
secure rsync


Secure Rsync can be downloaded below. To install the tool, extract the makefiles to any path with read and write permissions. Instructions on using the makefiles can be found in the manual, here. There is no separate download for the source code since, by their nature, makefiles are already open.

In addition to the makefiles, it may be necessary to download and install external dependencies.

| Description | Version | Last change | Download |
| --- | --- | --- | --- |
| Secure Rsync | v1.1 | June 24, 2012 | Tarball / Zip / GitHub |

external dependencies

The set of dependencies is the same on Linux, FreeBSD, and Windows. On Linux or FreeBSD, only the ports or packages 'rsync' and 'p7zip' are likely needed. On Windows, the following set of dependencies will likely need to be installed.

| Dependency | Description | Website |
| --- | --- | --- |
| GNU Make | Executes the makefiles | http://gnuwin32.sourceforge.net/packages/make.htm |
| cwRsync & SSH | Provides rsync and SSH functionality to Windows | http://www.itefix.no/i2/cwrsync |
| MD5 | Generates MD5 hashes used to verify integrity of the repository | http://www.fourmilab.ch/md5 |
| 7-Zip | Encrypts and archives files to the repository | http://www.7-zip.org |


Performing a backup with Secure Rsync on Windows
Performing a backup with Secure Rsync


1. Overview

Secure Rsync allows users to securely back up data using rsync with any 'Unixy' OS, such as FreeBSD or Linux, as well as Windows.

The tool is configured to point at a directory containing data to be backed up. Initially, the data directory is encrypted to a repository. After the encrypted repository is created, rsync connects to a remote server using SSH and an incremental backup of the repository is performed. Because rsync is working with the encrypted repository, all data eventually stored on the server is also encrypted. When Secure Rsync is run again, the data directory is examined for any changes. Any files which were created, deleted, or modified are considered changed. Changed files are then encrypted or deleted from the repository. When rsync runs, only changes will be transferred to the server.

2. External Dependencies

The following tools are required by Secure Rsync:

| Dependency | Description |
| --- | --- |
| GNU Make | Secure Rsync is composed entirely of makefiles. To execute those makefiles, GNU Make is used. |
| Rsync | Used to synchronize the remote and local repository directories. |
| SSH | Used by rsync to connect to the remote server. |
| 7-Zip | Secure encryption and archiving functionality is provided by 7-Zip. This tool is responsible for securely storing data in the repository. |
| MD5 | After a backup is performed, it may be necessary to verify the integrity of the repositories on both the server and local computer. MD5 is used to verify the integrity. |

NOTE: it is assumed the remote server provides md5 functionality.

3. Running

3.1 Configuring the Backup

Many parameters of Secure Rsync are configurable. These parameters can be modified by editing the file 'secure_rsync/defaults.inc'. The table below documents modifiable parameters.

| Variable | Description | Example |
| --- | --- | --- |
| data_path | Specifies a path containing the data to back up. All files and directories in this location will be encrypted to the repository, which is then synced with a server using rsync. | data_path := $HOME/my_data |
| repository_path | A location to be populated with the encrypted files derived from the data path. Rsync works only with the repository path. NOTE: The repository path must not be a subdirectory of the data path. | repository_path := c:/encrypted |
| remote_repository_path | The location on the remote server to rsync with the local repository path. | remote_repository_path := repository/my_user |
| server_name | The name of the server to connect to using SSH. This server must support the rsync protocol. The contents of the repository are then synced with the server. | server_name := my_user@srv1.rsync.net |

3.2 Preparing a Command Prompt or Terminal

The makefiles expect the external dependencies to be available in the binary search path. Prior to running Secure Rsync, make sure the following executables are available:

3.3 Setting Up the Backup

Before any backups can be performed, the tool must be set up properly. Once a command prompt or terminal is running, from the Secure Rsync installation directory, the following command should be run:

# For windows:
Prompt> setup.bat
# For unixy OSs:
Prompt> ./setup.sh

Setup will first ask for a password to be used for encryption. The password set here is required before any subsequent backups can take place.

After the encryption password has been set, the tool will generate SSH authentication keys. The credentials to login to the server will need to be entered at this point.

Once the encryption password and SSH authentication keys are generated, setup is complete. All setup information is by default stored in 'secure_rsync/conf'. This path may be changed in 'secure_rsync/defaults.inc'.

3.4 Performing the Backup

A backup can be performed only after setup has been run. Using a command prompt or terminal, from the Secure Rsync installation directory, the following command can be run to start the backup process:

# For windows:
Prompt> backup.bat
# For unixy OSs:
Prompt> ./backup.sh

Before the actual backup is performed, the encryption password specified during setup will need to be entered. Once entered, a list of files in the data and repository paths will be collected. The lists will then be compared to decide if files need to be deleted, added, or updated in the repository. Once the data path and repository path are in sync, a connection to the server will be established and rsync executed. Once rsync completes, all files in the path will have been synchronized with the server.

3.5 Restoring Data

Data which has been backed up can also be restored. From a command prompt or terminal, in the Secure Rsync installation directory, run the following command to begin the restore process:

# For windows:
Prompt> restore.bat
# For unixy OSs:
Prompt> ./restore.sh

Before data is restored, the encryption password specified during setup will need to be entered. Once entered, the repository on the server will be synchronized to the repository on the local system. After the local repository is in sync with the server, the files in the local repository will be decrypted and synchronized with the data path. Once the restore command completes, the data path on the local system will contain all the data from the server repository.

3.6 Verifying Repositories

It is sometimes necessary to verify the files in the data path match the files stored on the server. From a command prompt or terminal, in the Secure Rsync installation directory, run the following command to begin the verification process:

# For windows:
Prompt> verify.bat
# For unixy OSs:
Prompt> ./verify.sh

Before any verification begins, the encryption password specified during setup will need to be entered. Once entered, the verification process will begin. First, the set of files in the data path and the repository will be compared to verify the set is the same. Next, files in the repository will be decrypted and compared with the unencrypted content found in the data path. Finally, MD5 hashes will be generated on both the local system and on the server and compared. If any of these checks fail, the offending file names will be printed to the console.

3.7 Environment Variables

There are a couple of environment variables which can be used to slightly change the behavior of Secure Rsync. These variables are listed below:

| Environment Variable | Description |
| --- | --- |
| encryption_password | To avoid password prompts, this variable can be set to the encryption password. There may be security risks involved, however, as the password will be stored as plain text and visible to any process which inherits the environment variable. |
| summary_only | If set to 1, performing a backup or a restore won't actually change any files. Instead, only a summary of the actions which need to be taken will be printed. |
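One way to limit the exposure described for encryption_password on a unixy OS, as an added example that is not part of Secure Rsync: keep the password in a file only its owner can access and place it in a single command's environment instead of exporting it. The function name run_with_password and the password-file path are hypothetical.

```shell
#!/bin/sh
# Added example, not part of Secure Rsync. run_with_password and the
# password-file path are hypothetical names.

# run_with_password FILE COMMAND [ARGS...]
# Runs COMMAND with encryption_password set in that command's environment
# only, taking the value from the first line of FILE.
run_with_password() {
    [ "$#" -ge 2 ] || { echo "usage: run_with_password FILE COMMAND..." >&2; return 64; }
    pw_file=$1
    shift

    # Require a regular file; a symlink could be pointed somewhere else.
    if [ -L "$pw_file" ] || [ ! -f "$pw_file" ]; then
        echo "refusing: $pw_file is not a regular file" >&2
        return 2
    fi

    # Characters 5-10 of the ls mode string are the group/other bits.
    # Anything but "------" means another account can read or modify it.
    perms=$(ls -ld -- "$pw_file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing: $pw_file is open to group/other (chmod 600)" >&2
        return 3
    fi

    # IFS= and -r keep spaces and backslashes in the password intact;
    # "|| true" tolerates a file without a trailing newline.
    IFS= read -r pw < "$pw_file" || true
    if [ -z "$pw" ]; then
        echo "refusing: $pw_file is empty" >&2
        return 4
    fi

    # Prefix assignment: visible to this one command (and its children),
    # never exported into the calling shell.
    status=0
    encryption_password=$pw "$@" || status=$?
    unset pw
    return "$status"
}

# Usage: preview with summary_only, then run the real backup.
#   run_with_password "$HOME/.secure_rsync_pw" env summary_only=1 ./backup.sh
#   run_with_password "$HOME/.secure_rsync_pw" ./backup.sh
```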

4. Caveats

There are a couple of shortcomings to be aware of before using Secure Rsync.

5. Backup Servers

Secure Rsync was designed to work with (though is not officially supported by) backup servers hosted by rsync.net. However, any servers which support SSH and the rsync protocol should be compatible with Secure Rsync.

6. Licensing

Secure Rsync is free software. Andrew Gottemoller licenses the software on this page to you under the terms of the GNU General Public License as published by the Free Software Foundation; you can redistribute it and/or modify it under the terms of the GNU General Public License either version 3 of the license, or (at your option) any later version.

There is NO WARRANTY for Secure Rsync, express or implied, including the implied warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU Public License along with Secure Rsync. If not, see <http://gnu.org/licenses/>.

7. Alternative Licensing

A special license for Secure Rsync is available if you are unable to meet the conditions of the license described above. For more information, please contact me.