I have the following situation:
- I have several vaults up to 1TB stored on an NTFS disk (for journaling and cross-platform support)
- The NTFS disk is currently mounted on a Mac Mini M1 using Paragon NTFS for Mac.
- Each vault is mounted on a custom mount point using FUSE-T.
- Perhaps irrelevant, but I have Docker Desktop running, which accesses some of those same mount points as a volume defined in Docker Compose. It can read and write to that mount point, and Cryptomator on the host will pick up the encryption.
- I have Syncthing running on the host and I am planning to hot-sync the vaults over my network to another disk. As in, copy all encrypted Cryptomator vault files over Syncthing using a Send-Only (primary) and a Receive-Only (secondary) folder to avoid back-sync issues.
- The data isn't critical, and even minimal (< 1%) data loss is acceptable.
The data isn't worth much, so it doesn't justify expensive or overly complicated RAID setups, hence the simple setup of two big external USB disks on different machines. I have an additional one in cold storage anyway.
My hope is that I can simply sync all encrypted vault files and, in case the primary disk dies due to hardware failure, simply mount the synced vault from the second disk, promote that one to become primary and sync again. Is this a terrible idea, and if so, why? What is the worst that could happen? Is the worst case a scenario I can simply recover from with minimal data loss? Is directory metadata stateless, Cryptomator-wise? I'm not speaking about both disks failing; that risk is clear. I am also not trying to protect against ransomware scenarios here; that sync risk is also clear. I simply want to keep a sync of the encrypted vault, preferably without unmounting the vault when doing so.
A reason why I do not want to sync the decrypted contents is that I would then need to re-encrypt it again on the secondary machine. I really want my disks and encryption to be cross-platform compatible and to have a journaling filesystem, so I am stuck with NTFS for now, and I use Cryptomator because I would rather sync individual encrypted files than, for example, one huge VeraCrypt-like container.
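One check a practitioner would want before promoting the Receive-Only copy is to compare the two vault copies at the encrypted layer, without unlocking either: hash every file under both roots and report what is missing, stale or differently sized on the secondary. The script below is an added example, not code from the original post, from Cryptomator or from Syncthing. It assumes nothing about the vault format beyond "a directory tree of opaque files"; the file names in the constructed sample (`vault.cryptomator`, `masterkey.cryptomator`, `d/…/*.c9r`) only mimic the layout of a vault directory, and their contents are dummy bytes.

```python
"""Compare two copies of an encrypted vault directory tree (example, not part
of the original post or of Cryptomator). Works on the ciphertext, so neither
copy needs to be unlocked or unmounted while you check the sync state."""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path, chunk: int = 1 << 20) -> str:
    """SHA-256 of one file, read in chunks so 1 TB vaults don't need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def vault_manifest(root: Path) -> dict[str, tuple[int, str]]:
    """Map relative POSIX path -> (size, sha256) for every regular file under root."""
    manifest: dict[str, tuple[int, str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = (p.stat().st_size, file_digest(p))
    return manifest


def compare_vaults(primary: Path, secondary: Path) -> dict[str, list[str]]:
    """Three buckets: not yet synced, left over on the receiver, and corrupt/partial."""
    a, b = vault_manifest(primary), vault_manifest(secondary)
    return {
        "missing_on_secondary": sorted(set(a) - set(b)),
        "extra_on_secondary": sorted(set(b) - set(a)),
        "content_differs": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
    }


def safe_to_promote(report: dict[str, list[str]]) -> bool:
    """Extra files on the secondary are harmless leftovers; missing or
    partially written ciphertext is not, so only those two buckets block promotion."""
    return not report["missing_on_secondary"] and not report["content_differs"]


def write_tree(root: Path, files: dict[str, bytes]) -> None:
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Constructed sample: a primary and a half-synced secondary in a temp dir."""
    base = Path(tempfile.mkdtemp(prefix="vault-compare-"))
    primary = {
        "vault.cryptomator": b"{constructed vault config}",
        "masterkey.cryptomator": b"{constructed wrapped master key}",
        "d/AB/XYZ/abc.c9r": b"ciphertext-1",
        "d/AB/XYZ/def.c9r": b"ciphertext-2",
        "d/CD/UVW/ghi.c9r": b"ciphertext-3",
    }
    secondary = dict(primary)
    del secondary["d/AB/XYZ/def.c9r"]               # not yet transferred
    secondary["d/CD/UVW/ghi.c9r"] = b"ciphertext-"   # transfer cut short
    secondary["d/EF/RST/stale.c9r"] = b"old"         # deleted on primary, still on receiver
    write_tree(base / "primary", primary)
    write_tree(base / "secondary", secondary)
    return compare_vaults(base / "primary", base / "secondary")


if __name__ == "__main__":
    r = demo()
    for bucket, paths in r.items():
        print(f"{bucket}: {paths}")
    print("safe to promote:", safe_to_promote(r))
```

Run it against the Send-Only and Receive-Only folder roots instead of the constructed sample to see exactly which ciphertext files a hot sync has not finished copying. Files that are open for writing on the primary while the vault is mounted will naturally show up under `content_differs` until Syncthing catches up, which is the expected price of syncing without unmounting.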