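A Weird Backup Method
October 14, 2007 10:50 pm | In Tech | 2 Comments
Someone's hardware RAID5 array under Windows had become unstable, and he suspected the chip was about to die, so he decided to move all the data to another disk. The RAID5 held several hundred GB of data, tens of thousands of small directories and tens of millions of files. Because the machine crashed frequently, a direct copy would not work, so he turned to synchronization software. Synchronizing files is not complicated and such software is plentiful. Reportedly he tried Karen's Replicator, SyncToy and Allway Sync, and even had his boss buy some other programs, yet not one of them got the job done. Either their fault tolerance was too poor to cope with file errors on the disk, or they simply crashed because of the sheer number of files. So he retried again and again; after four days not even half of the files were done, he couldn't take it any more and asked me what to do…
So I brought out a trick I had used before: smbmount both the src and dst directories on a Linux machine, and run rsync src dst on the Linux machine. A miracle happened: after one night of rsync, all the data had been transferred. This problem certainly doesn't have to be solved in such a weird way; I just find it strange that so many Windows programs can't match an outsider like rsync…
Today someone couldn't get an AVI file to play no matter what. I later suggested she try VLC, and it just played. Wow, have we entered communism, where paid software can't beat free/open-source software…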
rsyncrypto: rsync + encryption
September 7, 2007 1:04 am | In Tech | No Comments
rsyncrypto is basically rsync plus encryption. It's not feature-complete I guess, but it works for me. Ubuntu's package sources have a binary package, but compiling it isn't hard at all. The man page obviously has most of what you need, so here I'll just write a simple outline.
Suppose your data source folder is ~/src, sync destination is ~/dst (this could be a mounted nfs or smb share), and rsyncrypto working directory is ~/rr.
A. Encryption
First of all, create backup keys:
openssl req -nodes -newkey rsa:1536 -x509 \
    -keyout ~/rr/backup.key -out ~/rr/backup.crt
Then the actual sync command is:
rsyncrypto --ne-nesting=2 --trim=3 -n ~/rr/map \
    -cvr ~/src/ ~/dst/ ~/rr/keys ~/rr/backup.crt
This command encrypts the file names and the folder structure, so folder modification times are not preserved and empty folders are lost. The value of --trim depends on your folder location. The value of --ne-nesting depends on the number of files you will have in the future: in general you want fewer than 1024 files per folder, so you need 1024*16^n > total number of files, and --ne-nesting=2 is enough for 200,000 files.
If, after this encrypted sync, you lose everything except the files in ~/dst/, you'll need backup.key to cold decrypt all files. So be sure to keep backup.key in another place, preferably at another physical location.
You can put the above command into crontab if -v is removed. Also, syncing files you do not own might result in errors, and these may be hard to debug because rsyncrypto does not have very friendly error messages. In that case you can try to fix the file permission problem, or you can run the command as root.
If you want a parameter similar to --delete in rsync, the corresponding parameter in rsyncrypto is --delete-keys. The parameter --delete alone in rsyncrypto does not remove the filename mapping in ~/rr/map.
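A backup.key that does not match backup.crt, or that sits inside the backup destination, only shows up when a restore fails, so a pre-flight check is useful here. The script below is an added example, not part of the original post or of rsyncrypto; check_backup_key is a hypothetical helper name, the paths follow the post's ~/rr and ~/dst layout, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post or the rsyncrypto project).
# Pre-flight check for the key pair created in section A.
# check_backup_key is a hypothetical helper name; the paths in the usage
# line follow the post's layout (~/rr/backup.key, ~/rr/backup.crt, ~/dst).
# Return codes: 0 ok, 1 unreadable, 2 key/cert mismatch,
#               3 key stored under the destination, 4 key mode too open.
check_backup_key() {
    key=$1; crt=$2; dst=$3

    [ -r "$key" ] && [ -r "$crt" ] && [ -d "$dst" ] || {
        echo "cannot read key, certificate or destination" >&2; return 1; }

    # The sync in section A is given only backup.crt; cold decryption needs
    # the private key that yields exactly the public key in that certificate.
    from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ] || {
        echo "backup.key does not match backup.crt" >&2; return 2; }

    # The private key must not sit inside the backup destination.
    keydir=$(cd "$(dirname "$key")" && pwd -P) || return 1
    dstdir=$(cd "$dst" && pwd -P) || return 1
    case "$keydir/" in
        "$dstdir"/*) echo "private key is stored under $dstdir" >&2; return 3 ;;
    esac

    # -nodes leaves the key unencrypted on disk: allow owner access only.
    case $(ls -lLd "$key") in
        ????------*) ;;
        *) echo "private key is group/world accessible; chmod 600" >&2; return 4 ;;
    esac
    return 0
}

# Usage: sh check_key.sh ~/rr/backup.key ~/rr/backup.crt ~/dst
if [ "$#" -eq 3 ]; then
    check_backup_key "$@"
fi
```

Run it against the off-site copy of backup.key as well, since that copy is the one a cold decrypt will depend on.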
B. Decryption
Suppose you want to cold decrypt to folder ~/rec/. First you need to decrypt the filename mapping:
rsyncrypto -d ~/dst/filemap ~/rec/filemap \
    ~/rec/filemap-keys ~/rr/backup.key
The above command generates ~/rec/filemap, so then you can decrypt all files:
rsyncrypto --trim=3 -n ~/rec/filemap \
    -vrd ~/dst ~/rec/files ~/rec/keys ~/rr/backup.key
C. Windows sharing time precision
When you sync to or from a Windows share, you need a parameter similar to --modify-window=2 in rsync, but unfortunately rsyncrypto doesn't have one. You can change the source code instead: in file.cpp, search for st_mtime, and change
dststat.st_mtime!=status.st_mtime
to
abs(dststat.st_mtime-status.st_mtime)>2
There’s another similar line you need to change in the same file.
Tags: backup, encryption, howto, lang:en, rsync
This weblog is licensed under a Creative Commons License.