
I have access to a server that I use for backups. I use rsync with the --delete


Question

I have access to a server that I use for backups. I use rsync with the --delete flag to make an exact copy of my backup directory. I have no need for incremental backups. The backup directory on the server is encrypted with ecryptfs (although not the whole home folder). I have written a script which is stored locally and executes over ssh on the server which:

1. Decrypts and mounts the directory
2. Performs rsync
3. Unmounts the directory
4. Sends me an email

The password to decrypt the directory is stored on the local machine. I am using:

key=passphrase:passphrase_passwd_file=/home/me/password.txt

in the mount command. My question is: does this pose any sort of security risk? I can't see that it does, but I noted on the ecryptfs man page that the passphrase_passwd option (which I realise is different to the one above) should only be used when security is not important, as the password is visible to utilities like ps. Permissions on my folder are set to 700.

Explanation / Answer

Your password can be viewed by processes on the server, since you are executing ecryptfs there.

What you can do is to mount the ecryptfs locally. I see two options:

- Mount the server folder locally with sshfs and then ecryptfs over it.
- Reverse-mount the source folder and rsync those encrypted files to the server.
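
The `ps` exposure mentioned in the question can be checked for directly. The following is an added example, not part of the original question or answer: it audits an ecryptfs option string and the password file it names, and scans process command lines for an inline `passphrase_passwd=` value. The function names are hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example; audit_mount_opts and find_exposed_cmdlines are hypothetical
# helper names, not part of ecryptfs-utils. Assumes GNU stat (Linux).

# Print one finding per problem in an ecryptfs "-o" option string.
audit_mount_opts() {
    local opts=$1 opt file mode
    local IFS=','
    for opt in $opts; do
        opt=${opt#key=passphrase:}          # sub-options follow "key=passphrase:"
        case $opt in
            passphrase_passwd=*)
                # The value is never echoed; only the fact that it is inline.
                echo "INLINE_PASSPHRASE: value is part of the mount command line" ;;
            passphrase_passwd_file=*)
                file=${opt#passphrase_passwd_file=}
                if [ ! -f "$file" ]; then
                    echo "MISSING_FILE: $file"
                else
                    mode=$(stat -c '%a' "$file")
                    # Any group/other bit set means access beyond the owner.
                    if [ $(( 0$mode & 077 )) -ne 0 ]; then
                        echo "LOOSE_PERMS: $file is mode $mode"
                    fi
                fi ;;
        esac
    done
}

# Print the PIDs whose command line carries an inline passphrase.
# The root is /proc on a live host; it is a parameter so the check can
# also run against a constructed directory tree.
find_exposed_cmdlines() {
    local root=${1:-/proc} f pid
    for f in "$root"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        # cmdline arguments are NUL-separated; make them greppable.
        if tr '\0' ' ' < "$f" | grep -q 'passphrase_passwd='; then
            pid=${f%/cmdline}
            echo "${pid##*/}"
        fi
    done
}

# The option string from the question, audited on the machine that mounts.
audit_mount_opts "key=passphrase:passphrase_passwd_file=/home/me/password.txt"
```

No output from `audit_mount_opts` means the option string keeps the passphrase out of the command line and the file is accessible to its owner only.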
