Friday, 30 July 2010

Encrypted Backups Part 2

After a bit of playing with the encrypted backup setup described in my previous post, I decided to expand on the idea and created a script that will look for "backup.lst" in the home directories of all users who are members of a backup group.

If the file is found, each line in it is treated as a file path to be backed up with rsync. The script follows; it's in the public domain so help yourself. If it's useful, please comment here :-)


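#!/bin/bash

# This script scans the home directories of all users in the
# group "backup" and looks for a file "backup.lst". If this file
# exists, each path listed in it is backed up remotely.

DESTIN=/home/local-user-name/Crypt
REMOTE=/home/local-user-name/Remote/
SERVER=remote-server:
RUSER=remote-user-name

# Mount the remote file system, then the encrypted view on top of it.
# Stop if either mount fails: otherwise rsync would write unencrypted
# copies into the plain local directory behind the mount point.
sshfs "$RUSER@$SERVER" "$REMOTE" || exit 1
if ! encfs --extpass=/home/local-user-name/extpass.encfs "$REMOTE/crypt" "$DESTIN"; then
    fusermount -u "$REMOTE"
    exit 1
fi

# Field 4 of the group entry is a comma-separated member list.
# Match "backup:" exactly so that other groups whose names start
# with "backup" are not picked up.
IFS=','
USER_LIST=`grep ^backup: /etc/group | cut -d: -f4`

for USR in $USER_LIST; do
    if [ -f "/home/${USR}/backup.lst" ]; then
        LOGFILE="/home/${USR}/backup.log"
        echo "Starting backup at `date`" >> "$LOGFILE"
        echo "Working for" "/home/${USR}/backup.lst" >> "$LOGFILE"
        if [ ! -d "${DESTIN}/${USR}" ]; then
            mkdir "${DESTIN}/${USR}"
        fi

        # Read the list one line at a time so that spaces and wildcard
        # characters in a path are not expanded by the shell.
        while IFS= read -r F || [ -n "$F" ]; do
            [ -n "$F" ] || continue    # skip empty lines
            rsync -v -a --delete "/home/${USR}/${F}" "$DESTIN/$USR/" >> "$LOGFILE"
        done < "/home/${USR}/backup.lst"
        echo "Backup done at `date`" >> "$LOGFILE"
        chown "${USR}:users" "${LOGFILE}"
    fi
done

# Unmount in reverse order: the encrypted view first, then the remote.
fusermount -u "$DESTIN"
fusermount -u "$REMOTE"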


The script makes use of a second helper script that provides the password for encryption so that everything can be run automatically via cron.


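#!/bin/sh
# extpass.encfs
# Prints the encfs password on stdout for --extpass.
# The password is stored here in clear text, so keep this file
# readable and executable only by the account that runs the backup.

echo "my-crypto-pass"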


Summary results of the backup are written into a file called "backup.log" in the home folder of each user that contained a "backup.lst" file.
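
The script above runs with enough privilege to chown each log file, and it passes every line of a user-written backup.lst straight to rsync. As an added example (not part of the original script; the function names safe_entry and filter_list are hypothetical, and GNU readlink -f is assumed), the following check keeps only entries that resolve to an existing path inside the user's home directory, so a line containing "..", an absolute path, or a symlink pointing elsewhere is skipped:

```bash
#!/bin/bash
# Added example, not from the original post. Assumes GNU "readlink -f".

# safe_entry HOME_DIR ENTRY
# Prints the resolved path and returns 0 only if ENTRY exists and, after
# following symlinks and "..", still lies strictly inside HOME_DIR.
safe_entry() {
    local home entry resolved
    home=$(readlink -f -- "$1") || return 1
    entry=$2
    case "$entry" in
        ''|'#'*) return 1 ;;   # blank line or comment
        /*)      return 1 ;;   # absolute paths are never accepted
    esac
    resolved=$(readlink -f -- "$home/$entry") || return 1
    [ -e "$resolved" ] || return 1
    case "$resolved" in
        "$home"/*) printf '%s\n' "$resolved"; return 0 ;;
        *)         return 1 ;;
    esac
}

# filter_list HOME_DIR LIST_FILE
# Reads LIST_FILE line by line (no word splitting, no globbing) and
# prints the entries that pass safe_entry. Rejected lines are reported
# on stderr so they can be appended to the backup log.
filter_list() {
    local home list line
    home=$1
    list=$2
    while IFS= read -r line || [ -n "$line" ]; do
        if safe_entry "$home" "$line" >/dev/null; then
            printf '%s\n' "$line"
        elif [ -n "$line" ]; then
            printf 'skipped: %s\n' "$line" >&2
        fi
    done < "$list"
}
```

In the main loop, the output of filter_list "/home/${USR}" "/home/${USR}/backup.lst" would take the place of the raw contents of backup.lst.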

Sunday, 25 July 2010

Encrypted Backups with rsync and FUSE

Recently I set up a backup solution between my home server and a friend's. However, I decided that I really needed to keep my data as safe as possible when it's out of my direct control. Being the paranoid person I am, that meant encryption.

Introducing rsync.
rsync is a very handy command that works on its own as a capable backup solution. It's designed to copy only the minimum amount of data needed to represent changes to the files you wish backed up. Combined with ssh, this allows a secure remote backup system that minimises bandwidth usage.

Adding encryption.
Encryption by its very nature will try to obscure the data you're dealing with; a small change to part of a single file can result in every byte of that file being changed. If you're working with encrypted disk images, then this could mean that every part of the image is changed. This property is great for strong encryption but completely destroys rsync's ability to detect changes and minimise bandwidth. This can result in huge amounts of data being transmitted every time you back up even a minor change.


FUSE to the rescue.
FUSE (File system in USEr Space) is a fantastic project that makes it easy to implement new and interesting utility file systems. It also allows these file systems to be used by a regular user without the need for root level access. Two file systems built using FUSE are Sshfs and Encfs. Sshfs allows the mounting of a remote file system via an ssh link to the machine. Encfs is an encrypting file system; it allows mounting of an encrypted source directory to some destination. Any files written into the destination directory will be encrypted and stored in the source directory.

With these two components we have everything we need to use rsync with encryption effectively. First we use sshfs to mount the remote file system


sshfs remote_user@remote_server: /home/local_user/backup


then we use encfs to mount a folder within the remote file system to a second local folder.


encfs /home/local_user/backup/encrypted /home/local_user/clear


finally we tell rsync to backup files as if to a local folder and point it at our encfs mount point.


rsync -v -a --delete /home/local_user/stuff_to_backup /home/local_user/clear


and there we go. rsync will do its job and write only the minimum bytes to represent the changes, encfs will encrypt this, and finally sshfs will tunnel it all to the remote server. The exact bandwidth usage will depend on how encfs encrypts its files. After you're done, unmount sshfs and encfs thus


fusermount -u /path/to/mount_point


A better solution would be to mount the encfs folder on the server side before using rsync via sshfs. However that would require having fuse and encfs installed on the target server.