Encrypting files on the client before backup

I know UrBackup does not have encryption on the Client side (before the backup is done).
I have an user that needs his files to be encrypted before they reach UrBackup server.
The client is Windows and the UrBackup is a FreeNAS jail.
HAs anybody come with a way to do that?
Perhaps using a third party software on the client.

This use case is very specific, the files needs to be encrypted in a way the UrBackup server admin cannot see the contents of it.


You might want to investigate Cryptomator.

I have not used this personally, but I looked at it for use when having my files go up to the cloud. That’s what it’s made for. So that implies that you can be USING your files AT THE SAME TIME they are being encrypted and uploaded to the cloud. “Uploaded to the cloud” should be the functional equivalent of “being backed up by UrBackup”.

I can see potential issues with an encrypted single container (like TrueCrypt and it’s offspring uses). I can imagine upload client software - be that for cloud or UrBackup - might have issues keeping everything in sync as they’re trying to copy a large container that’s being written as they are copying. That just sounds dangerous. Cryptomator encrypts files as individual files, not as a big container. That sounds safer. With Cryptomator, your files appear to exist in two places. You work with them in the unencrypted place, and you upload them from the encrypted place. So you’d have to set up UrBackup with a backup path that points to the encrypted place (obviously!) Don’t accidentally point UrBackp to the unencrypted place.

But I have no personal experience with Cryptomator other than having researched it a little, installed it, and tested it for an hour or so. I decided not to use it, but not because of any fault I found with it. Instead, I decided to run my own cloud, using NextCloud software, and for that I didn’t need to encrypt like I would have had to for a public commercial cloud like I was originally looking at.

1 Like

I will definitely try this.
Thanks for sharing!!!

Wait, I just happened to think - if the UrBackup administrator takes an IMAGE of the target computer, then that image would include BOTH the encrypted and unencrypted areas of Cryptomator.

Also, realize that UrBackup runs with administrator privileges when it accesses the client computer. So in theory, UrBackup could be hacked to do anything it wants on the target client computer. Including working around your attempts at encryption.

And another thing to think about, and realize when I mention this is is not to disparage the UrBackup developers. But in general, an application developer (say, for UrBackup) is NOT a security expert. So it is pretty common for their software to have security holes, often times major ones. UrBackup’s developers are probably quite adept at programming backup and networking functions. But my guess is that for the security aspects of the software, they learned some things on the fly, and probably took off the shelf security suites and whatever and threw those together for their end result. When it comes to security, it is NOT enough to grab existing solid packages and cobble them together. It’s the cobbling together where you are really prone to screwing up. This sounds like I’m picking on and being harsh on the UrBackup developers. Nothing could be farther from the truth. I am speaking in general terms about application developers.

You should ponder this: If you can’t trust your UrBackup administrator and feel you must encrypt because of them, maybe UrBackup is not what you should be using. In order to use UrBackup, you basically give the UrBackup server (and it’s administrator) the keys to your castle.

Totally aligned with your observations.
In this particular case I am the admin, but I have an user that is very sensitive with his information (I completely understand the user, as he has Intellectual Property and Financial Information that must be protected, from anyone, including myself). I want to please the user as he has a legitimate reason to have this concern.
The UrBackup server is on premises, as his location, under physical protection, and not open to the Internet (other than receiving backups while he is traveling), I know that could possess a security risk and that support even more the idea of having the backups encrypted before they leave his PC.We are even considering allowing the backups over Internet only via VPN, but we havent gotten there yet.
We are not making Images for this particular user, just files, and just MyDocuments and Desktop, so , if the software you suggested can maintain an encrypted replica of those two folders on another folder, then I will point UrBackup to that encrypted folder, and thats it. The user is aware already that if we could find a way to encrypt files on the client, then he would be responsible for the encryption key, as I will never have it.
I just need to test how incrementals works (this user travels), if all works well, I will be able to provide this user with what he needs, thanks to your suggestion.
I will test it between tonight and tomorrow night.
Thanks again

Your could do a few things to protect yourself. When you are getting ready to start working on files that need to be encrypted, UNPLUG your network cable and SHUTDOWN the UrBackup client. Do your work. When done, lock everything back up tight in encryption (close Cryptomator, close Truecrypt, etc.) Then reboot your computer (to clear any remnants of unencrypted data from memory. Plug in your network cable and reboot.

Having done that, you’ve done a relatively decent job of protecting yourself from an administrator willing to hack UrBackup. It would be a pain in the butt to adopt this workflow. but if you’re really serious about this, what you need to do will not be convenient. Basically, convenience is the enemy of security, and vica versa.

[edit] We were posting at the same time. Now I see that YOU are the administrator. Oops! I think I just accidentally insulted you in that case. Sorry about that! [/edit]

1 Like

No problem!,
Advise taken anyways, as it is good.

Personally, I would recommend this. For the reason I already stated, application developers are not necessarily security experts.

For example, I run Plex Media Server. They is a dynamite media server. Quite good. And I let my family (the ones that don’t still live in my household) access my Plex server remotely. Plex provides a way for them to login to a Plex (the company) owned server and then bounce from there into my Plex system, provided I have registered my Plex system with Plex (the company) owned server.

Convenient, but I don’t trust Plex application developers to be security experts (not their fault, not blaming them). So in order to use my Plex server, my family first has to VPN into my LAN (OpenVPN hosted on my router), and then they use my Plex server as if it were local. This puts me in total control of who can access my stuff, I don’t have to turn that over to a third party. I create, sign, and distribute all the required certs and allow/revoke them as needed. I create the routing rules and iptables firewall rules to control who can access what. Plus, I am trusting the security part of things to the OpenVPN development team - a team I trust to be more security aware than the Plex development team (no offense intended to the Plex team - that’s just the way things are).

Similarly, the UrBackup team offers server verification and encryption of remote client backups. No offense intended to the UrBackup team, but I would be more trusting of the OpenVPN team to get all that done right, and securely. If your security needs are “light” (whatever that means), then the UrBackup provided verification and encryption may be all you need. Similarly, for a backup application, I wouldn’t want the OpenVPN team developing that, I’d want the UrBackup team to do it. Bottom line: UrBackup is not a security offering, it is a backup offering. OpenVPN is not a backup offering, it is a security offering. Choose which product will provide which service for you based on each one’s core competency.

There are various ways of backing up a system fully encrypted, however URbackup does not work that way.

Both methods fill particular needs and have benefits and drawbacks I’d look at Duplicati. The problem is the overhead since it cannot deduplicate multiple clients.