Jun 02, '08 07:30:00AM • Contributed by: mikebremford
The solution is to use EncFS on the server. This ensures files are stored encrypted (the password is stored in a file on the client, safely inside the FileVault protected home directory). Only SSH access to the server is required, no special encrypted volume is used (so the encrypted backup can easily be backed up itself), and root access is only required to install EncFS and add the user to the correct group. Here's what you need to do:
- Set up a user account on the server, and ensure you can log in from the client with SSH using a public key with no password.
- On the server, install EncFS. You will need at least version 1.4.
- On the server, ensure each user that will be backing up is a member of the "fuse" group, eg. usermod -a -G fuse mike
- If you want to back up files with resource forks or extended attributes, make sure the client and server are both running rsync version 3.0 (version 2.6.3 is included in 10.5). This compiles easily for OS X -- just download, ./configure and make, then put the rsync binary somewhere in your path. Do the same on the server.
So, for example, to back up a user called "mike" on the host "macbook", do:
bash$ encfs /mnt/backup/.mike@macbook /mnt/backup/mike@macbook.local
The directory "/mnt/backup/.mike@macbook" does not exist. Should it be created? (y,n) y
The directory "/mnt/backup/mike@macbook" does not exist. Should it be created? (y,n) y
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?>
Standard configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
New Encfs Password: *****
Verify Encfs Password: *****
Now on the client, create a folder (we use $HOME/bin/backup), cd into it, and run the following command: echo secret > password; chmod 600 password, where secret is the password you used on the server. Then save the following file as backup, and chmod 755 backup (remember to change the host and path):
What this script does is:
- Check to see if the machine set by REMOTEHOST is on the local network and not too busy.
- If the file password is readable, use its contents as the password to mount the encrypted filesystem on the server.
- Run rsync to back up the users home directory over ssh to that folder. The file EXCLUDES contains a list of folders that will not be backed up - man rsync for more details on this.
- When the backup is complete, the encrypted folder will be automatically unmounted shortly thereafter.
- All output is written to the logs folder, and notices about the backup are sent to the system logger.
0 13 * * 1-5 $HOME/bin/backup/backup
To access the backed-up files on the server, simply log on and run encfs /mnt/backup/.user@hostname /mnt/backup/user@hostname. Enter your password and the files can be recovered.
[robg adds: I haven't tested this one...]
