Java Eclipse Linux Operating Systems Web Technology Software Software Engineering Computing Societies
Portable computers such as laptops and netbooks have become very popular in recent years. Increasingly laptops have become people's primary computers. The convenience and portability of laptops also make them vulnerable to being lost or stolen. Valuable, personal information is often stored on these devices. Ensuring that this information is properly protected and recoverable even in the case of loss or theft is thus very important.
This article provides a step by step guide on how you can use ecryptfs to encrypt your data to prevent unauthorized access, and rsync to backup your data, making it recoverable even in the case of loss or damage of the laptop.
ecryptfs is a "POSIX-compliant enterprise cryptographic stacked filesystem for Linux". (See ecryptfs about page for more details on its history.) It is chosen by Canonical as the default encryption technology for home directories Ubuntu, and Google for Chrome OS, and has become widely used in the Linux community.
ecryptfs is a file system rather than block level encryption technology. There is no need to predetermine the size of the encrypted partition. It allows different sections of the drive to be encrypted with different passphrases, and protected independent from each other. It also makes it easy to make incremental, encrypted backups, as we shall see later. One downside is that ecryptfs is not as performant as some competing technologies. (See the LinuxUser article and the ecryptfs FAQ for a comparison with various other ecryption technologies)
ecryptfs offers considerable flexibility in determining which directories should be encrypted. This article focuses on encrypting the entire home directory. Other options, such as encrypting a Private directory, are also possible.
Ubuntu's installer makes it very easy to set up a user whose home
directory is encrypted. All you need to do is to check the
Encrypt Home Directory
check box. A passphrase for encrypting the home directory is
automatically chosen, and once it is set up, the home directory would
be mounted automatically on login, making the decrypted information
available to the user transparently.
If you forgot to set up encrypting during installation, you can use the
ecryptfs-migrate-home command to set up encryption. See How
to Encrypt Your Home Folder After Installing Ubuntu for more
details. You can also add additional users with encrypted home directory with the following command
sudo adduser --encrypt-home [user_name]
The first time you log on as the user with an encrypted home directory,
Ubuntu will prompt you to Record your encryption passphrase. This is
important if anything goes wrong and you need to recover the data. This
is also useful for mounting backups, as we'll describe later. Click on
Run this action now
, supply the password of the account as the passphrase, and write down
the encryption passphrase in a safe place for future use.
The home directory would be mounted automatically when the user logs on. While the home directory is mounted, its contents are available in decrypted form on the machine, protected from other users only by the Unix file permissions system. This is probably not a big deal, but if your data is especially sensitive you might want to consider logging out when you're not actively accessing the data.
One other note is that, if you want to be able to ssh into your account without staying logged on, you might need to do some additional set up. See SSH key authentication with encrypted home directories for more details.
This section contains some more details that could be helpful in understanding how ecryptfs works, as well as how an encrypted backup can be done. If you are interested only in practical advice, feel free to skip ahead.
For users whose home directories were encrypted using ecryptfs, the
actual data in the home directory is not stored in the normal location
). Instead, they are stored in an encrypted form, under the
is just a mount point for the decrypted data.
There is an additional directory
that is used to stored a few metadata items about the encryption,
including the mount point location, the wrapped passphrase (wrapped
using the user's password), and the mount signatures. For more details,
see the man
The important thing to note is that the ecryptfs passphrase is key to providing access to the encrypted directory. It is important to have it be available when needed during recovery. It is also important that unauthorized access is not given to the passphrase. Depending on the strength of the password, the wrapped passphrase file could be a point of weakness in the security chain. So treat it with care.
On mounting the eryptfs directory, the
directories are available as a symbolic link of the same name in the
Encrypted data is more sensitive to data corruption than normal files. A single bit flip could cause the entire file to be unreadable. Maintaining proper backups of the data is even more important than normal.
With private home directories protected by ecryptfs, the easiest thing
to do is to backup the data in
. Accessing that data does not involve mounting and decrypting the data
first. The data remains fully encrypted throught the entire process and
is thus appropriate for storage even on external, portable drives, or
on a remote server.
A description of a good backup strategy for ecryptfs can be found on Dustin's blog. In this section I provide a variation that provide an Apple Time Machine style backup that is fully encrypted.
is an extremely versatile backup and file syncing tool on Linux.
Machine for every Unix out there describes how it can be used to
mimic the behavior of
Machine. The basic strategy is to use the
flags, which will cause rsync to use hard links if the file has not
changed. We can then create a new directory for each backup instance,
and still keep the disk usage for the backups manageable.
I wrote a small Python script to automate the process. Note that the ecryptfs passphrase is not necessary for the backup at all. The encrypted files are simply copied as black boxes.
You can automate the backup process by setting up a cron job. Using
this script. To set up an hourly run, log in as root using
sudo su -, and edit the crontab using
The following crontab row will give you the desired behavior
0 * * * * [path_to_]/backup_home.py
To view or restore data, you'd need to mount the backup directory. You can either choose from the latest backup, or any one of the historical backups if you prefer. It is also a good idea to periodically verify that the backup is done properly, before you need it.
Assuming you have the cryptfs passphrase available, you should first issue
sudo ecryptfs-add-passphrase --fnek
This command will print out the ecryptfs signatures associated with the passphrase once it is done. By default, file name encryption is enabled, so in particular, you'll need to use the fnek signature later.
The next step is to mount the encrypted directory. To mount the latest backup for username, run
sudo mount -t ecryptfs /[backup_location]/[username]/Current/.Private/ [mount-point]
Assuming you set up the home directory using Ubuntu's installer or adduser tool, you can take the defaults in interactive prompts that follow. Note that file name encryption is turned on by default, so you probably want to select y to that question and supply the appropriate fek siganture.
That's it. You can now cd to the directory and examine and restore the data as appropriate.
For more detailed instructions, see Rescue Your Data from EcryptFS
External hard drives can be used to effectively store data backups. Before an external harddive can be used, they must be formatted. The article Linux: Partition and format external hard drive as ext3 filesystem
If you prefer to use GUID Partition Table for your drive, then
wouldn't work. You'll need to use GNU Parted tool instead. Note that
is not completely mature, so it might better to run
mkfs outside of
An example follows (assuming you want the ext4 filesystem)
sudo parted /dev/[device-name] (parted) mktable gpt (parted) mkpart primary ext4 [start]GB [end] sudo mkfs.ext4 /dev/[device-name]1
path that a USB drive is mounted on depends on what other USB devices
are available. As a result, it is in general better to use UUID instead
to specify the mount path of each USB drive. To find out the UUID for a
USB drive, run
ls -l /dev/disk/by-uuid
Assuming that you are running this in the same session as when you
formatted the disk, the name of the symbolic link that points to the
is the UUID you're looking for.
file by inserting a line along the lines of the following, substituing
in the UUID you found above, and the mount point that you want (which
should be an empty directory in the file system).
UUID=[UUID] [mount-point-path] errors=remount-ro 0 1
The approach I take is adapted from the one described
System Backup with rsync. A known set of directories, such as
are excluded from the backup, since they don't make much sense, and in
some cases could lead to recursion. To generate a Time Machine style
parameter is also specified. This results in a command like the one
rsync -aAXv --exclude=/dev/* --exclude=/proc/* --exclude=/sys/* --exclude=/tmp/* --exclude=/run/* --exclude=/mnt/* --exclude=/media/* --exclude=/lost+found --exclude=/home/*/.gvfs --exclude=/var/lib/pacman/sync/* --link-dest=[last_backup_directory] / [backup_directory]
In practice, I use a similar script as the one I used for backing up home directory to handle creation of backup directory names with timestamps, creation of convenience soft links, and to handle any error conditions.
A Time Machine style backup is great for keeping historical snapshots, making it possible to go back to a previous state of the data. However, there are many different ways the backup can go wrong: hard drive failures, theft, physical disasters, human error, software bugs or malware can all cause the backup to be inaccessible or lost.
I recommend having at least two backup copies of your home directory and any other critical data. It's also a good idea to store the backups in two separate locations to minimize the chances of both copies being destroyed at once. In my case, I store one backup harddrive at home, another backup harddrive at work, and rotate between them periodically. This way, in the worse case, you'd not lose more than the rotation period's worth of data. The backup copies are fully encrypted to make sure even in the case of theft or loss of the physical media, the chances of other gaining unauthorized access to your data is minimized.
I also keep a full system backup in a third drive at home. This allows me to preserve any system configuration and make it easier to recover in case I encounter a bad hardware or software issue that require reimaging my machine.
Written by Mike Kwong