I have whole-disk encryption on my laptop, so I’ve been frustrated that my backups were going to an unencrypted disk that sits in a shared office. The chance of that disk wandering off is low, but still: I wanted encryption. My first strategy was to make an 11GB .img file with dd and losetup, but mounting and unmounting were a pain and there’s not an elegant way to grow the image if need be. Next I tried using ecryptfs, but I twice ended up with processes I couldn’t kill -9 as root. Not fun. Additionally, that approach only encrypts the contents of files. Your filenames and directory structure are still plain to see, which would be too much of a disclosure for some people.
I was glad I found this howto, then, since it accomplishes everything I need:
- userspace: no root/sudo needed after initial setup
- nested in existing filesystem & directory structure
- grows dynamically
- simple
So let’s walk through how this worked for me. My laptop is named kant, the machine I’m backing up to garp (both running Ubuntu), and my username in all this is cmp. Substitute to meet your needs. Let’s start by setting up on garp:
sudo apt-get install encfs fuse-utils
sudo modprobe fuse
sudo adduser cmp fuse
sudo sh -c "echo fuse >> /etc/modules"
So what we’ve done so far is install encfs and fuse, load the fuse module, add my user to the fuse group, and set things up so that fuse will be loaded automatically at boot time. You should now reboot your machine or the rest of this howto won’t work.
We’re going to make two directories. One will hold the encrypted filesystem and the data, and the other is the mount point. Since in my case I’m backing up kant, I’m going to call the mount point kant.
mkdir ~/encrypted
mkdir ~/kant
The first time we use encfs to mount our encrypted directory, it will walk us through the setup process. That looks like this:
cmp@garp:~$ encfs /home/cmp/encrypted /home/cmp/kant
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?>
Please note that I used full paths for the two directories because encfs isn’t happy otherwise. If you ignored my suggestion to reboot above, you’ll get a fuse error at the end of this setup process. Once you have picked your settings and passphrase, you’ll be dumped back at a prompt with your ~/encrypted mounted to ~/kant. You can now put things in ~/kant as you would any normal directory, but when you unmount they will be nice gobbledygook over in ~/encrypted. I made a cmp/ directory and did a bit of syncing by hand to see if stuff works. I was satisfied, so then I unmounted. Unmounting is done thusly:
fusermount -u /home/cmp/kant
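Since one of the complaints about ecryptfs above was that it leaves filenames and directory structure in the clear, it is worth checking that encfs really hides them before trusting the backing directory. The following is an added check, not part of the original howto: run it while ~/kant is mounted (before the fusermount step above). It walks the decrypted view and reports any entry name that also appears verbatim under ~/encrypted; with encfs the only cleartext name you should see there is its own .encfs6.xml metadata file. The two directory arguments and the function names are mine.

```sh
#!/bin/sh
# Added example: confirm that no plaintext file or directory name from the
# mounted view (e.g. /home/cmp/kant) shows up in the backing directory
# (e.g. /home/cmp/encrypted). Names, not contents, are what we compare here.

# Print every name found under PLAIN that also exists somewhere under CIPHER.
# Output is empty when filename encryption is doing its job.
leaked_names() {
    plain=$1
    cipher=$2
    # every basename in the decrypted tree, deduplicated
    find "$plain" -mindepth 1 -exec basename {} \; | sort -u |
    while read -r name; do
        # a plaintext name appearing anywhere in the cipher tree is a leak
        if find "$cipher" -name "$name" | grep -q .; then
            echo "$name"
        fi
    done
}

# Success (exit 0) when nothing leaks, failure otherwise.
check_names_hidden() {
    [ -z "$(leaked_names "$1" "$2")" ]
}

# Usage: name-check /home/cmp/kant /home/cmp/encrypted
if [ $# -eq 2 ]; then
    if check_names_hidden "$1" "$2"; then
        echo "ok: no plaintext names visible under $2"
    else
        echo "WARNING: these names from $1 are visible under $2:" >&2
        leaked_names "$1" "$2" >&2
        exit 1
    fi
fi
```

Directory names like docs/ count too, since encfs encrypts those as well; if the check ever lists one, the volume was created without filename encryption (one of the expert-mode options) and the backing directory leaks structure.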
Perusing ~/encrypted showed gobbledygook as expected. Huzzah! Now on to the backups. I decided I’m lazy enough that I made two one-line shell scripts to mount and unmount my backup directory. I put those in ~/bin on garp. Here is ‘backupmounter’:
#!/bin/bash
encfs /home/cmp/encrypted /home/cmp/kant
And then ‘unmountbackupdir’:
#!/bin/bash
fusermount -u /home/cmp/kant
Again, those are in ~/bin on garp. Now let’s head over to kant, where I put ‘backuptogarp’ in my ~/bin:
#!/bin/bash
# mount the encrypted directory
# note that we use -t to allocate a tty
# so that the password for the encfs directory won't echo
ssh -t cmp@garp.metalab.unc.edu /home/cmp/bin/backupmounter
# back up homedir
rsync -a --exclude="evil" \
--exclude="plots" \
/home/cmp/ cmp@garp.metalab.unc.edu:~/kant/cmp/
# unmount the encrypted directory
ssh cmp@garp.metalab.unc.edu /home/cmp/bin/unmountbackupdir
After saving backuptogarp to my ~/bin on kant, I can open a new shell and simply type ‘backuptogarp’. I get prompted for an encfs password and then the sync is off and running. Huzzah! Please note that I have an ssh key that gets me from kant to garp, and I have set up my gnome session to prompt me for my ssh key passphrase at login, so that the script above only prompts me for the encfs passphrase. If you don’t want to use ssh keys, my approach probably isn’t terribly convenient for you.
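One thing the three-line backuptogarp script above does not guard against: if the encfs mount on garp fails (wrong passphrase, fuse not loaded, whatever), rsync still runs and writes the plaintext straight into the bare /home/cmp/kant directory underneath the mount point, on exactly the unencrypted disk this whole exercise was meant to avoid. The script also leaves the decrypted view mounted on the shared-office machine if rsync dies partway. Here is an added, hardened version of the same script (mine, not the original howto's): it reads /proc/mounts on garp and refuses to sync unless /home/cmp/kant is a FUSE mount, and it unmounts on exit whatever rsync's outcome. Hosts, user, paths and the backupmounter/unmountbackupdir helpers are those from the post; that encfs shows up in /proc/mounts with a filesystem type starting with "fuse" (fuse.encfs on current FUSE, plain fuse on older ones) is an assumption.

```sh
#!/bin/sh
# backuptogarp, hardened (added example; same hosts and paths as the howto)

REMOTE="cmp@garp.metalab.unc.edu"
MOUNTPOINT="/home/cmp/kant"
MOUNTER="/home/cmp/bin/backupmounter"
UNMOUNTER="/home/cmp/bin/unmountbackupdir"
SRC="/home/cmp/"
DEST="$REMOTE:$MOUNTPOINT/cmp/"

# Success if MOUNTS (the text of /proc/mounts) lists DIR mounted with a FUSE
# filesystem. Assumption: encfs appears as type "fuse.encfs" (or "fuse" on
# older FUSE), so match anything starting with "fuse".
fuse_mounted_in() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        $2 == dir && $3 ~ /^fuse/ { found = 1 }
        END { exit !found }'
}

# Ask garp for its mount table and check the encfs volume really sits on
# MOUNTPOINT. Without this, a failed mount means rsync drops our plaintext
# into the bare directory under the mount point.
remote_fuse_mounted() {
    fuse_mounted_in "$(ssh "$REMOTE" cat /proc/mounts)" "$MOUNTPOINT"
}

unmount_remote() {
    ssh "$REMOTE" "$UNMOUNTER"
}

main() {
    # -t allocates a tty so the encfs passphrase prompt does not echo
    ssh -t "$REMOTE" "$MOUNTER"

    if ! remote_fuse_mounted; then
        echo "backuptogarp: $MOUNTPOINT is not a FUSE mount on $REMOTE; refusing to sync" >&2
        exit 1
    fi

    # From here on, unmount when the script exits, whatever rsync does,
    # so the decrypted view does not linger on the shared-office machine.
    trap unmount_remote EXIT

    rsync -a --exclude="evil" \
        --exclude="plots" \
        "$SRC" "$DEST"
}

# Run the backup only when executed as the backuptogarp command, not when
# this file is sourced for its functions.
case "$0" in
    *backuptogarp) main "$@" ;;
esac
```

Save it as ~/bin/backuptogarp on kant as before; the only visible difference in normal use is a one-line refusal instead of a silent plaintext copy when the mount did not happen.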