sshfs + encfs + rsync = encrypted remote backups
March 8, 2009
I am a backup freak. My home setup encompasses a file server that has 2 disks mirrored against each other using RAID1 and a second server that rsyncs its content against the main file server every night. But having 3 local copies of my data is not enough. What if a nuke fell over Stockholm, destroyed my home but left me alive? Where would I find a backup of my cvs repository then? (assuming I would care)
So I needed one more backup. Abroad.
A friend provided me with a ssh account on a server with a fat disk. But what if thieves grabbed my friend's drive? I would not want them to play with my cvs repository! So I needed the remote backup to be encrypted. An other friend came up with a brilliant suggestion: use an encrypted filesystem located on the remote host but mounted on my local server. Which sounds complicated at first but appeared to be really trivial thanks to two things: sshfs and encfs.
Sshfs lets you mount a remote file system using just an usual ssh connection, making it look like a part of the local file system. Encfs creates an encrypted filesystem on top of an other filesystem. Both run in userspace under linux.
The trick is to run encfs locally on top of the remote filesystem mounted locally with sshfs.
The following commands show how to do that on a debian:
// let's assume that I am user foo
// with uid=1000 and gid=1000
$ id
uid=1000(foo) gid=1000(foo) groups=...
// start by installing sshfs and encfs (as root)
# apt-get install sshfs
# apt-get install encfs
// configure the fuse module needed by encfs and sshfs
# modprobe -v fuse
# echo fuse >> /etc/modules
# usermod -a -G fuse foo
// as user foo, mount your remote home using sshfs:
$ mkdir ~/remotefs-encrypted
$ sshfs -o workaround=rename,uid=1000,gid=1000 \ foo@some.other.place.net:/home/foo/ ~/remotefs-encrypted
(enter password here or use shared keys)
// now initialize an encrypted filesystem located
// in foo@some.other.place.net:/home/foo/
$ mkdir ~/remotefs-clear
$ encfs ~/remotefs-encrypted ~/remotefs-clear
(the first time you will have to answer a few setup questions and provide a password)
// rsync whatever you want
$ rsync -avz --del ~/important-stuff ~/remotefs-clear
// then unmount
$ fusermount -u ~/remotefs-clear
$ fusermount -u ~/remotefs-encrypted
// note that you can script all this, even mounting
// the encrypted filesystem:
$ echo "SECRETPASSWORD" | encfs -S ~/remotefs-encrypted ~/remotefs-clear
UPDATE:
Well, after a few weeks of real-life trial it shows that this method is not stable enough. I keep stumbling on various bugs with both sshfs and encfs. At first, I had to use 'rsync --checksum' because encfs seemed to mess up timestamps. Later, it appeared sshfs causes IO errors when under heavy load from rsync (see http://osdir.com/ml/file-systems.fuse.sshfs/2006-10/msg00017.html). Conclusion: I am giving up this method for the time being. Hopefully this will get stable enough in some near future.
So I needed one more backup. Abroad.
A friend provided me with a ssh account on a server with a fat disk. But what if thieves grabbed my friend's drive? I would not want them to play with my cvs repository! So I needed the remote backup to be encrypted. An other friend came up with a brilliant suggestion: use an encrypted filesystem located on the remote host but mounted on my local server. Which sounds complicated at first but appeared to be really trivial thanks to two things: sshfs and encfs.
Sshfs lets you mount a remote file system using just an usual ssh connection, making it look like a part of the local file system. Encfs creates an encrypted filesystem on top of an other filesystem. Both run in userspace under linux.
The trick is to run encfs locally on top of the remote filesystem mounted locally with sshfs.
The following commands show how to do that on a debian:
// let's assume that I am user foo
// with uid=1000 and gid=1000
$ id
uid=1000(foo) gid=1000(foo) groups=...
// start by installing sshfs and encfs (as root)
# apt-get install sshfs
# apt-get install encfs
// configure the fuse module needed by encfs and sshfs
# modprobe -v fuse
# echo fuse >> /etc/modules
# usermod -a -G fuse foo
// as user foo, mount your remote home using sshfs:
$ mkdir ~/remotefs-encrypted
$ sshfs -o workaround=rename,uid=1000,gid=1000 \ foo@some.other.place.net:/home/foo/ ~/remotefs-encrypted
(enter password here or use shared keys)
// now initialize an encrypted filesystem located
// in foo@some.other.place.net:/home/foo/
$ mkdir ~/remotefs-clear
$ encfs ~/remotefs-encrypted ~/remotefs-clear
(the first time you will have to answer a few setup questions and provide a password)
// rsync whatever you want
$ rsync -avz --del ~/important-stuff ~/remotefs-clear
// then unmount
$ fusermount -u ~/remotefs-clear
$ fusermount -u ~/remotefs-encrypted
// note that you can script all this, even mounting
// the encrypted filesystem:
$ echo "SECRETPASSWORD" | encfs -S ~/remotefs-encrypted ~/remotefs-clear
UPDATE:
Well, after a few weeks of real-life trial it shows that this method is not stable enough. I keep stumbling on various bugs with both sshfs and encfs. At first, I had to use 'rsync --checksum' because encfs seemed to mess up timestamps. Later, it appeared sshfs causes IO errors when under heavy load from rsync (see http://osdir.com/ml/file-systems.fuse.sshfs/2006-10/msg00017.html). Conclusion: I am giving up this method for the time being. Hopefully this will get stable enough in some near future.
