We wanted to use EncFS to be able to store encrypted backups.
The requirements for that are:
- The backup server initiates the backup. That's where we configure which hours are safe (resource wise) and which files need backing up (etc, home, root, srv, ...). And it means the backup server can safely be placed behind a gateway disallowing all incoming connections.
- The backup server cannot know the passwords of files. This means that the file providing server will have to do the encrypting.
As I wrote earlier EncFS is willing to encrypt files on the
fly. So, with a
sshd_config chroot hackery, and a
--reverse encrypted mount
/.encbackup/data we have an rsync entrypoint to get daily
backups. The backup server only ever has access to encrypted files, so
privacy is guaranteed.
Just one problem!
/.encbackup/data now contains encrypted versions of
and so on...
... but also of
/.encbackup and it's subdirectories!
And you guessed what's in there; that's right, an infinitely recursing
/.encbackup/data/.encbackup/data/.encbackup/data... which will
ncdu / or locate
updatedb to break. (Actually,
it's worse, because file accesses would hang, crippling the mount point
encfs (1.7.4-2.4.osso0) unstable; urgency=low * Added upstream_pull125-inf_recursion_check.patch to fix infinite recursion. -- Walter Doekes <wjdoekes[AT]osso.nl> Thu, 12 Nov 2015 14:11:23 +0100
The lazy can get the deb-archive here: encfs_1.7.4-2.4.osso0_amd64.deb
md5sum of encfs_1.7.4-2.4.osso0_amd64.deb: e02f423f3611b22f132b1b9a450d7042943d1a06 sha256sum of encfs_1.7.4-2.4.osso0_amd64.deb: c5923498f69d5cd6520ec81df29d46cea754edd2f10fea049af7588cb3ce7916 tthsum of encfs_1.7.4-2.4.osso0_amd64.deb: TGTKIRSQAW6Q2PYX2GE2HCBCKYROF6CXB6OZGXI