
How to mount an encrypted drive from an ISP backup server using encfs and autofs (update)

ISPs often offer external disk space together with their server packages, to store several GB of data for backups. Usually this storage space can be accessed via ftp/sftp, nfs or cifs (Samba / Windows shared folder). But that usually means that our data is stored unencrypted on an external server we don’t control.

But there is quite an elegant solution to this using autofs and encfs to automount and encrypt that storage space.

Our goal is to create a folder that, when accessed for example via “ls -al”, automatically mounts our storage space via cifs and decrypts the data in a transparent manner. So we don’t have to bother mounting anything manually.

The basics for this blog entry were taken from Jinn Koriech’s blog entry (Jinn Koriech’s Blog) from 2010. His guide was almost complete, but lacked automounting of the encfs folder.

Preliminary remarks

autofs
The autofs tool provides virtual folders that are automatically mounted in the background when accessed. Unmounting after a certain idle time is possible as well.

encfs
Encfs encrypts data in userspace without the use of containers. The folder and file names are encrypted as well as the file contents.

All examples are based on Ubuntu/Debian, 12.02 LTS to be specific. Other systems may require some changes.

Installation

First we install encfs, autofs and the cifs utilities using apt-get.

apt-get install encfs autofs5 cifs-utils

Configuration

autofs
The configuration files for autofs are located in the /etc/ folder and have to be named like auto.xyz. The main configuration file is auto.master; that is the one we are editing now. We add a new line pointing at our own map file, using auto.hetzner as an example.

#
#/net   -hosts
/net  /etc/auto.hetzner  --timeout=150
#
...
#+auto.master

We comment out the line with +auto.master. Now every mount point below /net is handled by the auto.hetzner map file. We now create that file, /etc/auto.hetzner, with the following content.

ht-backup  /        -fstype=cifs,credentials=/etc/backup/samba.auth  ://bserver.tld/backup \
           /decrypt -fstype=encfsextpw,autofs,credentials=/etc/backup/encfs.sh,rw  :/net/ht-backup/

This creates a new, so-called multi-mount point. If /net/ht-backup is accessed, autofs will also mount /net/ht-backup/decrypt.

The first line mounts our cifs folder from the backup server. In this example that’s a folder called backup on bserver.tld. The second line mounts the /net/ht-backup folder using encfs to /net/ht-backup/decrypt.

For that to work we have to make some other changes first.

cifs
As you probably noticed in auto.hetzner, we referenced a file called /etc/backup/samba.auth. That’s the next file we are creating. You may choose the path to your liking, but remember to put in the username and password for your backup server and to make the file readable by root only. In our example the server name is bserver.tld. The file looks like this:

username=u1111111
password=P4SSW0RTSECRE7

We also have to create two new folders on our backup server. This works best by logging in via an ftp/sftp client of your choosing, or by mounting the share temporarily. The root directory of the storage space should look like this:

backup
backup/decrypt

If we now try to list the content of /net/ht-backup we should already see the decrypt folder.

ls -al /net/ht-backup

If the decrypt subfolder is not shown, try checking your syslog.

encfs
Because there is no flexible encfs mount script that provides an option to use a password file, we create our own custom script for that purpose.

Use it with caution: this might have an impact on your server security.

We call our new script /sbin/mount.encfsextpw. That’s the helper mount(8) looks up for the type encfsextpw we referenced earlier in the /etc/auto.hetzner file.

Update 27.01.2017: check for the new “-n” parameter from automount.

#!/bin/bash
# /sbin/mount.encfsextpw: mount helper called by mount(8)/autofs as
#   mount.encfsextpw SOURCE MOUNTPOINT [-n] -o OPTIONS

SOURCE="$1"
MOUNTPOINT="$2"
AUTOFS=0
NEWOPTIONS=""
EXTPASS=""

# Autofs adds -n (do not write /etc/mtab) if mtab is a symlink; then the
# -o flag and the option string shift by one position. This must be a
# string test: inside (( )) "-n" would be evaluated as arithmetic.
if [ "$3" = "-n" ]; then
 OPTIONS="$5"
else
 OPTIONS="$4"
fi

# Pull the credentials= and autofs options out of the option string;
# everything else is passed on to encfs/FUSE unchanged.
IFS="," read -ra PARAMS <<< "$OPTIONS"
for i in "${PARAMS[@]}"; do
 IFS="=" read -ra MYVAR <<< "$i"
 if [ "${MYVAR[0]}" = "credentials" ]; then
  EXTPASS="${MYVAR[1]}"
 elif [ "${MYVAR[0]}" = "autofs" ]; then
  AUTOFS=1
 else
  NEWOPTIONS="$NEWOPTIONS$i,"
 fi
done

# Save options without the special vars, dropping the trailing comma
# (works even when nothing is left; ${VAR:0:-1} would fail on an empty string)
OPTIONS="${NEWOPTIONS%,}"

if [ -z "$EXTPASS" ]; then
 echo "mount.encfsextpw: no credentials= option given" >&2
 exit 1
fi

# Debug output goes to syslog rather than a predictable path in /tmp
logger -t mount.encfsextpw "autofs=$AUTOFS options=$OPTIONS"

# Only pass -o when there is something left to pass
if [ -n "$OPTIONS" ]; then
 FUSEOPTS=(-o "$OPTIONS")
else
 FUSEOPTS=()
fi

if [ "$AUTOFS" = 1 ]; then
 # Mount via autofs (option autofs): autofs handles the idle timeout itself
 encfs --extpass="${EXTPASS}" "$SOURCE" "$MOUNTPOINT" "${FUSEOPTS[@]}"
else
 # Regular mount with type encfsextpw: let encfs unmount itself when idle
 encfs --ondemand --idle=1 --extpass="${EXTPASS}" "$SOURCE" "$MOUNTPOINT" "${FUSEOPTS[@]}"
fi

encfs expects a program that prints the password (the --extpass option). We create that file as /etc/backup/encfs.sh.

#!/bin/sh
echo "mySecr3tPw"

We change the file permissions so that it is readable and executable by root only.

For a first test we now mount our folder manually.

encfs /net/ht-backup /mnt/

On the first run encfs might ask for the password to initialize the encryption. Enter the same password as set in the encfs.sh file before, or change that file accordingly.

Once that’s done, unmount it again using umount /mnt.

Testing

To test our setup we now display the contents of our decrypt folder and create some test files there.

ls -al /net/ht-backup/decrypt
touch /net/ht-backup/decrypt/testfile
mkdir /net/ht-backup/decrypt/testordner
ls -al /net/ht-backup/decrypt
ls -al /net/ht-backup

That creates a file named testfile and a folder named testordner. Both should be shown by the second ls command. The third ls command should show the encrypted version of those names.

Notes

As long as the password files are readable only by root this is all quite secure. Non-root users don’t have access to the decrypt folder even if it is mounted.
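The two sections above both rely on /etc/backup/samba.auth and /etc/backup/encfs.sh being owned by root with no group or other permission bits. The following shell function is an added check, not part of the original post, that verifies exactly that before the files are used; the owner argument and the temporary demo files (one correct, one too permissive) are assumptions so it can be run without root.

```shell
# check_secret_file FILE [OWNER]: succeed only if FILE is a regular file,
# owned by OWNER (default root) and without any group/other permission bits,
# the state the text requires for samba.auth and encfs.sh.
check_secret_file() {
  f="$1"
  want_owner="${2:-root}"
  if [ ! -f "$f" ]; then
    echo "$f: not a regular file" >&2
    return 1
  fi
  # ls -ld prints e.g. "-rw------- 1 root root 12 Jan  1 00:00 /etc/backup/encfs.sh";
  # columns 5-10 are the group and other permission bits, field 3 is the owner.
  line=$(ls -ld "$f")
  perms=$(printf '%s\n' "$line" | cut -c5-10)
  owner=$(printf '%s\n' "$line" | awk '{print $3}')
  if [ "$owner" != "$want_owner" ]; then
    echo "$f: owned by $owner, expected $want_owner" >&2
    return 1
  fi
  if [ "$perms" != "------" ]; then
    echo "$f: group/other bits must be empty (chmod 600 or 700), got $perms" >&2
    return 1
  fi
  return 0
}

# audit_secret_files OWNER FILE...: check every file, report, fail if any fails
audit_secret_files() {
  owner="$1"; shift
  rc=0
  for f in "$@"; do
    if check_secret_file "$f" "$owner"; then echo "ok   $f"; else echo "FAIL $f"; rc=1; fi
  done
  return $rc
}

# Demo on constructed files in a temp dir, owned by the current user because
# this runs without root. On the real server the call would be:
#   audit_secret_files root /etc/backup/samba.auth /etc/backup/encfs.sh
demo_dir=$(mktemp -d)
printf 'username=u1111111\npassword=example\n' > "$demo_dir/samba.auth"
chmod 600 "$demo_dir/samba.auth"                 # correct: root-only
printf '#!/bin/sh\necho "example"\n' > "$demo_dir/encfs.sh"
chmod 755 "$demo_dir/encfs.sh"                   # weak: world-readable password script
audit_secret_files "$(id -un)" "$demo_dir/samba.auth" "$demo_dir/encfs.sh"
rm -rf "$demo_dir"
```

The demo reports samba.auth as ok and encfs.sh as FAIL, which is the case to fix with chmod 700 before relying on the setup.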

Errors after upgrading the OS

If you upgraded your OS from Ubuntu 12.04 LTS to 14.04 LTS (trusty) and the decrypt mount point no longer works, it may help to check the debug messages from automount. This may also occur when upgrading other distributions.

We stop autofs and start automount manually with the debug option:

service autofs stop
automount -f -v -d

If you try to mount /net/ht-backup/decrypt in a second shell, you should see a lot of debug messages.

Look for a line like:

spawn_mount: mtab link detected, passing -n to mount

If that line is there and you grabbed the /sbin/mount.encfsextpw script from this site before 2017, it wasn’t prepared for the new parameter autofs is now passing on to us.

The new script version above was changed to detect that parameter.
