I selected /home/ to be encrypted when I was installing Ubuntu. Now, is it possible to make locate
work with an encrypted partition like this?

3 Answers
I both "run locate (updatedb) when I'm logged in", as mentioned above, and I keep my part of the locate database under my encrypted $HOME.
export LOCATE_PATH="$HOME/var/mlocate.db"
and then I index the files in $HOME with
updatedb -l 0 -o $HOME/var/mlocate.db -U $HOME
Now I have a complete index of $HOME, but the database isn't visible unless $HOME is mounted and decrypted.

I didn't. I just generated a db for my (encrypted) home tree, with `updatedb -l 0 -o $HOME/var/mlocate.db $HOME`. `man locate` says it will search the default database (`/var/lib/mlocate/mlocate.db`), then the list of databases in `$LOCATE_PATH`. – waltinator Jan 09 '12 at 06:46
Don't "remove `ecryptfs` from the `PRUNEFS` definition in `/etc/updatedb.conf`". When you're logged in, `/home/$USER` is decrypted, but the encrypted files and filenames in `/home/$USER/.Private` should be ignored. When your `$HOME` is not mounted, others won't have access to the db or the (unencrypted) files or filenames. – waltinator Jan 09 '12 at 07:13
`updatedb -l 0 -o $HOME/var/mlocate.db $HOME` there is missing `-U`, it should be `updatedb -l 0 -o $HOME/var/mlocate.db -U $HOME` – destan Mar 22 '12 at 12:17
My bad, @destin I've extended my method to index removable media, too, using Steve Collyer's bash_path_funcs ( http://www.linuxjournal.com/article/3645 ). With the removable medium mounted (as `/media/_name_`) I do `updatedb -l 0 -o ~/var/mlocate/_name_.db -U /media/_name_`. In my `.bashrc`, I have `export LOCATE_PATH="$HOME/var/mlocate/mlocate.db"` `for i in $HOME/var/mlocate/*.db ; do` `addpath -p LOCATE_PATH $i` `done` `uniqpath -p LOCATE_PATH` and `locate` can show me filenames even when the medium is NOT mounted. – waltinator Mar 23 '12 at 04:42
What is the best place to add these lines to automate running the updatedb regularly when I'm logged in? – Ossi Viljakainen Sep 21 '16 at 10:15
@Ossi-Viljakainen: 2nd questions belong in their own question, so later users can find it. – waltinator Sep 23 '16 at 01:20
This works. However, how to inform mlocate to use the new mlocate.db database file? I now rely on the option -d i.e.: `mlocate -d ~/var/mlocate.db the_file_i_want.txt` – Martien Lubberink Mar 04 '18 at 22:15
@MartienLubberink 2nd questions belong in their own question, so later users can find it. – waltinator Mar 04 '18 at 23:30
See also this addition to .bashrc: https://unix.stackexchange.com/questions/428143/changing-the-default-database-for-locate-and-mlocate/428345#428345 – Martien Lubberink Mar 05 '18 at 18:57
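
An added example, not part of the answer or comments above: one way to rebuild the per-user index and assemble `LOCATE_PATH` from the databases under `$HOME/var/mlocate` without the external `addpath`/`uniqpath` helpers, leaving out any database that accounts other than the owner can read. The function names and the permission check are assumptions of this example; `stat -c` is the GNU coreutils form.

```shell
# Added example; build_locate_path and refresh_home_db are hypothetical names.

# Rebuild the index of $HOME with the same flags as the answer, then make
# sure only the owner can read the resulting list of filenames.
refresh_home_db() {
    mkdir -p "$HOME/var/mlocate" &&
    updatedb -l 0 -o "$HOME/var/mlocate/mlocate.db" -U "$HOME" &&
    chmod 600 "$HOME/var/mlocate/mlocate.db"
}

# Print a colon-separated LOCATE_PATH built from the *.db files in "$1".
# A database readable by group or others is skipped with a warning,
# because it exposes the filenames of the tree it indexes.
build_locate_path() {
    local dir db mode path
    dir=$1
    path=""
    for db in "$dir"/*.db; do
        [ -f "$db" ] || continue        # unmatched glob or not a regular file
        mode=$(stat -c '%a' "$db") || continue
        # The mode is octal; any bit in the group/other digits is too open.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "skipping $db: mode $mode is readable beyond the owner" >&2
            continue
        fi
        path=${path:+$path:}$db
    done
    printf '%s\n' "$path"
}
```

In `.bashrc` this would be used as `export LOCATE_PATH=$(build_locate_path "$HOME/var/mlocate")`.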
How about running updatedb when your file system is decrypted and try to match environment variables to read/write it?
After reading the man page, add two variables to your BASH RC file.
man locate
echo "export LOCATE_PATH=$HOME/var/lib/mlocate/mlocate.db:$LOCATE_PATH" >> ~/.bashrc
echo "export DBPATH=$HOME/var/lib/mlocate/mlocate.db:$DBPATH" >> ~/.bashrc
Make the directory specified above and add $username to the mlocate group.
mkdir -p ~/var/lib/mlocate/
sudo usermod -a -G mlocate $username
Log out and in again to count your user in the mlocate group and get the new environment variables. Now when you run,
updatedb -o $LOCATE_PATH
are the decrypted files in a locate database now? Or, what did you do to make it work or better?
You may also want to add updatedb to user's crontab. First run:
crontab -e
And add the following line:
0 12 * * * updatedb -o $HOME/var/locate

See my comment to Martin. I'm trying to understand if there are any security considerations or proper configuration was just overlooked by Ubuntu. – m33lky Jan 10 '11 at 00:23
Because of ecryptfs being listed in the PRUNEFS variable at /etc/updatedb.conf, you probably also need to use `--prunefs "nfs"`. This seems to be a good solution because it stores and updates a per user index from the user profile. – João Pinto Jan 10 '11 at 23:40
@m33lky The issue is this: you have asked to encrypt your homedir, so nobody (not even `root`!) can read it without the password. The smart solution is a per-user locate database. The easy solution for a single-user machine is to remove `ecryptfs` and scan when you are logged in. In the future, perhaps `locate` could aggregate results from the global DB and the current user's home DB. – joeytwiddle Jun 22 '13 at 12:29
It's not really possible to update the database index without being logged in. You should log in and run the updatedb command.
Check your config in `/etc/updatedb.conf`. Remove `ecryptfs` from `PRUNEFS` and probably `/home/.ecryptfs` from `PRUNEPATHS`. Don't forget to run `sudo updatedb` after.

updatedb.conf prunes ecryptfs. Also, PRUNE_BIND_MOUNTS="yes". I'm trying to understand the reasoning behind such defaults as this is not user-friendly to have results from /home missing in your searches :) – m33lky Jan 10 '11 at 00:21
I'm guessing the functionality for home is to have a per user indexer... but that's speculation. – Martin Owens -doctormo- Jan 10 '11 at 04:31
Without encryption /home gets indexed, so I expect the same behavior... – m33lky Jan 10 '11 at 04:34
Then figure out how to make a global index of an encrypted partition that doesn't count as a security breach. You're asking for the logically impossible. – Martin Owens -doctormo- Jan 10 '11 at 04:42
You're making up an impossible problem. Encrypting the db would do just fine. – m33lky Jan 12 '11 at 06:52
If you encrypted the entire disk, this wouldn't be an issue, if you only had a home encryption then you now need to start indexing per user and using each individual encryption... in fact you might as well just stash the home index in the user's home folder.... all of which is major development and cost for something most users never see. Please report the bug against the locate database tools project. – Martin Owens -doctormo- Jan 12 '11 at 07:06
`/home` is a virtual file system (ecryptfs). It is "mounted" as an accessible partition when you log in. Check your /etc/updatedb.conf and a) remove ecryptfs from ignored file systems (PRUNEFS) b) change to PRUNE_BIND_MOUNTS="no" – m33lky Feb 26 '11 at 03:56
`sudo updatedb` to index new files. – m33lky Feb 26 '11 at 04:03
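
An added example, not from any of the posts above: a check of the `/etc/updatedb.conf` settings this thread discusses, reporting when any of them has been changed from the defaults the comments describe, so that a system-wide `sudo updatedb` run while a home directory is decrypted would record its filenames in the global database outside the encrypted tree. The function names and the sample configuration are constructed for this example.

```shell
# Added example; function names are hypothetical, sample_conf is constructed.
sample_conf() {
    cat <<'EOF'
PRUNE_BIND_MOUNTS="yes"
PRUNEPATHS="/tmp /var/spool /media /home/.ecryptfs"
PRUNEFS="NFS nfs nfs4 proc tmpfs ecryptfs"
EOF
}

# Print the value of variable $1 from updatedb.conf-style file $2
# (NAME = "value" lines; lines starting with '#' are comments).
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" |
        tail -n 1
}

# Succeed if the whitespace-separated list $1 contains the word $2.
list_has() {
    case " $(printf '%s' "$1" | tr '\t' ' ') " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Return 0 when file $1 still keeps eCryptfs mounts out of the system-wide
# database; otherwise print one line per finding and return 1.
audit_updatedb_conf() {
    local conf fs status
    conf=$1; status=0
    # updatedb.conf(5): file system type matching is case-insensitive.
    fs=$(conf_value PRUNEFS "$conf" | tr '[:upper:]' '[:lower:]')
    if ! list_has "$fs" ecryptfs; then
        echo "PRUNEFS: ecryptfs not pruned, decrypted names reach the global db"
        status=1
    fi
    if ! list_has "$(conf_value PRUNEPATHS "$conf")" /home/.ecryptfs; then
        echo "PRUNEPATHS: /home/.ecryptfs not pruned"
        status=1
    fi
    case $(conf_value PRUNE_BIND_MOUNTS "$conf") in
        yes|1) ;;
        *) echo "PRUNE_BIND_MOUNTS: not set to yes"; status=1 ;;
    esac
    return $status
}
```

On a real system the call is `audit_updatedb_conf /etc/updatedb.conf`.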