End-to-end encrypted file sharing (sync?) between Mac, iPhone & iPad on SFTP cloud storage?

I am trying to set up a file sharing through a cloud storage accessible via SFTP between Macs and iOS/iPadOS devices and want to encrypt my files for additional security.

Setting up SFTP file sharing is of course simple (through MountainDuck and Secure Shellfish, for example). But the encryption part is one where I just seem to be unable to find a convincing cross-platform app or solution. I initially thought my requirements were reasonably simple:

  • Can use SFTP and/or supports iOS Files integration (that’s the easy part)
  • No dependence on proprietary methods of access (such as creating an account)
  • End-to-end encryption of files, folders, or an encrypted image file
  • Trustworthy developer / development model (preferably open source, no anonymous US LLC)

But there always seems to be a catch somewhere:

  • Encrypted DMG images: hardly supported on iPhone/iPad, the few options to mount them on iOS seem rather bare-bones and cumbersome
  • Cryptomator: does not support SFTP storage
  • Boxcryptor: requires creation of an account, no thanks!
  • iCloud Drive, Dropbox: not end-to-end encrypted
  • VeraCrypt: No official iOS app
  • Disk Decipher: seems rather bare-bones, lack of app store reviews?

There are of course options for Macs, so iOS/iPadOS seems to be the limiting factor to the intended workflow. Does anyone have a good recommendation?

PS: I don’t even need to encrypt everything on the storage share/volume. Selectively encrypting sensitive files or folders would be good enough. For example, I’d be OK with using an encrypted zip (or 7z) file. It just should not be too cumbersome to use.

Have you looked at resilio?
I use it for Mac to NAS syncing, and it looks like they have an iOS client too (which I haven’t used).
I think it’s all E2E, the Mac NAS part is.

https://www.resilio.com/platforms/mobile/

Sounds like you want a VPS with OwnCloud on it - you control everything, it has encryption and supports SFTP.

Unless I’ve misunderstood the question…


SFTP is already encrypted end to end. I believe what you’re after is encrypted at rest? So it’s encrypted where you put it.

The best solution may be to buy some hosting for a VPS, and then create the Linux install on an encrypted drive (like FileVault would encrypt the drive). That way, once the VPS boots, all encryption is handled transparently. A Synology NAS would do the same, as you can encrypt the share - and then once you access the folder via SFTP, it’s encrypted on the drive, but the SFTP tools can access it (E2E encrypted with the transfers via SFTP and encrypted at rest by the Synology/server)

Resilio is mentioned, which can do encrypted at rest, but those files can only be accessed via the Resilio app, not SFTP.

Just to chime in: Owncloud itself doesn’t encrypt files on the server. The hoster potentially has full access.

With the also mentioned Synology solution you’d have the data in your hands at least.

I believe there’s an OwnCloud encryption option which does encrypt the files on the server and if you are your own admin then no one else will have access, including the host.

The hoster’s admins can at any point get access. In most countries this possibility is even demanded by law. The easiest way would be to mount the virtual disk of your share to another device.
I haven’t seen a hoster’s license agreement that excluded this contractually.

But you are right, the newer OwnCloud versions seem to offer server-side encryption of files. Yet the question is whether a VPS is performant enough to do so.

They wouldn’t get access to the unencrypted file was my point.

Just this weekend I used Resilio heavily. I like it because it’s “snappy” (as opposed to iCloud, due to the direct syncing and no server infrastructure).


I started using Odrive as an alternative to the Google Drive apps on my M1 Mac while Google didn’t support them. While I have not used Odrive for this, it looks like you can select SFTP as a syncing destination. Odrive also has encryption that you can set up. Maybe worth a try, as I think there is a free trial.

Another is CloudMounter. It lets you mount cloud servers, such as SFTP, as a network drive on your Mac. It will also encrypt. I’m not sure how this would solve your iPhone requirement, though.

CloudMounter is also on Setapp:

Well, I’m considering my devices the respective “end points”. Encryption should only be possible on-device, not on the cloud storage.

It is going to be hosted on a VPS.

I still have to enter the encryption to unlock the volume used for full disk encryption.

Back to the original question:

  • Resilio: No SFTP
  • Odrive seems to be a subscription service
  • CloudMounter doesn’t seem to have an iOS app (yet)

I am going to look into them nonetheless.

Not quite. SFTP encrypts the tunnel between your machine and the one you are connected to, much like HTTPS. It does not encrypt the files themselves. True end-to-end encryption means the files are encrypted on your machine and can only be unencrypted on the machine you are syncing to, ideally with another layer of encryption for the transfer, and another for on-disk storage on the intermediary server.

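The workflow this reply describes, encrypting the file on your own machine so that SFTP only ever carries and the VPS only ever stores ciphertext, as an added shell example (not from the thread or from any of the apps named in it). It assumes openssl and sftp are installed on the Mac, the passphrase is supplied in the E2E_PASS environment variable, and the remote target is given as a constructed user@host:dir.

```shell
#!/bin/sh
# Client-side ("on-device") encryption before an SFTP upload. SFTP protects the
# transfer; this protects the file itself, so the server holds only ciphertext.
# Assumptions (not from the thread): openssl and sftp are installed, the
# passphrase is in the E2E_PASS environment variable, and the target is
# supplied as user@host:dir.
# Caveat: openssl enc gives confidentiality only, no integrity check, so a
# tampered file is not detected; a tool with authenticated encryption (e.g.
# age) is preferable when the server is not trusted.
set -eu

ITER=200000   # PBKDF2 iterations for passphrase -> key derivation

# Encrypt $1 into $2 with AES-256-CBC; key derived from E2E_PASS via PBKDF2.
encrypt_for_upload() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" \
        -pass env:E2E_PASS -in "$1" -out "$2"
}

# Reverse of encrypt_for_upload; a wrong passphrase normally makes openssl
# report "bad decrypt" and exit non-zero.
decrypt_after_download() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -pass env:E2E_PASS -in "$1" -out "$2"
}

# Return 0 only if the ciphertext $1 carries the openssl "Salted__" header and
# no longer contains the plaintext marker string $2 (a quick sanity check that
# what is about to be uploaded is not readable by the hoster).
ciphertext_looks_opaque() {
    [ "$(head -c 8 "$1")" = "Salted__" ] && ! grep -q -- "$2" "$1"
}

# Upload the encrypted copy $1 only; the plaintext never leaves the device.
# An sftp batch is used so the same step works from a launchd/cron job.
upload_encrypted() {
    host="${2%%:*}"; dir="${2#*:}"
    printf 'put %s %s/\n' "$1" "$dir" | sftp -b - "$host"
}

main() {
    f="${1:?plaintext file}"; remote="${2:?user@host:dir}"
    encrypt_for_upload "$f" "$f.enc"
    ciphertext_looks_opaque "$f.enc" "$(head -c 16 "$f")"
    upload_encrypted "$f.enc" "$remote"
    rm -f "$f.enc"
}

# Only run the upload path when invoked directly with arguments.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

On the receiving device the same passphrase and decrypt_after_download recover the file; the hoster sees neither the passphrase nor the plaintext.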

I’m syncing sensitive data, in encrypted .sparsebundles to a standard GDrive account every night. ChronoSync has a wizard that will set up the entire procedure. And since I’m using .sparsebundles only those bands that have changed since the last sync are transmitted. So the performance is very good. But, of course, it won’t work with my iPad.

It appears the key to this is finding an IOS solution first. Everything else is pretty routine.


Disk Decipher