I'm using ecryptfs to back up the entire contents of my Ubuntu box to an external hard drive enclosure. I've followed this guide and have things properly backing up and encrypted as I want.
That's all well and good until I have to actually use the encrypted backup, and that's got me wondering. In the event that I lose my entire primary hard drive, what files/info should I readily have access to in order to decrypt my backup? Besides the options used to set up the initial encryption, are these the only two things I need?
For a backup, you might just need to remember the passphrase and the options you used to set up the encrypted folder, so everything in the example page you linked:
To see the files again, just mount the directory with ecryptfs filesystem.
```
# mount -t ecryptfs /home/sk/unixmen/ /home/sk/unixmen/
Select key type to use for newly created files:
 1) tspi
 2) passphrase
Selection: 2                                <---- Type 2 and press enter
Passphrase:                                 <---- Enter the passphrase
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:                            <---- Press Enter
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:                             <---- Press Enter
Enable plaintext passthrough (y/n) [n]:     <---- Press Enter
Enable filename encryption (y/n) [n]:       <---- Press Enter
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=5c116acdf1d0dd89
Mounted eCryptfs
```
The `ecryptfs_sig` is derived from the passphrase, so it is really just there to verify you've entered the right passphrase; it's not really essential to the mount command.
I can't say I like the "Add your passphrase in this file" part of the automatic mount section; it detracts from the security by having the passphrase in plain text. Your system can use eCryptFS & PAM to automatically mount encrypted folders on login, using your login passphrase to "wrap"/encrypt the eCryptFS key. See `man ecryptfs` & the man pages for its tools, like `ecryptfs-setup-private`.
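To make the "passphrase plus the options" point concrete, here is an added example (not code from the question, the answer or the eCryptfs project): a small plain-text recovery record that holds only the non-secret mount options, a check that the record is complete, and a restore function that rebuilds the `mount -t ecryptfs` command from it. The passphrase stays out of any file and is handed to `mount.ecryptfs` over a pipe with the `passphrase_passwd_fd` key-module option instead of `passphrase_passwd_file`. The record file name, the function names and the sample record contents are this example's own; the mount option names are the documented eCryptfs ones.

```bash
#!/usr/bin/env bash
# Added example: keep the NON-secret eCryptfs mount options in a recovery
# record beside the backup and rebuild the mount command from it. The
# passphrase is the only secret and never touches disk here.
set -eu

# Options mount.ecryptfs needs to reproduce the original layout. A wrong
# value for any of them yields garbage or "missing" files, so all are
# required. (Filename encryption is assumed OFF, as in the guide; with it
# on, the FNEK signature would also have to be recorded.)
REQUIRED_KEYS="ecryptfs_cipher ecryptfs_key_bytes ecryptfs_passthrough ecryptfs_enable_filename_crypto"

# Constructed sample record matching the guide's interactive defaults
# (aes, 16 key bytes, no passthrough, no filename encryption).
write_sample_record() {  # write_sample_record FILE
  cat >"$1" <<'EOF'
# eCryptfs recovery record: mount options only, no secrets.
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
EOF
}

# Print the value of KEY from the record, or return 1 if it is absent.
record_get() {  # record_get FILE KEY
  awk -F= -v k="$2" '$1==k {print $2; found=1} END {exit !found}' "$1"
}

# Verify every required option is present; name the missing ones on stderr.
check_record() {  # check_record FILE
  local missing=0 k
  for k in $REQUIRED_KEYS; do
    record_get "$1" "$k" >/dev/null || { echo "missing: $k" >&2; missing=1; }
  done
  return $missing
}

# Build the -o argument for mount.ecryptfs from the record. The passphrase is
# read from fd 0 at mount time; verbosity=0 skips the interactive prompts
# shown in the guide; ecryptfs_unlink_sigs drops the key from the keyring
# again at unmount (it appears in the guide's own mount output).
build_mount_opts() {  # build_mount_opts FILE
  check_record "$1" || return 1
  local opts="key=passphrase:passphrase_passwd_fd=0" k
  for k in $REQUIRED_KEYS; do
    opts="$opts,$k=$(record_get "$1" "$k")"
  done
  printf '%s\n' "$opts,ecryptfs_unlink_sigs,verbosity=0"
}

# Mount LOWER (the encrypted directory on the backup disk) at UPPER using the
# record and a passphrase typed at the terminal. Needs root and the ecryptfs
# kernel module; it is not exercised by the self-test below.
mount_backup() {  # mount_backup RECORD LOWER UPPER
  local opts pass
  opts=$(build_mount_opts "$1") || return 1
  printf 'eCryptfs passphrase: ' >&2
  stty -echo; read -r pass; stty echo; echo >&2
  # The passphrase travels over the pipe, never through a file or argv.
  printf '%s\n' "$pass" | mount -t ecryptfs "$2" "$3" -o "$opts"
}
```

Usage: `write_sample_record /media/backup/ecryptfs-record.txt` once after the initial setup (editing the values if you chose non-default answers), then on the rescue machine `mount_backup /media/backup/ecryptfs-record.txt /media/backup/encrypted /mnt/restore`. The record is deliberately safe to store in the clear: without the passphrase it reveals only the cipher and key size, which the eCryptfs file headers expose anyway.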