Encrypted backup to an SFTP server (WebSpace) with ecryptfs

    Hi,


    Here is a little HowTo for saving your data encrypted on a remote SFTP server.
    My purpose is to back up my data encrypted to my webspace, which is provided by a shared hoster.


    For the encryption I use ecryptfs, which is a file-based encryption system.
    Each file is encrypted separately and the encrypted tree mirrors the plain one, so you can use any file-based sync software, e.g. rsync.
    The advantage is that only changed files are retransmitted and not one huge container.


    OK. Let's start.
    We will mount the remote drive via SFTP (it could also be another protocol) to a mountpoint, e.g. /mnt/hoster-encrypted.
    It is called "encrypted" because on this mountpoint we will later see the encrypted files, i.e. exactly what the hoster sees.
    Then we will put ecryptfs on top of this mountpoint. I did this on /mnt/hoster-decrypted.
    You can also mount ecryptfs on the first mountpoint; for troubleshooting reasons I prefer two separate dirs.


    Create the mountpoints (-p gives no error if /mnt already exists):

    Code
    root@omv~#mkdir -p /mnt
    root@omv~#mkdir /mnt/hoster-encrypted
    root@omv~#mkdir /mnt/hoster-decrypted


    Then, if not yet done, install ecryptfs-utils (the ecryptfs mount helper) and sshfs (the FUSE client that mounts an SFTP share as a directory):

    Code
    root@omv~#apt-get install ecryptfs-utils
    root@omv~#apt-get install sshfs


    Import your server's SSH host key by connecting once by hand. Compare the fingerprint shown with the one your hoster publishes before answering "yes": the scripted sshfs mounts later on run non-interactively and simply trust whatever is in /root/.ssh/known_hosts.

    Code
    root@omv:~# ssh SFTP-USER@SFTPT-SERVER.NAME
    The authenticity of host 'SFTPT-SERVER.NAME (x.y.z.a)' can't be established.
    ECDSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'SFTPT-SERVER.NAME,x.y.z.a' (ECDSA) to the list of known hosts.
    SFTP-USER@SFTPT-SERVER.NAME's password: blabla
    ..
    Connection closed by ...


    Now check whether the mount of your SFTP share to /mnt/hoster-encrypted works with your credentials. The colon after the server name means the remote home directory; password_stdin makes sshfs read the password from standard input, so it does not show up in the process list, but the echo line does end up in root's shell history:

    Code
    root@omv#echo YOUR-SFTP-PASSWORD | sshfs -o ServerAliveInterval=15 -o workaround=rename -o password_stdin SFTP-USER@SFTPT-SERVER.NAME: /mnt/hoster-encrypted/


    If it works, continue with the ecryptfs overlay.

    Mount the overlay once by hand (mount -t ecryptfs with the two directories, exactly as in the mount script below) and answer the prompts for key type, passphrase, cipher, key bytes, plaintext passthrough and filename encryption. The signature of the passphrase you entered is then written to /root/.ecryptfs/sig-cache.txt. Always use the same passphrase: a different one gives a different signature and the existing files will not decrypt.

    Create the file /root/.ecryptfsrc with the following content, but replace "YourSignature" with the value from "/root/.ecryptfs/sig-cache.txt" and put your ecryptfs passphrase into passphrase_passwd:


    key=passphrase:passphrase_passwd=[YourPasswordInBrackets]
    ecryptfs_sig=YourSignature
    ecryptfs_cipher=aes
    ecryptfs_key_bytes=16
    ecryptfs_passthrough=n
    ecryptfs_enable_filename_crypto=n
    ecryptfs_fnek_sig=YourSignature

    Notes on the options: ecryptfs_key_bytes=16 means AES-128 (32 would give AES-256). ecryptfs_passthrough=n means unencrypted files in the lower directory are not served through the overlay, which is what you want here. ecryptfs_enable_filename_crypto=n means only the file contents are encrypted; the file and directory names are stored in plain text on the hoster. If the names themselves are sensitive, set it to y (ecryptfs_fnek_sig is then used for the names). Decide this before the first backup, because switching later leaves the already written names in plain text.


    Reboot


    Create mount and unmount scripts, make them executable and readable by root only (chmod 700), and test them:


    Sample unmount script:
    umount-hoster.sh
    #################################
    #!/bin/bash
    # unmount the overlay first, then the SFTP share underneath it
    umount /mnt/hoster-decrypted
    fusermount -u /mnt/hoster-encrypted


    Sample mount script:
    mount-hoster.sh
    #################################
    #!/bin/bash
    # mount the SFTP share; stop here if it fails, so the next step does not run against a bare local directory
    echo YOUR-SFTP-PASSWORD | sshfs -o ServerAliveInterval=15 -o workaround=rename -o password_stdin SFTP-USER@SFTPT-SERVER.NAME: /mnt/hoster-encrypted/ || exit 1
    # the directory "test" must already exist on the server; passphrase, signature and cipher come from /root/.ecryptfsrc
    mount -t ecryptfs /mnt/hoster-encrypted/test /mnt/hoster-decrypted


    Now you can mount your webspace and save the data encrypted on it.
    For example you can rsync the home dirs to it. The target is always the decrypted mountpoint, never /mnt/hoster-encrypted: anything written there goes to the hoster in plain text. Check with "mount" that /mnt/hoster-decrypted really is an ecryptfs mount before the first run; if the overlay is missing, rsync just fills the local directory.

    Code
    root@omv:~#rsync -rut -vv --delete /mnt/hd1/homes/ /mnt/hoster-decrypted

    (read the man pages for the rsync parameters; in short: -r recursive, -t keep modification times, -u do not overwrite files that are newer on the target, --delete remove files from the target that no longer exist in the source, so a local deletion is mirrored to the backup on the next run)



    Attention:
    Your SFTP password is in plain text in the mount script.
    Your ecryptfs password is in plain text in the file /root/.ecryptfsrc.
    Keep both readable by root only (chmod 600).
    Copy /root/.ecryptfsrc to a safe place: without the passphrase and signature in it, the backup on the hoster cannot be decrypted.
    Test everything a couple of times. There is a risk of data loss.
    If your editor is not Unix-compliant, run "dos2unix" on your scripts and the config file.
    I tried to document everything exactly, but it may contain errors.
    So if you encounter errors, please report them.


    More information about ecryptfs can be found here: https://help.ubuntu.com/lts/serverguide/ecryptfs.html
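As an added example (not the original post's scripts), the following script combines the mount, unmount and rsync steps above into one file and adds the check the plain scripts lack: before anything is synced it parses /proc/mounts and refuses to run unless /mnt/hoster-encrypted really is an sshfs mount and /mnt/hoster-decrypted really is an ecryptfs mount, so a failed mount can neither fill the local disk nor send data in plain text to the hoster. It assumes the layout from the post (the two mountpoints, the remote directory "test", the SFTP-USER and SFTPT-SERVER.NAME placeholders, the rsync source /mnt/hd1/homes/) plus a hypothetical root-only file /root/.hoster-sftp-pass holding the SFTP password, which keeps the password out of the script; the /proc/mounts excerpt inside the script is constructed for the self-check, not captured from a real system.

```shell
#!/bin/bash
# Added example, not the HowTo's own script. Same layout as the post:
# sshfs on /mnt/hoster-encrypted, ecryptfs overlay on /mnt/hoster-decrypted,
# remote directory "test". Assumptions: the SFTP password is the single line of
# /root/.hoster-sftp-pass (hypothetical path, mode 600), /proc/mounts exists
# (Linux), and the SFTP-USER / SFTPT-SERVER.NAME placeholders are filled in.
set -eu

ENC=/mnt/hoster-encrypted
DEC=/mnt/hoster-decrypted
REMOTE='SFTP-USER@SFTPT-SERVER.NAME:'   # trailing colon = remote home directory
PASS_FILE=/root/.hoster-sftp-pass
SOURCE=/mnt/hd1/homes/

# Constructed /proc/mounts excerpt for the self-check (not from a real system).
# Columns: source, mountpoint, filesystem type, options, dump, pass.
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
SFTP-USER@SFTPT-SERVER.NAME: /mnt/hoster-encrypted fuse.sshfs rw,nosuid,nodev,relatime 0 0
/mnt/hoster-encrypted/test /mnt/hoster-decrypted ecryptfs rw,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0'

# fs_type_of PATH MOUNTS_TEXT: print the filesystem type recorded for PATH, or
# nothing if PATH is not a mountpoint. The last matching line wins, so with two
# filesystems stacked on one directory the topmost one is reported.
fs_type_of() {
    printf '%s\n' "$2" | awk -v t="$1" '$2 == t { type = $3 } END { print type }'
}

# is_ecryptfs_mount PATH [MOUNTS_TEXT]   (defaults to the live /proc/mounts)
is_ecryptfs_mount() {
    local mounts=${2:-$(cat /proc/mounts)}
    [ "$(fs_type_of "$1" "$mounts")" = ecryptfs ]
}

# is_sshfs_mount PATH [MOUNTS_TEXT]
is_sshfs_mount() {
    local mounts=${2:-$(cat /proc/mounts)}
    [ "$(fs_type_of "$1" "$mounts")" = fuse.sshfs ]
}

# layout_ok MOUNTS_TEXT: both layers are up, each on the directory it belongs on.
layout_ok() {
    is_sshfs_mount "$ENC" "$1" && is_ecryptfs_mount "$DEC" "$1"
}

mount_hoster() {
    # Refuse to use a password file that other local users can read.
    [ "$(stat -c %a "$PASS_FILE")" = 600 ] || { echo "$PASS_FILE must be mode 600" >&2; return 1; }
    # Password via stdin, not the command line. StrictHostKeyChecking is an ssh
    # option that sshfs passes through, so an unknown or changed host key aborts.
    sshfs -o ServerAliveInterval=15 -o workaround=rename -o password_stdin \
          -o StrictHostKeyChecking=yes "$REMOTE" "$ENC" < "$PASS_FILE"
    is_sshfs_mount "$ENC" || { echo "sshfs mount of $ENC failed" >&2; return 1; }
    # Passphrase, signature and cipher come from /root/.ecryptfsrc as in the post.
    mount -t ecryptfs "$ENC/test" "$DEC" || { fusermount -u "$ENC"; return 1; }
}

umount_hoster() {
    umount "$DEC"
    fusermount -u "$ENC"
}

backup() {
    # Never rsync unless the overlay is really there: otherwise the data lands
    # unencrypted on the local disk (or, with ecryptfs mounted on the same
    # directory as sshfs, in plain text on the hoster).
    layout_ok "$(cat /proc/mounts)" || { echo "refusing: $DEC is not an ecryptfs overlay on $ENC" >&2; return 1; }
    rsync -rut -vv --delete "$SOURCE" "$DEC"
}

# selfcheck: exercises the mount-table parser on the constructed excerpt without
# touching any real mounts; returns 0 when every check holds.
selfcheck() {
    layout_ok "$SAMPLE_MOUNTS" &&
    ! is_ecryptfs_mount "$ENC" "$SAMPLE_MOUNTS" &&
    [ -z "$(fs_type_of /mnt/nowhere "$SAMPLE_MOUNTS")" ]
}

case "${1:-}" in
    mount)  mount_hoster ;;
    umount) umount_hoster ;;
    backup) backup ;;
    check)  selfcheck && echo "mount-table checks OK" ;;
    *)      echo "usage: $0 mount|umount|backup|check" >&2 ;;
esac
```

Run it as "./hoster.sh check" on any Linux box to exercise the parser, and as mount, backup and umount on the server. The parser reads the mount table as text rather than calling mountpoint or findmnt so that the same functions can be fed a constructed table in the self-check and the live /proc/mounts in production.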
