What is the best way to synchronize files off a "hostile" network?

Hey folks, I wonder if you have thoughts for me here. First off, some background: I consider my work environment to be “hostile”:

  • Microsoft Windows 7/10/11, in varying states of updates (or lack thereof). Not even sure if all copies are even legitimate :thinking:
  • IT doesn’t literally care and only does the barest of minimum effort
  • Network is on a flat topology and everyone can see everything.
  • IT doesn’t do any monitoring or any sort of administration. It’s the Wild West/Fury Road out there.
  • I should probably talk to a higher-up about improving security. We don’t have a budget for that, probably. And IT only knows Windows and Microsoft so Linux is probably out of their line of expertise.

I installed Fedora on a machine that no one was using (contractor abandoned support) in my department and IT just shrugs and moves on.

With that said, what is the best way to synchronize files off these?

  • Best scenario I have in mind is to use Google Drive + Cryptomator and sync my machine to the Google account used: I offload the actual securing of the network connection and let Google handle it. I may lose anonymity and maybe some privacy through this method but I find it acceptable enough. I am also thinking of substituting Google Drive with Backblaze B2.

  • I use a fully encrypted USB drive - I am already using a VeraCrypt-protected vault inside the Fedora install and I could either copy-paste files into it (minimizing wear) or sync the whole vault itself (very bad, will accelerate NAND flash degradation in my USB). This is very manual and tedious and I am actively trying to avoid this because we supposedly have the tech to avoid manual sync.

  • Use Syncthing directly + VPN in my home network: TLS within Syncthing should be enough to secure me and the VPN should give me some anonymity and privacy but I don’t know and can’t realistically check if malicious actors are already inside the work environment and may want to probe into my home network and I can’t really defend myself from that kind of threat. I have pfSense with a basic setup that I keep updated and I don’t really know if that is enough.

I don’t have network intrusion detection/prevention system installed and I don’t have the time to learn right now. I want to learn them in the future, though.

1 Like

Not sure if you could really go wrong with any of these options. And if you use a full tunnel VPN, and have a firewall on your Fedora machine blocking all incoming connections, the network you’re connected to should be pretty much irrelevant.

2 Likes
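A pre-sync check for the setup suggested in the reply above (full-tunnel VPN plus a host firewall that blocks inbound connections); this is an added example, not code from anyone in the thread. The interface name `wg0`, the probe address and the sample route lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to sync unless traffic leaves via the VPN and
# firewalld's default zone refuses unsolicited inbound connections.
VPN_IF="${VPN_IF:-wg0}"      # assumed VPN interface name; set to your own
PROBE="${PROBE:-1.1.1.1}"    # any public address, used only for a route lookup

# Constructed samples of `ip route get` output (not captured from a real host).
SAMPLE_VPN='1.1.1.1 dev wg0 table 51820 src 10.8.0.2 uid 1000'
SAMPLE_LAN='1.1.1.1 via 192.168.1.1 dev enp3s0 src 192.168.1.50 uid 1000'

# Print the egress interface named in `ip route get <addr>` output.
# Asking the kernel for the actual route (rather than reading the default
# route) also covers VPNs that use policy routing or 0.0.0.0/1 overrides.
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# firewalld's predefined "drop" and "block" zones refuse unsolicited inbound traffic.
zone_blocks_inbound() {
    case "$1" in
        drop|block) return 0 ;;
        *) return 1 ;;
    esac
}

# check_posture ROUTE_GET_OUTPUT ZONE -> 0 when both checks pass, 1 otherwise.
check_posture() {
    rc=0
    dev=$(route_dev "$1")
    if [ "$dev" != "$VPN_IF" ]; then
        echo "FAIL: traffic to $PROBE leaves via '${dev:-none}', not $VPN_IF" >&2
        rc=1
    fi
    if ! zone_blocks_inbound "$2"; then
        echo "FAIL: firewalld default zone '$2' may accept inbound connections" >&2
        rc=1
    fi
    return "$rc"
}

# Live use: ./presync-check.sh --live && <your sync command>
# Interfaces bound to a non-default zone need checking separately
# (see `firewall-cmd --get-active-zones`).
if [ "${1:-}" = "--live" ]; then
    check_posture "$(ip route get "$PROBE")" "$(firewall-cmd --get-default-zone)"
    exit $?
fi
```

Chaining the sync command after `--live` with `&&` means a dropped tunnel or a permissive zone stops the sync instead of letting it run over the office LAN.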

I have yet to put a firewall on the work Fedora computer. I think I will do it next time I am at work. Thank you for reminding me about this!

I would use a Storj + Rclone (through native integration) + watchexec combo for sync. This way, without Cryptomator in the way, you would also get easy sharing through a web interface. There’s no reason to stick with any centralized cloud storage instead of decentralized options that are more transparent with everyone’s data.

For example, you can see exactly how many nodes are online, what’s the capacity of the network, what is the network utilization, or even where your data is stored, etc.

1 Like

I think I’ve heard of Storj through a TrueNAS app. IIRC it is a self-hostable storage service where you can host a storage node for other people and it will pay you if your uptime is excellent. I’m going to have to look at this again. Thank you for reminding me of this.

1 Like