
Ask HN: Secure file sync solution (2016 Edition) - sinatra
When it comes to security, the main test where all major file sync services currently fail is: Can they have access to our files if they want to?<p>For them to not have access to our files, they need to support client-side encryption with the private key provided by the client. And, open-source the client part so that the security community can verify that the client indeed encrypts with the said key.<p>As far as I know, all major services only encrypt files during transfer, but not at rest (ie, on their server). This means Dropbox, Box, Google Drive, SkyDrive, etc can access all your files.<p>You can use an encrypted file system (ex, EncFS+FUSE or TrueCrypt if you still trust it) on top of one of these services (esp. Dropbox because it supports block level sync), but TrueCrypt is inconvenient as you need to remember to mount&#x2F;unmount it after use. And EncFS+FUSE is error prone (I&#x27;ve had some files become corrupted) and not that secure anyway.<p>Services that do support client-side encryption (AeroFS, BTSync, SpiderOak, etc) seem to have other issues (Closed source client, poorly performing client, etc). As far as I know, Box&#x27;s KeySafe also only claims that Box won&#x27;t have access to your keys. They will still have access to your files (which is what the keys are supposed to protect anyway).<p>In the open source world, people have mixed opinion about ownCloud. Syncthing appears perfect (if you&#x27;re willing to setup your own VPC as a hub). The only issue is that you want the files to reside on that hub in encrypted form (treat the server as untrusted). Currently, the files are exposed on the server, and if a hacker can get into the VPC, they have access to everything. Git-annex and Unison can be made to do file sync, but as far as I know, that&#x27;s not the main use-case those tools focus on. I am not sure if they support an untrusted server either.<p>What file sync solution do you use today? What kind of issues do you have with it?
======
koolba
> Services that do support client-side encryption (AeroFS, BTSync, SpiderOak,
> etc) seem to have other issues (Closed source client, poorly performing
> client, etc). As far as I know, Box's KeySafe also only claims that Box
> won't have access to your keys. They will still have access to your files
> (which is what the keys are supposed to protect anyway).

I can't imagine anyone with any understanding of security being willing to use
a closed source client to handle encryption. If you don't know how it's
working, you don't know it's working.

> What file sync solution do you use today? What kind of issues do you have
> with it?

For servers, configs, and general "small stuff": tarsnap

For big/static things: GPG + S3

For ultra private: pass + git on a private server

No issues with any of these and all three are highly recommended.

