Encryption for online backup services

[manosx]

This is a guide on how to use encryption with the encfs in online backup services like dropbox and Ubuntu one. I guess it can be used for other online backup services.
Encfs is used because it is pass through. This means that the encryption is happening per file, allowing us to change files without the need to upload the hole block device.
The block device is represented as a file. When using this method, of one block device, the online backup service sees only that file, resulting uploading the hole file again for a small change (changing a file of some KB for example).
(I am not aware if a service does this 'byte wise' or 'block wise', that is to upload only the changes.

The instructions:
1. Set up the online back up service, I will use as example Ubuntuone.
Create the account in ubuntuone website and install the client.

Code:

sudo apt-get install ubuntuone-client

2. Install encfs and fuse-utils (fuse-utils allows userspace programs to export a virtual filesystem).

Code:

sudo apt-get install encfs fuse-utils

3. Create the directory that you want to be encrypted in the online backup service directory and the directory you want to see the unencrypted data. (the second will not be in the backup service directory of course!)

Code:

cd ~
mkdir Ubuntu\ One/encrypted/ 
mkdir Ubuntu_secure/

4. Create the partition.

Code:

encfs /home/[your username]/Ubuntu\ One/encrypted/ /home/[your user name]/Ubuntu_secure

Change [your username] with your username!
The first time it will create the filesystem and it will ask you for a password (twice).
Every other time, this command will mount your partition asking you your password (once).
You can now see a new device. Copy you data there and see the folder ~/Ubuntu One/encrypted/ to fill with encrypted data!

5. To unmount the volume you do:

Code:

fusermount -u /home/[your username]/Ubuntu_secure

In any other system you go and set up the online backup service, you will have your files encrypted. You need to have encfs and fuseutils installed. Encfs will see the encfs6.xml (maybe other name in other systems), and mount the partition providing the correct password.

Do it automatic with a script!
You can mount/unmount the encrypted data automaticly with a script!
The script:

Code:

#!/bin/bash
volume="/home/[your username]/encrypted"
if [ -d $volume ]; then
	if mount | grep "on $volume type" > /dev/null; then
		fusermount -u /home/[your username]/Ubuntu_secure
		echo "Drop Box encrypted partition unmounted"
		sleep 1
	else
		encfs /home/[your username]/Ubuntu\ One/encrypted/ /home/[your username]/Ubuntu_secure
		echo "Drop Box encrypted partition mounted"
		sleep 1
		fi
else
	echo "Directory doesn't exist, do: mkdir $volume"
	sleep 2
fi

Copy this code in a file ubuntuone.sh in your home directory for example. Change it to your needs. Make the script executable:

Code:

cd ~
chmod +x ubuntuone.sh

The script checks if the volume is mounted. If it is, it unmounts it. If it's not, it mounts it (will ask you for password).
If the mount point doesn't exist, it will tell you how to create it.
You run it by double clicking and selecting 'Run in terminal', or from the console with

Code:

cd ~
sh ubuntuone.sh

Call the script from a launcher
You can also make an application launcher in gnome panel to run your script. The command of the launcher can be:

Code:

xterm -geometry 45x3+0+0 -bg black -fg red /home/manos/ubuntuone.sh

The option -bg is the background colour and -fg the characters colour. In the -geometry is the placement/size of the window, this is top left.
For more information on how to run xterm the way you like it:

Code:

man xterm

[pascal91]

This can be done with a GUI tool like cryptkeeper. First, install it :

Code:

sudo apt-get install cryptkeeper

Then, launch cryptkeeper (in system tools category) or add it to started up applications.
Finally, use the cryptkeeper icon displayed in the notification area ("system tray") to define some encrypted folders and mount/unmount them.

[manosx]

With cryptkeeper you can do the hole thing through a GUI!
Very nice tool

[thebear78]

Interesting. My concern is how have you found synchronization to other computers functioning with this method? Is the encrypted data usable if you encrypt on computerA, sync up to Ubuntu One, and sync down to computerB? What about sharing folders with others? Seems like this only gives you an encrypted backup in the cloud for a single computer. I could be wrong though. Thanks.

[manosx]

Actually the encfs is checking the file .encfs6.xml in the encrypted directory. I have three computers that i share data between. One of them have no access to fast Internet.
I encrypted the data in one computer.
The second computer synchronized. It took also the file .encfs6.xml, then i encfs-mount it correctly.
I copy the hole encrypted dir to the computer with the slow Internet with other means(external hard disk). When it went online it synchronized without downloading the files.

I also checked having it mounted to two locations (I mean dropbox working and mounted with encfs). I could write/delete files from one point and the other synchronized.

[micdhack]

With cryptkeeper you can do the hole thing through a GUI!
Very nice tool

I configured everything through the gui although there is one problem. I don't know how i can change the mount directory to be outside the Ubuntu one directory.

Update: i found a way. At first you use the commandline encfs to create the folder and then you import it. The cryptkeeper will prompt you to enter the mount directory.

[Nisal]

nice in4 thanks

[Despot]

Thanks for the tutorial. As noted by micdhack, if you use cryptkeeper, it's important to define things manually first so that things end up in the right spots. Maybe an update to the original tutorial would be worthwhile?

This might help somebody else: I've been messing around with the folder structure in Ubuntu One a bit (particularly, I've been experimenting with whole-folder encryption by replacing the Ubuntu One folder with a symlink to an encrypted folder), and occasionally it seems to get the sync daemon a bit confused. Logging out and logging in again seems to fix things right up, and I imagine restarting the daemon would have the same affect.

[duanedesign]

This is a very interesting thread. Thanks manosx and others who have contributed to this thread.

[igorlopez]

Thanks for the good explanations.
I have a question on how it is supposed to work.

Scenario:
I have two PC that I would like to share encrypted files between using Ubuntu One.

What I did was to create an encrypted folder with encfs inside the Ubuntu One folder as explained by manosx. This was done on both computers.
Both PC's folders (encrypted) are synced as expected but I do not understand how to set it up such that the Ubuntu_secure folder is automaically updated, i.e I would like to work with the decrypted file in Ubuntu_secure.

Sorry for such a dumb question.