Jan Alphenaar wrote:

Ok, mystery solved. After the file is encrypted for the first time, my script deletes the key file. When the file is encrypted a second time, rsyncrypto creates a new key file, and also generates a completely new encrypted output file (that is why rsync is fully transferring the file again).

If the key file is not deleted, rsyncrypto delivers the same output file, so rsync can use the rsync algorithm.

This leaves me here with one question. Is it possible to have the same encrypted file without keeping the key file on my PC?

Thanks for the replies.

Rsyncrypto, while doing lots of stuff differently, is still modeled after the classic encryption method. This means that there is one asymmetric key to unlock all the files, but each file is encrypted with its own symmetric (or "session") key. This is done for security considerations, and cannot be turned off without some serious rethinking of the security of the process.

If you delete the session key, the only place it is kept is, encrypted, inside the encrypted file. In fact, it is this re-encryption of the session key that is the header that changes between encryptions. If you just run rsyncrypto again, a new session key will be generated, and, obviously, the file will look completely different.

All is not lost. If you have the RSA private key and the old encrypted file, you can use rsyncrypto to recover the previous session key. Simply perform a decryption, and the session key will be generated. Then use that same session key to encrypt again.

Of course, with the session key being 68 bytes and your encrypted file being 1GB, the simplest thing to do is just keep the session key around and not erase it.


Shachar Shemesh
Lingnu Open Source Consulting Ltd.
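The layout Shachar describes, as an added toy model (this is not rsyncrypto's code or its file format): a per-file session key wrapped under an RSA public key in the header with fresh random padding, a body derived deterministically from that session key alone, and recovery of the old key by decrypting the header with the private key. The RSA key is a tiny textbook key and the keystream is a SHA-256 counter; both are assumed stand-ins for illustration only.

```python
import hashlib
import secrets

# Toy RSA parameters (tiny primes p=61, q=53; demonstration only).
RSA_N = 61 * 53                      # 3233
RSA_E = 17
RSA_D = pow(RSA_E, -1, 60 * 52)      # 2753, the private exponent
PAD_RANGE = RSA_N // 256             # random pad multiplier keeps message < n

def wrap_session_key(session_key):
    """Header: each key byte RSA-encrypted with fresh random padding, so the
    header differs on every run even when the same session key is reused."""
    return [pow(b + 256 * secrets.randbelow(PAD_RANGE), RSA_E, RSA_N)
            for b in session_key]

def recover_session_key(header):
    """What a decryption with the private key yields: the old session key."""
    return bytes(pow(c, RSA_D, RSA_N) % 256 for c in header)

def keystream(session_key, length):
    """Deterministic CTR-style keystream derived only from the session key."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(session_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_file(plaintext, session_key=None):
    """Return (header, body). With no key file supplied a fresh session key is
    drawn, which is why the body then changes completely between runs."""
    if session_key is None:
        session_key = secrets.token_bytes(16)   # fresh key, like a new key file
    ks = keystream(session_key, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, ks))
    return wrap_session_key(session_key), body

def decrypt_file(header, body):
    """Unwrap the session key from the header, then strip the keystream."""
    key = recover_session_key(header)
    return bytes(c ^ k for c, k in zip(body, keystream(key, len(body))))

if __name__ == "__main__":
    plaintext = b"constructed sample file contents " * 4
    header1, body1 = encrypt_file(plaintext)            # first run, key file kept
    header2, body2 = encrypt_file(plaintext)            # key file deleted: new key
    old_key = recover_session_key(header1)              # decryption recovers it
    header3, body3 = encrypt_file(plaintext, old_key)   # re-encrypt with old key
    print(body1 == body2, body1 == body3, header1 == header3)   # False True False
```

Only the body is rsync-friendly: reusing the recovered session key reproduces it byte for byte, while the header is re-randomised on every run, which is the small changing part the text refers to.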