cetera.

AND : here’s the gotcha, I really couldn’t be @rsed re-installing Ubuntu on this laptop and setting it up again from scratch to use the default “encrypt my whole filesystem” - which I REALLY should have done (I used to have this laptop set up that way)… I’ve installed too much, and got it running sweet, and not really too keen on the disruption a re-install would entail… I guess it’s not a huge amount of stuffing around… I could do it on the weekend I suppose… oh well…

It’s just a shame that Ubuntu 18 didn’t / doesn’t support ZFS out of the box like 20.04 does (because of a few dependencies - i.e. Checkpoint SNX VPN client, and Citrix ICA client, which ONLY install on 18.04, I have to install 18.04 first, then upgrade) - 'cause then I could just create an encrypted zvol on my existing ZFS “root” zpool and mount that and be done with it…

Also - if you hadn’t gathered by now, not really asking for a friend, it’s for me! :smiley:

1 Like

If you used to use TrueCrypt, I can recommend its successor, VeraCrypt: veracrypt.fr which is actually regularly maintained.

3 Likes

cheers mate - I’ll check it out… and report back, if successful, I’ll mark your answer as “the final solution”!

Am using it regularly with an old TrueCrypt volume and works flawlessly. Can recommend it, as well.

If it isn’t too much of a hassle, you can still install it manually.

2 Likes

I also have used veracrypt and it seems to be 100% compatible with TrueCrypt. Well at least files created with TrueCrypt and being accessed by veracrypt. I have not tried the reverse.

1 Like

OK - tentative success…

I’ve set up 2 veracrypt “crypts”, linked my RSL (resilio sync) sync folders to those mounts, and it seems to be working… unfortunately RSL knows they’re links, so I’m syncing e.g. /media/veracrypt1 and /media/veracrypt2, to more meaningful named “targets” on my other RSL peer machines…

But so far, so good… I feel a bit more secure anyway… got the warm fuzzies in the cockles of my heart :smiley: :heart_eyes: anyway…

Rebooting will be a bit of a PITA - I’ve set RSL to manual start (it’s a simple “systemctl --user start resilio-sync” away), so I can manually mount the veracrypt volumes beforehand… till I get my head around doing the mounts from a shell script (but then storing the mount arguments in a plain text file would kinda defeat the whole purpose of this exercise!)…
-note-
still got a sense of impending doom however - envisioning a nightmare scenario should I forget my encryption pass phrase, when that pass phrase is stored in my KeePass2 database, which is itself, stored inside the freaking VeraCrypt crypt!

But there are ways and means… I can always try and grab stuff off other machines that aren’t encrypting my resilio shares (note RSL does encrypt the p2p sync data traffic)…

1 Like

Further update - figured out the CLI options and dependencies :

Stopped Resilio Sync on the 2 x folders, and stopped the systemd daemon :

systemctl --user stop resiliosync

In the VeraCrypt GUI - unmounted the two vaults…

On CLI :

veracrypt -t -k "" --pim=0 --protect-hidden=no --filesystem=ext4 $VAULTFILE /home/$USER/ResilioSync/$MOUNTPOINT
(for each - i.e. 2 x )

Then systemd start RSL daemons again :

systemctl --user start resiliosync.service

Then unpause sync in the RSL WebUI (e.g. on https://localhost:8888/)

And I’m cooking with methane!

I might actually do this on a few more machines… now… don’t think I’ll try on anything less than an i7 though (e.g. certainly not on an NTC CHIP with a single ARM core and 0.5 GB RAM!)…
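The mount / start / stop sequence from the post above, put into a small POSIX shell script. This is an added example, not code from the thread or from Resilio or VeraCrypt. It addresses the earlier worry about storing mount arguments in a plain-text file: the passphrase is never written anywhere, `veracrypt -t` prompts for it on the terminal exactly as the manual command does (no `--password`, so it never shows up in `ps` either), and the sync service is only started once every container is really mounted, so Resilio never gets a chance to sync an empty mount folder. The container paths (`~/vaults/<name>.hc`), the mount folders (`~/ResilioSync/<name>`) and the user unit name `resilio-sync.service` are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# vault-sync.sh (added example, not from the thread).
#   up:   mount the VeraCrypt containers behind the sync folders, then start Resilio Sync
#   down: stop Resilio Sync, then dismount the containers
# No passphrase is stored here: veracrypt -t asks for it interactively.
set -eu

# Assumed layout (hypothetical names, override via the environment).
VAULT_DIR="${VAULT_DIR:-$HOME/vaults}"          # <name>.hc container files live here
SYNC_ROOT="${SYNC_ROOT:-$HOME/ResilioSync}"     # mount folder == Resilio sync folder
VAULTS="${VAULTS:-motorforker bigguns}"         # one container per sync folder
RSL_UNIT="${RSL_UNIT:-resilio-sync.service}"    # user-level systemd unit (assumed name)

is_mounted() {
    # True when something is mounted exactly at $1. /proc/mounts escapes
    # spaces as \040, so keep mount folders free of spaces.
    grep -qs " $1 " /proc/mounts
}

mount_vault() {
    name=$1
    container="$VAULT_DIR/$name.hc"
    target="$SYNC_ROOT/$name"
    mkdir -p "$target"
    if is_mounted "$target"; then
        echo "already mounted: $target"
        return 0
    fi
    # Same options as the manual command in the post: text mode, no keyfiles,
    # PIM 0, no hidden-volume protection. Without --password/--non-interactive
    # veracrypt prompts for the passphrase on the tty instead.
    veracrypt -t -k "" --pim=0 --protect-hidden=no --filesystem=ext4 \
        "$container" "$target"
}

unmount_vault() {
    target="$SYNC_ROOT/$1"
    if is_mounted "$target"; then
        veracrypt -t -d "$target"
    fi
}

up() {
    for v in $VAULTS; do mount_vault "$v"; done
    # Refuse to start syncing unless every vault is actually mounted; otherwise
    # Resilio would sync the empty folder underneath the mount point.
    for v in $VAULTS; do
        is_mounted "$SYNC_ROOT/$v" || {
            echo "refusing to start sync: $SYNC_ROOT/$v is not mounted" >&2
            return 1
        }
    done
    systemctl --user start "$RSL_UNIT"
}

down() {
    # Stop the sync first so nothing is writing while the volume goes away.
    systemctl --user stop "$RSL_UNIT"
    for v in $VAULTS; do unmount_vault "$v"; done
}

case "${1:-}" in
    up)   up ;;
    down) down ;;
    *)    echo "usage: $0 up|down" >&2 ;;
esac
```

Run `./vault-sync.sh up` after login (you will be asked for each container's passphrase, and for your admin password if veracrypt needs it to mount, just as when run by hand) and `./vault-sync.sh down` before shutdown. Because the service is started only after the mount check, a mistyped passphrase leaves Resilio stopped rather than syncing the wrong directory.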


Thinking about security got me a bit paranoid, and realised I had a few holes in places here and there, and bloody RSL doesn’t even care, e.g. if I set a file to permissions 0400 on one RSL sync, no other machines get that :

Machine 1 :

ls -al secretfile 
-rw-rw-r--  1 x x       0 Aug 13 21:15 secretfile
chmod 0400 secretfile 
ls -al secretfile 
-r-------- 1 x x 0 Aug 13 21:15 secretfile

Machine 2 :

ls -al secretfile 
-rw-rw-r-- 1 x x 0 Aug 13 21:15 secretfile

Freakin’ PITA! Might have to do some reading up on Resilio Sync, there’s gotta be a way to have the same attributes, sync’d on shared files!

There are some folders, and files, I want either 0400 or 0500 on, so I had to go to like 8 different computers and do it manually! Pretty sure Dropbox did this properly…

I might even log a support ticket, and a forum post, at ResilioSync and see if there’s an answer…

Managed to get past my 0400 and 0600 and 0700 octal permissions issues… parent folder is 0700, all files are 0600, except for the one expect script I use daily, which is 0700…

While usable, and “working”, I don’t think this veracrypt solution is going to be workable long term - e.g. I already filled up one of my crypts ( I let Resilio Sync “keep everything” and why not? mostly text files, but I do half hourly updates of Covid19 data from Johns Hopkins - amazing how much disk space that kinda snapshotty behaviour can chew up)…

I will either bite the bullet and re-install onto a Ubuntu encrypted root partition, or, follow this guide :


and then setup an encrypted zvol inside the ZFS dataset (that has the same quota as the parent - should be “do-able”)

I don’t like this part about that:

ZFS whole disk formatting uses GPT partitioning. In order to boot a GPT disk, you need to EFI boot with an EFI partition present, or legacy (MBR) boot with a GRUB BIOS partition present. The structure automatically created by ZFS whole disk formatting will only allow for the latter to be done.

1 Like
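Since Resilio carried the file contents but not the modes, the fix in the permissions posts above had to be repeated by hand on every peer. As an added example (not from the thread, and not a Resilio feature), a small shell audit that lists every path in a synced folder that grants anything to group or other, plus an enforce function that applies the modes the post settled on: 0700 on directories, 0600 on files, and 0700 on files that are already owner-executable, so the daily expect script keeps running. Run it on each peer after a sync (cron or a post-sync hook). The function names and the sample folder are made up for this example.

```shell
#!/bin/sh
# perms-audit.sh (added example, not from the thread).
# Policy: directories 0700, regular files 0600, owner-executable files 0700.
set -eu

# Print "<group+other mode> <path>" for every file or directory under $1
# that has any group or other permission bit set. Uses ls -l columns 5-10,
# which are the group and other rwx fields, so it runs on any POSIX system.
audit_perms() {
    find "$1" \( -type f -o -type d \) | while IFS= read -r p; do
        gomode=$(ls -ld "$p" | cut -c5-10)
        case "$gomode" in
            ------) ;;                                # private already
            *) printf '%s %s\n' "$gomode" "$p" ;;
        esac
    done
}

# Apply the policy under $1. Files with the owner execute bit keep it
# (0700); everything else becomes 0600; directories become 0700.
enforce_perms() {
    find "$1" -type d -exec chmod 0700 {} +
    find "$1" -type f -perm -u+x -exec chmod 0700 {} +
    find "$1" -type f ! -perm -u+x -exec chmod 0600 {} +
}

case "${1:-}" in
    audit)   audit_perms "${2:-$HOME/ResilioSync}" ;;   # assumed default folder
    enforce) enforce_perms "${2:-$HOME/ResilioSync}" ;;
    *)       echo "usage: $0 audit|enforce [folder]" >&2 ;;
esac
```

`audit` is read-only and prints nothing when the folder is clean, which makes it easy to mail or log from each peer; `enforce` is what you would run once per machine instead of visiting all eight by hand. Note that modes only matter on peers that store the data on a Unix filesystem; an NTFS or exFAT peer will not keep them either way.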

Thanks for the heedings my fellow foSSers…

Just wiped this laptop and now re-installing 18.04.5 and using full disk encryption (the default version that ships with boobuntu)…

Got it syncing my 200 GB of Resilio Sync data now - got checkpoint SSL VPN client installed… next up configure zsh with oh-my-zsh and then do-release-upgrade… hmmm… remmina… sayonara, Google Chrome… tmux… ipcalc… inkscape, gimp, kolourpaint… vlc… synergy… keypassX / keepass2… gnome tweaks… that should just about do it…

I no longer need 18.04 to install Citrix ICA client - I’d been using 13.x of it - and only realised the other day that “Citrix Workspace App 2006”, is actually version 20.06 - STOOPID naming / versioning - “2006” makes it sound so noughties - “Hey Citrix - the noughties called, they want their post Y2K stuff back!”

Should be all sync’d and updated ready to take to the office tomorrow morning (working 2-3 days a week at the office of late) - and if it gets “half inched” (rhyming slang for stolen - i.e. “pinched”) or lost - the data’s encrypted…

Having separate vaults with VeraCrypt proved unworkable, and I’m pretty sure it slowed Resilio Sync down… it was always playing catch up with the master (we’re not allowed to say that anymore are we? or is it just slave that’s bad?) - whereas I didn’t notice this happening when I previously used boobuntu’s whole disk encryption…

Note: this laptop supports both UEFI and legacy - but I use UEFI - just seems faster…

2 Likes