Is there a way to encrypt a mounted file system for off-site backup?

1

1

I want to efficiently back up an encrypted copy of my hard drive. I am currently using rsync to back up an unencrypted copy, and I find it quite efficient.

I looked at duplicity and rsyncrypto, but duplicity makes incremental backups, and rsyncrypto uses a unique key for each encrypted file. Duplicity also ran out of memory, and I would need to back up the rsyncrypto keys somewhere. I find these to be space-inefficient, so I don't want to use them.

What I think would work well is if I could loopback/bind mount / and back up the encrypted mountpoint. I looked at eCryptfs and EncFS, but they both seem to only mount encrypted directories, and not allow encrypting a mounted directory. They both support encrypting the filename, which is also a desirable feature.

If I could have an encrypted version of my file system, then my existing rsync-backup would work efficiently. When very little has changed, only the file names need to be encrypted.

Is there a way to encrypt a mounted directory as another directory? Any other suggestions?

Jayen

Posted 2012-01-14T04:55:51.437

Reputation: 443

Answers

5

Ugh, I spent way too much time looking for an answer before posting this question, and now I find the --reverse option to encfs does what I want. Here's my backup script:

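```bash
#!/bin/bash
set -e
set -u
# rsync command kept as a string so the embedded quotes survive until eval;
# any arguments given to this script ($*) are appended as extra rsync options
CP="/usr/bin/sudo /usr/bin/rsync -aAhHPxX --delete-excluded --del --ignore-errors --rsync-path=\"rsync --fake-super\" $*"
SOURCE='/'
MOUNTPOINT='/tmp/slash'
DEST='backupuser@backuphost:backupdir'

mkdir -p "$MOUNTPOINT"
# mount the encrypted (reverse) view of $SOURCE unless it is already mounted
mount -t fuse.encfs | grep "^encfs on $MOUNTPOINT type fuse.encfs" || /usr/bin/sudo /usr/bin/encfs --reverse "$SOURCE" "$MOUNTPOINT"

# don't cross mount points: encode the name of every mount point except $SOURCE
EXCLUDE_LIST=$(encfsctl encode "$SOURCE" $(/usr/bin/cut -d' ' -f 2 /proc/mounts | /bin/grep -v "^$SOURCE\$"))
EXCLUDE=''
for EXCLUDE_ITEM in ${EXCLUDE_LIST} ; do
  EXCLUDE="${EXCLUDE} --exclude ${EXCLUDE_ITEM}"
done

# copy the EncFS config file(s) from $SOURCE next to the backup directory
/usr/bin/rsync -haxHAXPR "$SOURCE"/.encfs* "$DEST/../"
# eval for the quotes in the CP command
eval $CP $EXCLUDE $MOUNTPOINT/ $DEST/
```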

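And to recover a file:

```bash
# rsync command kept as a string; eval below restores the embedded quotes
CP='/usr/bin/sudo /usr/bin/rsync -haxHAXPR --no-implied-dirs --rsync-path="rsync --fake-super"'
SOURCE='/'
DEST='backupuser@backuphost:backupdir'
MOUNTPOINT='/tmp/slash'
# translate the plaintext path given as argument into its encrypted name
ENCRYPTED_NAME=$(encfsctl encode "$SOURCE" "$@")
eval $CP $DEST/./$ENCRYPTED_NAME $MOUNTPOINT
```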

Jayen

Posted 2012-01-14T04:55:51.437

Reputation: 443
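The exclude step of the backup script above, as an added example that is not part of Jayen's answer: it builds the list without word splitting, so a mount point whose name contains a space (written as `\040` in /proc/mounts) is decoded before it is encoded and is still excluded from the backup. `MOUNTS_FILE`, `ENCODE` and `write_excludes` are names made up for this example; `--exclude-from` is a standard rsync option.

```sh
#!/bin/sh
# Added example, not the answer's script. Writes the EncFS-encoded names of
# every mount point other than SOURCE to a file for rsync --exclude-from.
# MOUNTS_FILE, ENCODE and write_excludes are names made up for this example.
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}
ENCODE=${ENCODE:-encfsctl_encode}

# Default encoder: one encfsctl call for all names, as the answer's script does.
encfsctl_encode() { encfsctl encode "$@"; }

# write_excludes SOURCE OUTFILE
write_excludes() {
    src=$1
    out=$2
    set --                      # reuse "$@" as a list that keeps spaces intact
    while read -r _dev mnt _rest; do
        # /proc/mounts escapes space, tab and newline as \040, \011, \012
        mnt=$(printf '%b' "$mnt")
        [ "$mnt" = "$src" ] || set -- "$@" "$mnt"
    done < "$MOUNTS_FILE"
    : > "$out"
    [ "$#" -gt 0 ] || return 0  # nothing else is mounted
    # A leading "/" anchors each rsync pattern at the root of the transfer.
    "$ENCODE" "$src" "$@" | sed 's|^/*|/|' > "$out"
}

# Usage in place of the EXCLUDE loop (paths as in the answer; add the
# answer's other rsync options as needed):
#   write_excludes / /tmp/slash.exclude
#   sudo rsync -aAhHPxX --exclude-from=/tmp/slash.exclude /tmp/slash/ "$DEST/"
```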