Understanding the Sync Encrypted Folder

For Resilio Sync 2.3 we’re releasing a new type of folder: the Encrypted Folder. The Encrypted Folder extends the existing standard folder by letting you add peers that hold the folder's data encrypted at rest. An encrypted peer can exchange data with both read-only and read-write peers, sending updates to them and receiving updates from them.

After you install Resilio Sync 2.3 (formerly BitTorrent Sync) you will see an additional folder type called “Encrypted Folder”. When you choose this option, you will be able to have an encrypted node as a part of the mesh of peers.


The Encrypted Folder is an extension of the standard folder. When you create one, you get three keys:

Read-Write key. The Read-Write key lets a peer talk with Read-Write, Read-Only and Encrypted peers and modify files in the folder. Read-Write keys start with D.
Read-Only key. The Read-Only key lets a peer talk with Read-Write, Read-Only and Encrypted peers and receive file updates for the folder and decrypt them, but not modify files. Read-Only keys that support encrypted folders start with E.
Encrypted key. The Encrypted key lets a peer talk with Read-Write, Read-Only and Encrypted peers and receive updates for the folder without being able to decrypt or modify them. Encrypted keys start with F.


When data moves between peers, clear-text (RW and RO) peers encrypt it with the Storage Key before sending it to an Encrypted peer. Independently of that, data is always encrypted in transit with a Session Key, whatever the types of the two peers involved.

With the introduction of the Encrypted Folder, peers can communicate in two ways:

When two peers that can decrypt data (RW and RO peers) talk with each other, they establish an AES-128 encrypted channel keyed by a Session Key and send data through it. Data is encrypted only for transit: the receiving peer decrypts it and stores it in the clear.

When an Encrypted peer talks with a clear-text (RO or RW) peer, the two again establish an AES-128 channel keyed by a Session Key, but the clear-text peer additionally encrypts the data with an AES-128 Storage Key before transmission. During transmission the data is therefore encrypted twice, under both the Session Key and the Storage Key. When the Encrypted peer strips the session layer, what remains is still AES-128 ciphertext under the Storage Key, and that is what it writes to disk. Because an Encrypted peer is never given the Storage Key, it can store and forward that ciphertext but cannot read it; only a peer holding a Read-Write or Read-Only key can remove the storage layer.

An example use case for the Encrypted Folder is using Sync to share cuts of a promotional video with a client. You create a folder with the edited cuts on two machines, A and B, using the Read-Write key, so you can edit on either machine and have the folder sync automatically. You give the Encrypted key to a third-party cloud provider or to a NAS at another location, so that machine receives an encrypted copy of all the videos; it serves as an offsite backup and keeps the files available even when your own machines are offline. Finally, you give the Read-Only key to your client so they can view the videos but not modify or delete them.
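The following program is an added example, not Resilio Sync's own code, that models the two transfer modes described above and runs them through the video use case (a Read-Write machine A, an Encrypted NAS, and a Read-Only client). It assumes AES-128-GCM as the concrete mode (the post only says "AES-128"), random nonces prepended to each ciphertext, and a pre-shared Session Key for the channel; the peer names, file name and file contents are constructed for the demonstration. The point it makes that the prose cannot is checkable: after a transfer, the NAS holds bytes it cannot decrypt, a Read-Only peer recovers the plaintext from the NAS without the NAS ever seeing it, and a peer with the wrong Storage Key is rejected rather than handed garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Role of a peer in the folder mesh, using the post's terminology.
type Role int

const (
	ReadWrite Role = iota
	ReadOnly
	Encrypted
)

// Peer is one member of the mesh. Only clear-text peers (RW and RO) hold the
// Storage Key; an Encrypted peer never receives it and so cannot decrypt.
type Peer struct {
	Name       string
	Role       Role
	StorageKey []byte            // nil for Encrypted peers
	Store      map[string][]byte // bytes the peer keeps on disk, per file name
}

func NewPeer(name string, role Role, storageKey []byte) *Peer {
	return &Peer{Name: name, Role: role, StorageKey: storageKey, Store: map[string][]byte{}}
}

// seal encrypts with AES-128-GCM (assumed mode) and prefixes the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. A wrong key, a tampered blob or a truncated blob all fail.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Transfer moves one file from src to dst over a channel keyed by sessionKey.
// The session layer is always applied. The storage layer is added by a
// clear-text sender when the receiver is Encrypted, forwarded unchanged by an
// Encrypted sender, and stripped by a clear-text receiver.
func Transfer(src, dst *Peer, name string, sessionKey []byte) error {
	payload, ok := src.Store[name]
	if !ok {
		return fmt.Errorf("%s does not have %q", src.Name, name)
	}
	var err error
	if src.Role != Encrypted && dst.Role == Encrypted {
		if payload, err = seal(src.StorageKey, payload); err != nil {
			return err
		}
	}
	wire, err := seal(sessionKey, payload) // the bytes that cross the network
	if err != nil {
		return err
	}
	received, err := open(sessionKey, wire) // receiver strips the session layer
	if err != nil {
		return err
	}
	if src.Role == Encrypted && dst.Role != Encrypted {
		if received, err = open(dst.StorageKey, received); err != nil {
			return err // wrong Storage Key: GCM authentication fails, nothing stored
		}
	}
	dst.Store[name] = received
	return nil
}

// Plaintext returns what a peer can read of a file. Clear-text peers store the
// file itself; an Encrypted peer holds only Storage-Key ciphertext and no key.
func Plaintext(p *Peer, name string) ([]byte, error) {
	data, ok := p.Store[name]
	if !ok {
		return nil, fmt.Errorf("%s does not have %q", p.Name, name)
	}
	if p.Role == Encrypted {
		return nil, errors.New("encrypted peer holds no Storage Key")
	}
	return data, nil
}

func main() {
	storageKey, sessionKey := make([]byte, 16), make([]byte, 16)
	rand.Read(storageKey)
	rand.Read(sessionKey)
	a := NewPeer("A", ReadWrite, storageKey)
	nas := NewPeer("NAS", Encrypted, nil)
	client := NewPeer("client", ReadOnly, storageKey)
	a.Store["cut1.mp4"] = []byte("constructed sample video bytes") // constructed input
	if err := Transfer(a, nas, "cut1.mp4", sessionKey); err != nil {
		panic(err)
	}
	if err := Transfer(nas, client, "cut1.mp4", sessionKey); err != nil {
		panic(err)
	}
	fmt.Printf("NAS stores plaintext? %v\n", bytes.Contains(nas.Store["cut1.mp4"], []byte("video")))
	pt, _ := Plaintext(client, "cut1.mp4")
	fmt.Printf("client reads: %s\n", pt)
}
```

In the real product the Session Key comes from the peer handshake and the Storage Key is derived from the folder's keys rather than passed around as a byte slice; this model fixes both to constants so that the layering itself is visible. Note that the session layer alone is what protects an RW-to-RO transfer, so the "encrypted at rest" property exists only on the peers you give the Encrypted key to.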