Recommended way how to sync sensitive files across different devices

Dear Qubes community,

I would like to ask you about your recommended way to synchronise sensitive files across different devices. For example, I work with the Cherrytree database file on a Windows PC and I would like to work with the same file on the Qubes machine. I could sync this file to the dropbox and create an appvm on Qubes that only contains the dropbox and the Cherrytree app.

It works, but I think there should be a more elegant way to sync files between devices. Can you recommend different ways?

Thank you
C.

rsync?

2 Likes

@CaesarVialpando

I would not suggest Dropbox. :confused:

Have you checked out Syncthing?

https://syncthing.net/

3 Likes

Dear @necker thank you very much for your recommendation.

I studied Syncthing and unfortunately it won’t be suitable because I don’t have the possibility to set the port forward on the router and/or UPnP. I tried OnionShare, but it won’t allow regular synchronisation, only one-time.

Thank you

Why don’t you recommend dropbox, what if it was combined with boxcryptor for example? (Boxcryptor – No. 1 Cloud Encryption Made in Germany)

Well, that certainly seems better than Dropbox alone. I don’t like Dropbox because they don’t respect user privacy. I don’t want to give them my money. Boxcryptor also has a fee. I recall that Veracrypt works well with Dropbox and it’s free.

As far as a quasi-mainstream paid service, I might opt for something like Tresorit. Ideally, I would set up something on a VPS, but I don’t trust my technically ability to do it securely.

For using syncthing, I have never needed to forward any ports on my router.

It is working for me without any port forwarding.

You should definitely try syncthing and see if it works for you without port forwarding, too.

Isn’t sync thing just using TLS encryption?

Yes. Supposedly the volunteer-run relay servers, when used (i.e. when firewall/NAT settings prevent devices from contacting each other), see only encrypted content.

But I haven’t reviewed the source code.

If I were to adopt it, I’d probably use encrypted containers/archives for sensitive financial/personal data.

I’ve also seen SpiderOak recommended in this context: No Knowledge - SpiderOak

B

rsync is a good suggestion … syncthing has always looked good in principal but ive never used it

using a cloud provider like dropbox to ‘bounce’ a ‘sensitive’ file from one machine to another is the very antithesis of transferring sensitive files.

If the systems are both on the same network then there are much better solutions than using a cloud service. If they are not on the same network, then at least GPG them before transfer via a 3rd party.

The problem is that I need to sync files from my PC at work to my home PC so that I can continue working on weekends. I don’t have the ability to open ports or enable UPnP on the company router. I need to have the most up-to-date version of the files on both devices (home and work) at all times. I’m looking for a solution to automate the whole process so that I don’t have to think about synchronization and don’t have to, for example, encrypt the files with GPG every time. On a local network rsync would be ideal, unfortunately I need to sync over the internet.

OK you cant control the work router. but if you have a machine at home which can act as fileserver (hell, even a Pi with a USB SSD will do) then forward the port on the home router. Set up a recurring rsync job on the work machine to ‘push’ the data over SSH+key to the home machine. If your home IP changes, use something like dyndns.

What you also need to be careful of with syncing any work files to home is any contractual stipulations and corporate data protection & infosec requirements. For example, if your employer has to abide by Sarbanes Oxley then your employer can be taken to the cleaners if you are syncing work data to home machines outside of your employers control

thank you, but I’m afraid I wouldn’t be able to set everything up safely enough to avoid making a mistake

Of course, I am allowed to sync files from my work PC and everything is in compliance with company regulations. The company is not subject to Sarbanes Oxley.

Corporate IT allowed me to use SSH, so I solved the problem with a cronjob with rsync. I would have a dummy question: thanks to rsync in cronjob I effectively sync from machine1 → machine2. Could someone please advise me how to set up cronjob on both devices so that the files I want to sync are always up to date on both devices? I.e. I make a change to the files on machine2 and cronjob syncs the latest version to machine1 and vice versa.

Yes. And?

This comment pertains to the title of this thread in general but is not part of his intended question:

I’ve been pondering this too. What if the remote is grapheneOS (I.E. a phone)? I suspect you can’t run rsync on grapheneOS as grapheneOS doesn’t have (and tells you not to try) root.

You use the syncthing.

1 Like

I think using rsync directly for bidirectional sync is going to be complex. There are complexities related to conflict resolution (home/work have conflicting changes) and devices availability. You should probably use a tool designed for this, such as syncthing, unison, or osync. osync is based on rsync: GitHub - deajan/osync: A robust two way (bidirectional) file sync script based on rsync with fault tolerance, POSIX ACL support, time control and near realtime sync

rsync supports both push/pull (i.e. initiating the transfer from any of the devices), so if you have SSH access from your corp network you can initiate the home-to-work sync as well.

Or are you actually asking how to set up periodic jobs on your qube?

Hi @naqvx, thank you for your reply and welcome in the forum.

Yes, the problem I’m solving is how to set up bidirectional sync of only the most recent files in a folder using rsync.

You can use find to get the most recent files and then feed the list of files to rsync.
But if you manually run rsync you will still end up with the complexities of bidirectional sync. Have you looked into osync?