The Samba-Bugzilla – Bug 4615
encryption with rsync: using ssh's algorithms?
Last modified: 2015-03-04 16:53:49 UTC
For safe backups there is the need to keep the files on another (far) place. This comes with the disadvantage that you need to trust that place (which is almost a contradiction :-)
So, encryption of these files would help so that files are useless for the receiver.
Using rsync via ssh for far backups, this came to my mind: Since ssh has encryption built-in, couldn't it be possible to encrypt the files so that the spawned rsync process (receiving side) does not even decrypt the files but simply saves them? Possibly in the same directory structure.
This would have the advantage over all externally added encryption that rsync *itself* is informed about that, no need to extra decrypt on the receiving side to checksum etc.
This is probably not so easy, since the keys which are used for encryption during an SSH session are negotiated in advance to it, are unique for the session (used only once) and get discarded when the session terminates.
To my knowledge, rsync does not get in "contact" with the SSH layer, which it is making use of, meaning the session keys are not trivially accessible.
You might want to consider using losetup for transparent encryption, e.g.
losetup /dev/loop1 backup.file -e aes512
What you're asking for is currently possible with an external utility, called rsyncrypto (http://rsyncrypto.lingnu.com). It, in fact, does not require you to trust the server you're storing your backups on.