Hi,
here is a little HowTo on saving your data encrypted on a remote SFTP server.
My purpose is to back up my data encrypted to my webspace, which is provided by a shared hoster.
For the encryption I use ecryptfs, which is a file-based encryption system.
Therefore you can use any file-based sync software, e.g. rsync.
The advantage is that only changed files are retransmitted and not a huge container.
OK. Let's start.
We will mount the remote storage via SFTP (another protocol would also work) on a mountpoint, e.g. /mnt/hoster-encrypted.
It is called "encrypted" because on this mountpoint we will later see the encrypted files.
Then we put ecryptfs on top of this mountpoint. I did this on /mnt/hoster-decrypted.
You can also mount ecryptfs on the first mountpoint itself; for troubleshooting reasons I prefer two separate directories.
Create the mountpoints (-p also creates /mnt if it does not exist yet):
root@omv:~# mkdir -p /mnt/hoster-encrypted /mnt/hoster-decrypted
Then, if not yet done, install
Import the SFTP server's SSH host key into root's known_hosts (sshfs will later run as root, so root's known_hosts is the one that matters). Before you answer "yes", compare the fingerprint shown with the one your hoster publishes (e.g. in its control panel); if you accept an unknown key blindly, a man-in-the-middle could later receive your SFTP password:
root@omv:~# ssh SFTPT-SERVER.NAME
The authenticity of host 'SFTPT-SERVER.NAME (x.y.z.a)' can't be established.
ECDSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'SFTPT-SERVER.NAME,x.y.z.a' (ECDSA) to the list of known hosts.
root@SFTPT-SERVER.NAME's password: blabla
..
Connection closed by ...
("Connection closed" is expected here: an SFTP-only account usually has no shell. The host key has been added anyway, which is all this step is for.)
Now check that mounting your SFTP share on /mnt/hoster-encrypted works with your credentials (the trailing colon after the server name means the remote home directory):
root@omv#echo YOUR-SFTP-PASSWORD | sshfs -o ServerAliveInterval=15 -o workaround=rename -o password_stdin SFTP-USER@SFTPT-SERVER.NAME: /mnt/hoster-encrypted/
If it works, continue with the ecryptfs overlay:
root@omv:~# mount -t ecryptfs /mnt/hoster-encrypted /mnt/hoster-decrypted
Select key type to use for newly created files:
1) tspi
2) passphrase
Selection: 2
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [b9896305da61b71b]:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=b9896305da61b71b
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=b9896305da61b71b
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [b9896305da61b71b] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
root@omv:~#
Your ecryptfs_sig is now stored in /root/.ecryptfs/sig-cache.txt.
Create the file /root/.ecryptfsrc with the following content. Replace YourPassphrase with the passphrase you typed during the interactive mount and YourSignature with the value from /root/.ecryptfs/sig-cache.txt. Cipher, key size and the filename-encryption setting must match what you chose interactively, otherwise later mounts will not be able to read the files written now: the interactive mount above answered "y" to filename encryption, so ecryptfs_enable_filename_crypto must be y here too, and ecryptfs_key_bytes=16 means AES-128 (if you selected 32, i.e. AES-256, use 32 here as well):
key=passphrase:passphrase_passwd=YourPassphrase
ecryptfs_sig=YourSignature
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=y
ecryptfs_fnek_sig=YourSignature
Reboot
Create mount and unmount scripts and test them (the #!/bin/bash line must be the first line of each file):
Sample unmount script, umount-hoster.sh (the ecryptfs layer first, then the sshfs layer underneath it):
#!/bin/bash
umount /mnt/hoster-decrypted
fusermount -u /mnt/hoster-encrypted
Sample mount script, mount-hoster.sh (the ecryptfs mount must use the same directory as in the manual test above; passphrase and options are read from /root/.ecryptfsrc):
#!/bin/bash
echo YOUR-SFTP-PASSWORD | sshfs -o ServerAliveInterval=15 -o workaround=rename -o password_stdin SFTP-USER@SFTPT-SERVER.NAME: /mnt/hoster-encrypted/
mount -t ecryptfs /mnt/hoster-encrypted /mnt/hoster-decrypted
Now you can mount your webspace and save your data encrypted on it.
For example you can rsync the home directories to it (read the man page for the rsync parameters).
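The following is an added example, not the scripts from this post: one script that does mount, backup and unmount, reads the SFTP password from a root-only file instead of keeping it in the script, refuses to continue if that file is readable by others, lets ssh fail on an unknown or changed host key instead of asking, and, before any rsync, checks that the ecryptfs layer is really mounted and really encrypting (a marker written through /mnt/hoster-decrypted must show up on /mnt/hoster-encrypted only as an ECRYPTFS_FNEK_ENCRYPTED.* entry, never under its own name or with readable content). The server name, user, mountpoints, /root/hoster.secret and /home/ as the source are assumptions; the ecryptfs passphrase and options still come from /root/.ecryptfsrc as described above.

```shell
#!/bin/bash
# Added example (not the post's own scripts). Assumed names, adapt them:
#   SFTP-USER@SFTPT-SERVER.NAME, /mnt/hoster-encrypted, /mnt/hoster-decrypted
#   /root/hoster.secret: one line, the SFTP password, owned by root, mode 0600
# The ecryptfs passphrase and options still come from /root/.ecryptfsrc.
set -eu

SFTP_TARGET="SFTP-USER@SFTPT-SERVER.NAME"
ENC_DIR="/mnt/hoster-encrypted"
DEC_DIR="/mnt/hoster-decrypted"
SECRET_FILE="/root/hoster.secret"
SOURCE_DIR="/home/"

# Refuse a password file that is not ours or that group/others can read.
secret_file_is_safe() {
    local f="$1"
    [ -f "$f" ] && [ -O "$f" ] || return 1
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]   # group and other bits must be empty
}

# True if DIR is currently mounted with filesystem type FSTYPE (per /proc/mounts).
is_mounted_as() {
    local dir="$1" fstype="$2"
    awk -v d="$dir" -v t="$fstype" '$2 == d && $3 == t { found = 1 } END { exit !found }' \
        /proc/mounts 2>/dev/null
}

# A marker written through DEC must appear on the ENC side only as an
# ECRYPTFS_FNEK_ENCRYPTED.* entry, never under its own name or with readable content.
# Returns 1 if plaintext is visible on the encrypted side (top level only is checked).
verify_encryption() {
    local enc="$1" dec="$2" name=".ecryptfs-check" marker="ecryptfs-check-$$" rc=0
    printf '%s\n' "$marker" > "$dec/$name"
    if [ -e "$enc/$name" ] || grep -qs -- "$marker" "$enc"/* "$enc"/.[!.]* 2>/dev/null; then
        rc=1                                   # plaintext name or content leaked
    elif ! ls -A "$enc" | grep -q '^ECRYPTFS_FNEK_ENCRYPTED\.'; then
        rc=1                                   # filename encryption is not in effect
    fi
    rm -f "$dec/$name"
    return $rc
}

umount_hoster() {
    is_mounted_as "$DEC_DIR" ecryptfs && umount "$DEC_DIR"
    is_mounted_as "$ENC_DIR" fuse.sshfs && fusermount -u "$ENC_DIR"
    return 0
}

mount_hoster() {
    secret_file_is_safe "$SECRET_FILE" || {
        echo "refusing $SECRET_FILE: must be owned by you with mode 0600" >&2; return 1; }
    if ! is_mounted_as "$ENC_DIR" fuse.sshfs; then
        # password via stdin from the file; StrictHostKeyChecking=yes is passed through
        # to ssh and makes the mount fail on an unknown or changed host key
        sshfs -o ServerAliveInterval=15 -o workaround=rename -o password_stdin \
              -o StrictHostKeyChecking=yes "$SFTP_TARGET": "$ENC_DIR" < "$SECRET_FILE"
    fi
    if ! is_mounted_as "$DEC_DIR" ecryptfs; then
        mount -t ecryptfs "$ENC_DIR" "$DEC_DIR"
    fi
    verify_encryption "$ENC_DIR" "$DEC_DIR" || {
        echo "encryption check failed, unmounting" >&2; umount_hoster; return 1; }
}

backup_hoster() {
    # never rsync unless the ecryptfs layer is really there; otherwise the plaintext
    # lands in the local directory (or, with a wrong target, unencrypted on the hoster)
    is_mounted_as "$DEC_DIR" ecryptfs || { echo "$DEC_DIR is not an ecryptfs mount" >&2; return 1; }
    rsync -a --delete "$SOURCE_DIR" "$DEC_DIR/home/"   # --delete mirrors deletions too
}

if [ $# -gt 0 ]; then
    case "$1" in
        mount)  mount_hoster ;;
        backup) mount_hoster && backup_hoster ;;
        umount) umount_hoster ;;
        *) echo "usage: $0 mount|backup|umount" >&2; exit 2 ;;
    esac
fi
```

Run it as root: ./hoster.sh backup from cron, ./hoster.sh umount afterwards. The checks are deliberately conservative: a wrong permission on the password file or a missing ecryptfs layer aborts the run rather than transmitting anything.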
Attention:
Your SFTP password is in plain text in the mount script, and your ecryptfs passphrase is in plain text in /root/.ecryptfsrc. Keep both files readable by root only (chmod 600).
Copy /root/.ecryptfsrc to a safe place: without the passphrase and the signature the backup on the hoster cannot be decrypted.
Test everything a couple of times. There is a risk of data loss.
If your editor is not Unix-compliant, run dos2unix on your scripts and the config file.
I tried to document everything exactly, but it may still contain errors.
If you encounter any, please report them.
More information about ecryptfs can be found here: https://help.ubuntu.com/lts/serverguide/ecryptfs.html