How to encrypt rsync communication? (rsyncd + stunnel, vs rsync over SSH, etc)

4

1

I don't know much about the specifics of rsync, SSH, stunnel, etc, but I'm looking for a way to make rsync backups, but the transfer of data over the network must be encrypted (the credentials, and the data itself). It looks like I have 2 options (do I have more?):

  1. rsyncd + stunnel: Run an rsync daemon on the remote machine, and set up stunnel to encrypt the communication between them (where stunnel is necessary because rsyncd by itself has no encryption)
  2. rsync over SSH: Just use the regular rsync command and set SSH as the remote shell, to encrypt communication.

What are the pros and cons of each of these approaches from the perspectives of security, speed, efficiency, ease of administration, etc?

user779159

Posted 2013-06-17T21:52:59.253

Reputation: 249

Generally speaking: 1. It is more difficult to administrate more things, as well as providing more things to break and/or a larger attack area; also 2. Encryption strength vs speed will be inversely related. – Keith Reynolds – 2016-09-27T22:33:51.097

Answers

3

I think this will end up being a personal preference answer, but I prefer the rsync+ssh solution because

  1. ssh is always installed these days, but stunnel isn't always available.
  2. I don't have to manage yet another service (I'm already managing sshd)
  3. all of my troubleshooting happens in one terminal window if I need it (-vvv on ssh)

An example command: rsync -av -e ssh user@host:/remote/dir /this/dir/

Finally, you do have at least one more option: a VPN. After you set it up once, it has the benefit of being transparent while you use plain old rsync and any other machine-to-machine communication you care to perform. I first considered this a problem if one of the machines is hacked, but it's not any different from using ssh/stunnel in that regard.

webmarc

Posted 2013-06-17T21:52:59.253

Reputation: 831

One may even consider CPU offloading the encryption by running the encryption layer on another host, when transferring between networks and encryption on the local networks is not a concern. – Keith Reynolds – 2016-09-27T22:23:35.193
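The rsyncd + stunnel option from the question, written out as an added example (not from the question or either answer): the server binds rsyncd to loopback behind a mutually authenticated stunnel, so nothing reaches rsyncd unencrypted from the network, and the client reaches it through a local stunnel listener. The host name backup.example.com, the ports, the file paths and the backupuser account are assumptions.

```shell
#!/bin/sh
# Added example; all paths, names and ports are assumptions, not from the page.
# Server side: rsyncd listens on 127.0.0.1 only; stunnel terminates TLS on 8873
# and forwards to it. verifyChain + CAfile makes stunnel demand a client cert,
# so only holders of a CA-issued client cert can even talk to rsyncd.
write_server_configs() {  # $1 = output directory
  cat >"$1/rsyncd.conf" <<'EOF'
address = 127.0.0.1
port = 873
use chroot = yes
[backup]
    path = /srv/backup
    read only = yes
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 127.0.0.1
EOF
  cat >"$1/stunnel-server.conf" <<'EOF'
cert = /etc/stunnel/server.pem
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
[rsync]
accept = 8873
connect = 127.0.0.1:873
EOF
}
# Client side: stunnel listens on loopback 8874, opens TLS to the server and
# checks the server certificate name; rsync itself only ever talks to localhost.
write_client_config() {  # $1 = output directory
  cat >"$1/stunnel-client.conf" <<'EOF'
client = yes
cert = /etc/stunnel/client.pem
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
checkHost = backup.example.com
[rsync]
accept = 127.0.0.1:8874
connect = backup.example.com:8873
EOF
}
# The transfer, pointed at the local stunnel endpoint. rsync refuses a
# --password-file that is readable by others, so keep it mode 0600.
rsync_via_stunnel() {  # $1 = local destination directory
  printf '%s\n' "rsync -av --port 8874 --password-file /etc/rsync.pass rsync://backupuser@127.0.0.1/backup/ $1"
}
# Usage: ./this.sh /etc/out  writes the three files and prints the rsync command.
if [ -n "${1:-}" ]; then write_server_configs "$1"; write_client_config "$1"; rsync_via_stunnel /this/dir/; fi
```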