Encrypting home dir and making encrypted backups

Today I would like to describe two things. Encryption of the home directory in Linux using eCryptfs and how you can make incremental backups of your home directory to the cloud and sync it between different computers in a secure manner using CLI tool duplicity.

Encrypting home dir

I would suggest to have enabled encryption of your home directory, so when you are not logged in - your home dir can not be read if someone get a physical access to your computer. A package eCryptfs helps to achieve this. eCryptfs uses your password to cypher your home dir and stores it in its own directory in encrypted format. After logging in, it mounts deciphered contents of your home dir to /home/YourUserName. Everything works transparently and does not affect backuping (we read/write files after they being decrypted).

To enable encryption, run the following command under another user with the root privileges on the same machine:

ecryptfs-migrate-home -u <YourUserName>

Carefully read the output of this program. It will create unencrypted backup copy of your home dir in /home/YourUserName.something You need to login as the user with encrypted home before rebooting. After logging in, you can clean-up the backup. Additionally, after log in your are asked to run:

ecryptfs-unwrap-passphrase

This command will print the passphrase required to mount your home dir in the manual mode (when you are not able to login to your device). Since we are doing backups we are not afraid to loose access to our data on a particular device, but at the same time encrypted home dir is an additional layer of security, that will give you peace of mind.

Creating encrypted backups

You need to have a pair of public/private key for your backups. You encrypt backups using the public key, that means only the person who has the private key from this pair (only you) can decipher the data. duplicity works with GPG. So to create the key pair:

gpg --gen-key

I would protect the private key with a passphrase and add the comment that it’s for backups. Also I would store it on some USB flash drive (copy ~/.gnupg).

To get the id of the generated public key:

gpg --list-keys

(It should be after the slash in the corresponding “pub” line).

duplicity works with numerous destinations, here I will give only two examples - one for a locally mounted flash drive and one for a remote server with ssh access.

Here are two examples:

To a server:

duplicity --encrypt-key <YourPublicKeyIdr> --exclude /home/<YourUserName>/.cache /home/<YourUserName> scp://root@<YourServer//root/backups/home/>

To usb flash drive:

duplicity --encrypt-key <YourPublicKeyId> --exclude /home/<YourUserName>/.cache /home/<YourUserName> file:///media/<path_to_usb/backups/home>

That’s it. During the first run against some destination duplicity will take some time to create a full backup, but the next time it will upload only the difference.

Recovering from backups / syncing

To get the backup in some local dir just run:

duplicity <backupUrlr> <localDir>

The complete recovery/sync script might look like this:

set -e

rm -rf /home/YourUserName/restoration_bckup

echo "Running duplicity $1 /home/YourUserName/restoration_bckup"
duplicity "$1" /home/YourUserName/restoration_bckup/

echo ""
echo "Consider deleting these files and directories after:"
echo ""
diff -r -q /home/YourUserName /home/YourUserName/restoration_bckup | grep -v "/home/YourUserName/restoration_bckup"


while true; do
    read -p "Do you want to sync home with the backup? " yn
    case $yn in
        [Yy]* ) rsync -avu "/home/YourUserName/restoration_bckup/" "/home/YourUserName/" ; break;;
        [Nn]* ) exit;;
        * ) echo "Please answer y or n.";;
    esac
done

rm -rf /home/YourUserName/restoration_bckup

It takes the URL of the backup as an argument, extracts the backup to a separate folder and then rsyncs it to the home dir. With the specified options rsync will not overwrite local files if they have newer modification time, also without --delete option rsync does not delete extraneous files from the dest dir.

Reminders to make backups

Its a good idea to make backups regularly, you can use a cron job for this, but I prefer to have just reminders and launch the backup script manually, so I always remember when I had the last backup and if it was is unsuccessful for any reason.

An example for reminder script that you can invoke from your .bashrc:

dow=$(date +%u)
if  [ $dow -eq 1 ]
then
  echo "::::::::::::::::::::::::::::::::::::::::::::::::::::::::"
  echo "::Its time to make a backup! See: ~/scripts/backuping/::"
  echo "::::::::::::::::::::::::::::::::::::::::::::::::::::::::"
fi

Here “1” means - Monday, so every Monday bash will remind you that its time to run a backup script.

So these one-liners, some free software, usb flash, and a rented server are all you need. Just keep your flash drive with the keys in some safe place, remember your passphrase, launch backups regularly and have less worries.