Cloud Sync & Backup

End-to-End Encrypted synchronization architecture

Netcatty's Cloud Sync is designed for the paranoid user. We assume that Cloud Providers are Untrusted. Whether you sync to a private GitHub Gist or a Google Drive folder, we treat that storage as a public bulletin board.

The Encryption Architecture

Before any byte of data leaves your device, it goes through a rigorous encryption pipeline.

1. The Master Key

Your sync security relies entirely on your Master Password.

  • Derivation: We use PBKDF2-HMAC-SHA256 with 600,000 iterations and a random 32-byte Salt.
  • Result: This produces a 256-bit Symmetric Key (The Master Key).
  • Storage: This key is kept in RAM only while the app is open. It is discarded when you lock the app or quit.

2. The Payload

When you trigger a sync (or auto-sync triggers), Netcatty:

  1. Serializes your Vault (Hosts, Identities, Snippets, Rules, Known Hosts, and Settings).
  2. Encrypts the JSON blob using AES-256-GCM (Galois/Counter Mode) with the Master Key.
  3. Attaches the authentication tag (for integrity check).

3. The Transport

Only this opaque, encrypted binary blob is uploaded to the provider.

  • GitHub Gist: Uploaded as a file named netcatty-vault.json within a secret Gist.
  • Drive/S3/WebDAV: Uploaded as a binary file.

Zero Knowledge

If a hacker breaches your Google Drive, or if GitHub employees scan your Gists, they only see random noise. Without your Master Password, the data is mathematically indistinguishable from garbage.

Provider Setup Deep Dive

Uses a secret Gist as the storage backend.

  1. Generate a Personal Access Token (Classic) on GitHub.
  2. Scopes: Select only gist. No other scopes are needed.
  3. Paste the token into Netcatty.
  4. Netcatty will search for an existing netcatty.sync gist or create a new one.

S3 Compatible Storage (AWS / MinIO / R2)

Perfect for self-hosters.

  • Endpoint: The full URL (e.g., https://s3.us-east-1.amazonaws.com or https://play.min.io).
  • Region: Your bucket region.
  • Access Key / Secret Key: Your IAM credentials.
  • Bucket Name: The target bucket.

WebDAV (Nextcloud / ownCloud)

  • URL: The full WebDAV endpoint (e.g., https://cloud.myserver.com/remote.php/dav/files/user/).
  • Username / Password: Your Basic Auth credentials.

Synchronization Logic

Netcatty uses a "Last-Write-Wins" strategy with timestamp awareness.

  • Downloading: When you open Netcatty, it checks the cloud file's "Last Modified" timestamp. If the cloud is newer than local, it downloads and prompts to merge.
  • Uploading: When you save a change, it uploads a new version.

Conflict Resolution

If you edit Host A on your Laptop (offline) and Host B on your Desktop (online), and then connect the Laptop:

  1. Netcatty detects a "Divergence".
  2. It decrypts the Cloud version in memory.
  3. It compares the JSON trees.
  4. It merges non-conflicting changes (Host A and Host B are both kept).
  5. If Host A was edited in both places, the version with the latest local timestamp wins.

Disaster Recovery

Scenario: You lost your laptop.

  1. Install Netcatty on a new machine.
  2. Go to Settings > Sync.
  3. Select your Provider and authenticate.
  4. Netcatty will say "Found existing sync data".
  5. Critial Step: Enter your Master Password.
    • Note: Netcatty does not know if this is correct yet. It attempts to decrypt the blob.
    • Success: Your Vault appears instantly.
    • Failure: "Decryption Failed". You must try again.

Master Password Recovery

There is no "Email Reset". If you lose the Master Password, the encrypted blob in the cloud is useless. Your data is gone.

Port Forwarding (Tunnels)

Mathematical and architectural guide to SSH Tunnels

Snippets (Automation)

Scripting and variable interpolation engine

On this page

The Encryption Architecture1. The Master Key2. The Payload3. The TransportProvider Setup Deep DiveGitHub Gist (Recommended for Devs)S3 Compatible Storage (AWS / MinIO / R2)WebDAV (Nextcloud / ownCloud)Synchronization LogicConflict ResolutionDisaster Recovery