7

What is your experience in using EncFS with SSHFS for remote backup?
My main question is about long-term stability.

warren
  • 19,297
dugres
  • 241

4 Answers

4

Well, I have a friend who makes backup to my server using that very method. According to him it works well.

Dealing with SSHFS and EncFS, there are a few potential caveats to be aware of, such as uid mapping, workarounds for rename behaviors, etc. Last year I did a writeup on how to use rdiff-backup across SSHFS and EncFS. Those pointers might very well also apply to your backup software.

http://wiki.rdiff-backup.org/wiki/index.php/BackupToSshfsMount
http://wiki.rdiff-backup.org/wiki/index.php/BackupToEncfsAcrossSshfs

Of course, as with any other backup solution, it should be properly tested. That also includes doing test restores.

andol
  • 7,074
3

I've been using encfs -> sshfs for some months now and have not had to restart it or kill any hung processes etc. However when I layered posixovl on top of those - so that all my local users could have proper ownership and file permissions on the remote file space (which was under a single account in a different username-space) - it hung within a day. When I removed posixovl (fuser -m and umount -l are damned useful!) everything started working nicely again. Didn't need to restart sshfs.

This is how I have the three fuse filesystems set up.

As the user who owns the remote account:

sshfs username@remote-site:/home/username/encrypted ~username/remotesite-encrypted -o idmap=user -o uid=$(id -u) -o gid=$(id -g) -o reconnect -o allow_root
encfs ~username/remotesite-encrypted ~username/remotesite -o allow_root

As root:

/usr/local/sbin/mount.posixovl -F -S /home/username/remote-site/user-directories /remotesite -- -o allow_other

3

A more stable setup would probably be to use EncFS with the --reverse flag. From the man page:

--reverse
Normally EncFS provides a plaintext view of data on demand.  Normally it stores enciphered data and
displays plaintext data.  With --reverse it takes as source plaintext data and produces enciphered
data on-demand.  This can be useful for creating remote encrypted backups, where you do not wish to
keep the local files unencrypted.

And then either use cp+SSHFS (or rsync+SSHFS...) or, better, any other backup tool that is capable of copying over SSH (or any other protocol you feel comfortable with), e.g. rdiff-backup, rsync...

The main difference between this and previous approaches is that here encryption happens before the backup tool sees the files, which means that an attacker may get more information about the encrypted files if you are preserving history, because he can see which changes happen often and which do not and maybe figure something out.

Problems: rdiff-backup seems to have trouble accessing the EncFS-reverse filesystem.

gw0
  • 131
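
The --reverse workflow from the answer above, combined with the test restore recommended in the first answer, as an added example that is not part of any of the original posts. All paths, the remote target, the saved-config location and the DRY_RUN switch are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. All paths and the remote below are placeholders (assumptions).
SRC="${SRC:-$HOME/data}"                          # plaintext data to back up
VIEW="${VIEW:-$HOME/.crypt-view}"                 # encrypted on-demand view of SRC
DEST="${DEST:-username@remote-site:encrypted/}"   # rsync-over-SSH target
CONF_COPY="${CONF_COPY:-$HOME/encfs6-backup.xml}" # saved copy of the EncFS config
DRY_RUN="${DRY_RUN:-0}"                           # 1 = print commands, run nothing

# Print a command, then run it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Mount the encrypted view, push it over SSH, always unmount afterwards.
backup() {
    run mkdir -p "$VIEW" || return 1
    # The first run creates $SRC/.encfs6.xml interactively; later runs ask for
    # the password on the terminal.
    run encfs --reverse "$SRC" "$VIEW" || return 1
    # Per the man page, this file plus the ciphertext is what decryption needs.
    run cp -p "$SRC/.encfs6.xml" "$CONF_COPY" || { run fusermount -u "$VIEW"; return 1; }
    run rsync -a --delete -e ssh "$VIEW/" "$DEST"
    rc=$?
    run fusermount -u "$VIEW"
    return "$rc"
}

# Test restore: decrypt a retrieved copy of the backup ($1) into $2 and compare
# it with SRC. Returns non-zero if the trees differ.
restore_check() {
    crypt=$1 plain=$2
    run mkdir -p "$plain" || return 1
    run env ENCFS6_CONFIG="$CONF_COPY" encfs "$crypt" "$plain" || return 1
    # The config file itself is excluded; it is kept and checked separately.
    run diff -r -x .encfs6.xml "$SRC" "$plain"
    rc=$?
    run fusermount -u "$plain"
    return "$rc"
}

# Stand-alone use: "script backup" or "script check <ciphertext-dir> <mountpoint>".
case "${1:-}" in
    backup) backup ;;
    check)  restore_check "$2" "$3" ;;
esac
```

Running with DRY_RUN=1 first shows the exact commands without mounting or transferring anything.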
0

I haven't been able to get SSHFS to have a stable connection over a day.