2

If I have two folders E and D and a passphrase P, in a typical ecryptfs setup I would do something like this:

  • I set up folder E to be the encrypted version of folder D, using passphrase P to do the encryption/decryption.
  • Folder E stores the actual data to disk, encrypted.
  • Folder D is my live interface as a user, representing the data to me, decrypted on the fly.

But, can I also use this the other way around?

  • I still set up folder E as the encrypted version of folder D, using passphrase P as the key for encryption.
  • However, I interact directly using folder E. Folder E contains, from my perspective as a user, my regular "decrypted" data.
  • Folder D considers E as being encrypted, and represents a live view of that data "decrypted" using passphrase P, actually encrypting it in the process.
  • I would be able to use folder D as the primary source for a backup of my data in folder E to a public cloud provider.

Any thoughts?

Sam Van den Eynde
  • I don't get that point: "However, I interact directly using folder E. Folder E contains from my perspective as a user, my regular "decrypted" data." Why would you want to do that instead of just using D? – pLumo Nov 14 '17 at 12:51
  • Because this is perfectly possible as it's now: "I would be able to use folder D as the primary source for a backup of my data in folder E to a public cloud provider." – pLumo Nov 14 '17 at 12:52
  • The reason is I am replicating this data on the LAN, and any scenario where the decrypted folder would not be mounted could have severe consequences. What I propose would be far more robust from that point of view. – Sam Van den Eynde Nov 14 '17 at 15:48

2 Answers

0

As far as I could test, ecryptfs does not support a feature as encfs does: "Filesystem that gives an encrypted view of a directory—the inverse of EncFS" still seems to be the way to go.

I wanted to "avoid" encfs because of some security fuzz around it, but I assume it is better than plain data anyway.

Sam Van den Eynde
  • I read the audit of EncFS and some issues were fairly common to any encryption (attacker with repeated rw access could be trouble), or should tweak a few things (64-bit's too small), and non-standard things. But editing the config file & inserting holes undetected are concerning. But keeping a secure copy of the config file &/or a hash of all encrypted files should detect tampering... It all really depends on your threat model, EncFS may not protect against a government or big corp., but should be great against siblings & common thieves. Or just add a LUKS file for life-critical data – Xen2050 Nov 20 '17 at 01:48
0

Assuming you don't want the added space of an encrypted backup folder just using eCryptfs, you might want to look into CryFS.

It seems to be designed with cloud storage in mind, attempting to hide all file & directory metadata. Sounds similar to taking a LUKS container and storing each individual block as a file (but probably using clumps of blocks, to avoid millions of 512-byte files).

It's in the Debian (Stretch/Stable[9], Buster/Testing[10], Sid) & Ubuntu (Zesty[17.04], Artful[17.10] & Bionic[18.04]) repositories, while their webpage has downloads for some older versions.

I'm not 100% sure if it supports the --reverse view of EncFS you seem to be indirectly looking for, but the cloud software I found for Linux all makes a local copy of the cloud files anyway, so again you'd have an encrypted "backup" folder.

Xen2050