automatic file encryption on NFS or RSYNC for remote incremental backup?

Question

What solutions should I be looking at to allow an incremental backup via rsync over nfs4 to allow files to be encrypted on the backup host?

I have zero control over the backup host's software so the encryption would obviously have to be done on the client side. I want incremental backup to still work (though it can be whole files, I don't want partial file copying) because of low bandwidth availability.

Seems strange neither NFS or RSYNC have this ability built in after all these years unless I am missing something.

I found rsyncrypto but it doesn't look updated for a few years now and not as transparent of a layer as I hoped.

Answer 1

The encfs overlay filesystem could be used for this. Normally it is given an encrypted directory, and allows transparently accessing the decrypted files in it. With the --reverse option, however, it works in the opposite direction – given a regular directory, it allows reading encrypted files through the mountpoint. So you could point rsync at the reverse-ecryptfs, and let it copy the encrypted files.

# encfs --reverse /home /mnt/encrypted-home
# rsync --various-options /mnt/encrypted-home/ /mnt/nfs-backup-server/

However. By saying "over NFS", you seem to imply that rsync runs only locally, writing to the server using NFS only. On the one hand, this means that rsync isn't going to be at all efficient – it cannot do partial copies without first reading the old version from the server, and if it did that over NFS, it'd use more bandwidth than with whole-file copies.

On the other hand, it means you can use encfs (or other alternatives such as eCryptFS) without the 'reverse' mode, by directly mounting the destination directory using encfs (rather than the source). This way you get a wider choice of overlay filesystems, as not all of them have a 'reverse' mode.

# encfs /mnt/nfs-backup-server/ /mnt/encrypted-backup/
# rsync --etc-etc-etc /home/ /mnt/encrypted-backup/