Back up of encrypted home dir of logged users impossible

Bug #365596 reported by Milan Knizek

This bug report was converted into a question: question #68551: Back up of encrypted home dir of logged users impossible.

Affects: eCryptfs | Status: Invalid | Importance: Undecided | Assigned to: Unassigned

Bug Description

Once the user logs in, $HOME/.Private is replaced by decrypted files, effectively hiding the encrypted ones.

This seems to me to be a design error. The .Private directory should be outside of the user's home directory to allow for backup of a live system with users logged in (no matter that this is not recommended due to possible on-going changes to the file system).

Ubuntu 9.04 amd64. Affects adduser --encrypt-home and possibly ecryptfs-setup-private --all-home

Dustin Kirkland (kirkland) wrote:

Actually, it is possible to get to your encrypted data!

Try this:

 $ umount.ecryptfs_private && cd $HOME/.Private && mount.ecryptfs_private

This should momentarily unmount your home (or private) directory, put you in your encrypted directory, and then remount it (as quickly as possible).

This is how I back up my encrypted data!

:-Dustin

Changed in ecryptfs:
status: New → Invalid
Milan Knizek (knizek) wrote:

Interesting, I did not know that this is possible and it seems to work also with a running gnome session.

However, I wonder if the same can be done by a cron job to do the backup - I guess the cron job (run as root) does not have access to keyrings of the logged users (I have a multi-user environment). I'll try it later.

Dustin Kirkland (kirkland) wrote: Re: [Bug 365596] Re: Back up of encrypted home dir of logged users impossible

Note that root could establish a bind mount of your .Private
directory, if he wished.

Perhaps do something like this:
 # mkdir /home/.$USER
 # mount -o bind /home/$USER/.Private /home/.$USER

:-Dustin

Rafał Błaszczyk (rblaszczyk) wrote:

Dustin - you cannot do that: the user is logged in and /home/$USER/.Private is not visible (it's overmounted). Your solution with unmounting is also not good enough - there is a good chance the user is using some files and you cannot unmount.

There's an easier solution. You can mount /home in another directory using the --bind option. The default behaviour of bind doesn't mount the submounts, so you can easily access the .Private dirs in home directories.

To do that I use /etc/fstab line:
/home /home-bind none ro,bind

Now I have all home directories visible in /home-bind as if the users weren't logged in (they are not overmounted). Read-only - just enough for backup (you can make that rw for further restores).
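
The read-only, non-recursive bind-mount approach from the comment above, turned into a root cron script as an added example (not code from this thread or from the eCryptfs project): it mounts /home on /home-bind if nothing is mounted there yet, refuses to copy from any directory where an ecryptfs view is still mounted inside the bind tree, and rsyncs each user's .Private ciphertext plus the .ecryptfs metadata. The /home-bind and /var/backups/ecryptfs paths, and the assumption that .ecryptfs sits next to .Private in the user's home, are mine, not the page's.

```shell
# Added example, not code from the bug thread or the eCryptfs project.
# Root cron backup of eCryptfs ciphertext through a read-only,
# non-recursive bind mount of /home: a plain "bind" (not "rbind") does
# not carry the per-user ecryptfs mounts, so /home-bind/$USER still
# shows .Private and .ecryptfs while that user is logged in.
set -eu

HOME_ROOT=/home
BIND_ROOT=/home-bind            # assumed mount point
DEST=/var/backups/ecryptfs      # assumed backup destination

# Print the fstype mounted exactly on $2, parsing mountinfo-format text
# from file $1 (field 5 = mount point, fstype = first field after "-").
# Prints nothing when no filesystem is mounted on that path.
fstype_on() {
    awk -v mp="$2" '{
        sep = 0
        for (i = 1; i <= NF; i++) if ($i == "-") { sep = i; break }
        if (sep && $5 == mp) print $(sep + 1)
    }' "$1"
}

# Mount the read-only bind view unless something is already there.
ensure_bind() {
    mkdir -p "$BIND_ROOT"
    if [ -z "$(fstype_on /proc/self/mountinfo "$BIND_ROOT")" ]; then
        mount -o bind "$HOME_ROOT" "$BIND_ROOT"
        mount -o remount,bind,ro "$BIND_ROOT"   # enforce ro on old util-linux too
    fi
}

# Copy each user's ciphertext (.Private) and the wrapped-passphrase
# metadata (.ecryptfs, assumed to sit beside it) out of the bind view.
backup_private() {
    ensure_bind
    for d in "$BIND_ROOT"/*; do
        [ -d "$d/.Private" ] || continue
        u=${d##*/}
        # Never copy a decrypted view that leaked into the bind tree.
        if [ "$(fstype_on /proc/self/mountinfo "$d")" = ecryptfs ] ||
           [ "$(fstype_on /proc/self/mountinfo "$d/Private")" = ecryptfs ]; then
            echo "skip $u: ecryptfs is mounted inside $BIND_ROOT" >&2
            continue
        fi
        mkdir -p "$DEST/$u"
        rsync -a --delete "$d/.Private/" "$DEST/$u/.Private/"
        [ ! -d "$d/.ecryptfs" ] || rsync -a "$d/.ecryptfs/" "$DEST/$u/.ecryptfs/"
    done
}
case "${1:-}" in run) backup_private ;; esac   # only acts when invoked with "run"
```

Restoring still needs the user's login/mount passphrase, since only ciphertext and the wrapped passphrase are copied; root never needs the user's keyring for the backup itself.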

Dustin Kirkland (kirkland) wrote:

Rafał-

This is what I meant, when I wrote:
> Note that root could establish a bind mount of your .Private
> directory, if he wished.

I really like your solution, though. Bind-mounting all of /home
read-only is very elegant! This is something I might look into for
Karmic.

:-Dustin
