Sync confidential files between unixes using cloud storage and encfs

Updated . Posted . Visible to the public. Deprecated.

Encfs is no longer considered secure for this usecase!

Note: You might also want to check out BoxCryptor Show archive.org snapshot which does pretty much the same, and is supported across many more platforms. I just didn't want to use Dropbox...

I use Ubuntu One to automatically sync confidential files between my machines. The encryption is done via encfs, which is a file-based encryption that simply puts encrypted versions of files from one folder into another. This is well-suited for cloud storage, since it allows syncing single files, not whole crypt containers.

Recipe

I'll assume your local home directory is already secure, and the folder we'll sync is ~/sync. You can set it up like this:

  • Sign up with Ubuntu One (found under SystemSettings on a ubuntu box) or any other cloud storage. We assume the synced folder is ~/Ubuntu One

  • Create a folder holding your encrypted data in your cloud storage folder:
    mkdir ~/Ubuntu\ One/encrypted

  • Create a random keyfile
    dd if=/dev/urandom of=~/.sync.key bs=256 count=1
    chmod 600 ~/.sync.key

  • Put this script (let's call it mount-ubuntu-one-sync) somewhere on your path:
    #!/bin/sh

    mkdir -p ~/sync
    
    KEYFILE=~/.sync.key
    encfs --extpass="cat $KEYFILE" ~/Ubuntu\ One/encrypted ~/sync
    
  • Run mount-ubuntu-one-sync once. It should ask you for some encfs settings; just press ENTER.

  • Test it by putting some file into ~/sync. An encrypted version of your file should show up in ~/Ubuntu One/encrypted

  • Distribute the script and your keyfile to all your machines. Remember to keep the keyfile secure (take care of the permissions!).

  • Put the mount script somewhere in your startup scripts. On Gnome, run gnome-session-properties, and just add it there.

Caveat

Ubuntu One (and Dropbox) do not sync file permissions, so on your other machine, files will end up with incorrect permissions.

This is annoying, but not a security risk, since everything in the ~/sync folder is only readable for the user that mounted it.

Tobias Kraze
Last edit
Tobias Kraze
License
Source code in this card is licensed under the MIT License.
Posted by Tobias Kraze to makandra dev (2012-05-25 12:48)