Backup strategy for eCryptfs

Solution 1:

Are you sure that /home/.ecryptfs/A is locked for reading? I use ecryptfs, and while I'm logged in I can browse and read the files in /home/.ecryptfs/myusername/.Private. I just tried going into that directory (and sub-directories) and opening files (using vim -b) and I could read them fine. I'd certainly want them locked for writing, but I don't see why they'd be locked for reading. What OS version are you using? (I'm on Ubuntu Lucid 10.04). Maybe ask a separate question about errors you're getting, because maybe something else is causing the problem.

To directly answer your question - back up the contents of /home/.ecryptfs/. This will backup (encrypted copies of) all the files for all users.

In addition you ought to be able to decrypt the files if necessary. So you should store the unwrapped passphrase somewhere secure, in case the user forgets their password, leaves ... To obtain it, have the user run

ecryptfs-unwrap-passphrase

while logged in, and store the result somewhere. It's small enough that you could write it down (double triple check it) and store it in a safe, or have two people keep half of it each or some such, depending how much security you require.

Otherwise you would need /home/.ecryptfs/*/.ecryptfs/wrapped-passphrase and the users' passwords.

You should also note that rsync won't be able to speed up file transfers when syncing encrypted data. Any change in the unencrypted file will completely change the encrypted file. And compression won't really work with encrypted data. This shouldn't be a big issue for your case, where the sync is across a LAN, but may be important for other people reading this question. Though rsync can still check if an encrypted file is unchanged, so it won't have to re-transfer unchanged files.

Readers of this question might also be interested in this guide to backing up by the maintainer of ecryptfs.
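
An added example, not part of the original answer: a shell check that a copy of /home/.ecryptfs holds, for every user, both the encrypted .Private data and the .ecryptfs/wrapped-passphrase file mentioned above. The backup path argument, the function name and the status labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: check that a copy of /home/.ecryptfs is restorable.
# For each user directory under the backup root it looks for
#   <user>/.Private                      (the encrypted files)
#   <user>/.ecryptfs/wrapped-passphrase  (needed with the user's password)
# Status labels and the backup path are assumptions of this example.

check_ecryptfs_backup() {
    ceb_root=$1
    ceb_status=0
    ceb_users=0
    if [ ! -d "$ceb_root" ]; then
        echo "ERROR not a directory: $ceb_root" >&2
        return 2
    fi
    for ceb_dir in "$ceb_root"/*; do
        [ -d "$ceb_dir" ] || continue          # skip files / unmatched glob
        ceb_users=$((ceb_users + 1))
        ceb_user=$(basename "$ceb_dir")
        if [ ! -d "$ceb_dir/.Private" ] ||
           [ -z "$(ls -A "$ceb_dir/.Private" 2>/dev/null)" ]; then
            # No encrypted data copied: nothing to restore for this user.
            echo "NO-ENCRYPTED-DATA $ceb_user"
            ceb_status=1
        elif [ ! -s "$ceb_dir/.ecryptfs/wrapped-passphrase" ]; then
            # Data is present, but only the separately stored unwrapped
            # passphrase can decrypt it; the login password cannot.
            echo "NO-WRAPPED-PASSPHRASE $ceb_user"
            ceb_status=1
        else
            echo "OK $ceb_user"
        fi
    done
    if [ "$ceb_users" -eq 0 ]; then
        echo "ERROR no user directories under $ceb_root" >&2
        return 2
    fi
    return "$ceb_status"
}

# Run as: sh check_backup.sh /path/to/backup/.ecryptfs
[ "$#" -eq 0 ] || check_ecryptfs_backup "$1"
```
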

Solution 2:

Presumably the passphrase of the user not present is absolutely needed for decryption. Hence your only option is to look for a solution that backs up encrypted files, and use this for both users. This has the advantage that the apparently confidential information is also encrypted on the backup media - which can be important if you're transferring it around the place (for offsite).

I'm not familiar with ecryptfs but it sounds like the files are standard files when viewed by the underlying filesystem (at a guess ext3).

So, 1) Is the 'original' directory that contains the encrypted data actually somewhere else, and then mounted so that the unencrypted version appears at the location you've given? In that case you could just get the encrypted data from the original location. Some of the Ubuntu documentation suggests that the unencrypted private files are what you see in /home/.ecryptfs/A/Private and their encrypted counterparts are actually present in /home/.ecryptfs/A/.Private. If so, and you use rsync, you will have the encrypted .Private directory for both users anyway, and for clarity you could use the exclude options of rsync to prevent backup of the unencrypted Private directory.

2) Alternatively, your question reads a bit like the entire folder A (or B) is encrypted, and possibly the unencrypted and encrypted versions mount at the same location. If so, could you try something like mount -o ro --bind /home/.ecryptfs/A /mnt/encryptedA which would provide another access point to A's directory via /mnt/encryptedA. If this was done before user login then possibly you'd retain access to the encrypted version via /mnt/encryptedA even while /home/.ecryptfs/A gives access to the unencrypted version. I don't know whether this will work - you'd just have to try it and see.