We wanted to use EncFS to be able to store encrypted backups.

The requirements for that are:

  • The backup server initiates the backup. That's where we configure which hours are safe (resource-wise) and which files need backing up (etc, home, root, srv, ...). And it means the backup server can safely be placed behind a gateway that disallows all incoming connections.
  • The backup server cannot know the passwords of files. This means that the file-providing server will have to do the encrypting.

As I wrote earlier, EncFS is willing to encrypt files on the fly. So, with a bit of sshd_config chroot hackery, and a --reverse encrypted mount of / onto /.encbackup/data, we have an rsync entrypoint to get daily backups. The backup server only ever has access to encrypted files, so privacy is guaranteed.

Just one problem!

/.encbackup/data now contains encrypted versions of /etc, /home and so on...
... but also of /.encbackup and its subdirectories!

And you guessed what's in there; that's right, an infinitely recursing loop of /.encbackup/data/.encbackup/data/.encbackup/data... which will cause any find /, ncdu / or locate updatedb to break. (Actually, it's worse, because file accesses would hang, crippling the mount point completely.)
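
A pre-flight check for the condition described above, where the --reverse mount point sits inside the tree it exposes. This is an added example, not code from the original post or from EncFS; the function names canon and mount_contains_itself and the script name check.sh are hypothetical.

```shell
#!/bin/sh
# Added example: report whether a reverse-mount point lies inside its own
# source tree, which is what makes the mount contain itself.

# canon DIR: print the absolute, symlink-free form of DIR.
# Fails (non-zero) if DIR does not exist or is not a directory.
canon() {
    ( cd -P "$1" 2>/dev/null && pwd -P )
}

# mount_contains_itself SOURCE MOUNTPOINT
#   returns 0 if MOUNTPOINT is SOURCE or lies below it (self-referential)
#   returns 1 if MOUNTPOINT is outside SOURCE
#   returns 2 if either directory cannot be resolved
mount_contains_itself() {
    _src=$(canon "$1") || return 2
    _mnt=$(canon "$2") || return 2
    # A source of "/" contains every directory on the system.
    [ "$_src" = "/" ] && return 0
    # Compare with a trailing slash so /srv does not match /srv2.
    case "$_mnt/" in
        "$_src"/*) return 0 ;;
    esac
    return 1
}

# Stand-alone use (hypothetical script name): ./check.sh / /.encbackup/data
if [ "$#" -eq 2 ]; then
    if mount_contains_itself "$1" "$2"; then
        echo "WARNING: $2 is inside $1; the reverse mount will contain itself"
    fi
fi
```

Both paths are resolved through symlinks first, so a mount point reached via a symlink into the source tree is still reported.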

EncFS could be patched rather quickly, and for our Debian/Wheezy machines (and others who use 1.7.4) we got upstream_pull125-inf_recursion_check.patch, with this changelog:

encfs (1.7.4-2.4.osso0) unstable; urgency=low

  * Added upstream_pull125-inf_recursion_check.patch to fix infinite recursion.

 -- Walter Doekes <wjdoekes[AT]osso.nl>  Thu, 12 Nov 2015 14:11:23 +0100

The lazy can get the deb-archive here: encfs_1.7.4-2.4.osso0_amd64.deb

md5sum of encfs_1.7.4-2.4.osso0_amd64.deb:
  e02f423f3611b22f132b1b9a450d7042943d1a06
sha256sum of encfs_1.7.4-2.4.osso0_amd64.deb:
  c5923498f69d5cd6520ec81df29d46cea754edd2f10fea049af7588cb3ce7916
tthsum of encfs_1.7.4-2.4.osso0_amd64.deb:
  TGTKIRSQAW6Q2PYX2GE2HCBCKYROF6CXB6OZGXI
