Backup strategy for eCryptfs


We have a small network with an Ubuntu server in the middle and Ubuntu notebooks around. The notebooks all use eCryptfs to encrypt the whole home directory of users. Usually, there are two or more users per notebook. The backup procedure stays inside the network, so we are fine with transferring the files unencrypted to the server. We'd like to go with an rsync-based solution, but are fine with others, too.

We ran into difficulties when trying to back up the home directories of the notebooks, which brought us major headaches. It boils down to this:

  1. If user A is logged in, the home directory is decrypted, and the encrypted files in /home/.ecryptfs/A are locked against reading from other processes (which is a good thing).

  2. If user B is not logged in, his home directory is not decrypted; there are only the encrypted files in /home/.ecryptfs/B.

  3. We need to have a backup script that can run while user A is logged in (because she starts it manually in our case) and user B may or may not be logged in (usually not).

Now the question is: What should we back up? If we go for the encrypted data, the stuff of user A cannot be backed up. Decrypted data, on the other hand, means that user B must be logged in, too. And mixing both leads to a fun time when it comes to restoring something.

Are there perhaps other solutions to this problem that we missed?

Best Answer

Are you sure that /home/.ecryptfs/A is locked for reading? I use ecryptfs, and while I'm logged in I can browse and read the files in /home/.ecryptfs/myusername/.Private. I just tried going into that directory (and sub-directories) and opening files (using vim -b) and I could read them fine. I'd certainly want them locked for writing, but I don't see why they'd be locked for reading. What OS version are you using? (I'm on Ubuntu Lucid 10.04.) Maybe ask a separate question about errors you're getting, because maybe something else is causing the problem.

To directly answer your question: back up the contents of /home/.ecryptfs/. This will back up (encrypted copies of) all the files for all users.

In addition you ought to be able to decrypt the files if necessary. So you should store the unwrapped passphrase somewhere secure, in case the user forgets their password, leaves ... To obtain it, have the user run

ecryptfs-unwrap-passphrase

while logged in, and store the result somewhere. It's small enough that you could write it down (double triple check it) and store it in a safe, or have two people keep half of it each or some such, depending how much security you require.

Otherwise you would need /home/.ecryptfs/*/.ecryptfs/wrapped-passphrase and the users' passwords.

You should also note that rsync won't be able to speed up file transfers when syncing encrypted data. Any change in the unencrypted file will completely change the encrypted file. And compression won't really work with encrypted data. This shouldn't be a big issue for your case, where the sync is across a LAN, but may be important for other people reading this question. Though rsync can still check if an encrypted file is unchanged, so it won't have to re-transfer unchanged files.

Readers of this question might also be interested in this guide to backing up by the maintainer of ecryptfs.
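
The approach from the answer above, as an added example that is not part of the original answer: a preflight check that each user's directory under /home/.ecryptfs contains both the encrypted data (.Private) and the wrapped-passphrase file before the tree is sent with rsync. The destination `backup@server:/srv/backup/ecryptfs/`, the `--run` switch and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: back up the encrypted eCryptfs trees for all users.
# ECRYPTFS_ROOT and BACKUP_DEST are assumptions; adjust them for your network.
ECRYPTFS_ROOT="${ECRYPTFS_ROOT:-/home/.ecryptfs}"
BACKUP_DEST="${BACKUP_DEST:-backup@server:/srv/backup/ecryptfs/}"  # hypothetical

# Print one user name per line for every user whose directory lacks the
# encrypted data (.Private) or a non-empty .ecryptfs/wrapped-passphrase.
# A backup of such a user could not be decrypted with the login password.
incomplete_users() {
    root="$1"
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        user=$(basename "$dir")
        if [ ! -d "$dir/.Private" ] || [ ! -s "$dir/.ecryptfs/wrapped-passphrase" ]; then
            printf '%s\n' "$user"
        fi
    done
}

# Copy the whole encrypted tree. Files stay encrypted in transit and on the
# server, so this works whether or not a user is logged in.
run_backup() {
    root="$1"
    dest="$2"
    missing=$(incomplete_users "$root")
    if [ -n "$missing" ]; then
        echo "warning: incomplete eCryptfs data for:" $missing >&2
    fi
    # -a          keep permissions, owners and timestamps
    # -H          keep hard links
    # --numeric-ids  keep uid/gid numbers even if names differ on the server
    # no -z: ciphertext does not compress, so compression only costs CPU
    rsync -aH --numeric-ids "$root"/ "$dest"
}

# Only transfer when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    run_backup "$ECRYPTFS_ROOT" "$BACKUP_DEST"
fi
```

The script must run as a user that can read every directory under /home/.ecryptfs, which normally means root.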