Encrypted Data Backup to the Cloud with MEGA and ecryptfs

While cloud storage allows us to worry a little less about losing data, it gives us something else to worry about: Who has access to our precious files? MEGA promises to encrypt the data in a way that makes it impossible for them to decrypt. That is well and good, but do you trust them? With this solution, you do not have to!

While this HowTo is based on MEGA, you can adapt it for any service that has a Linux sync client.

Step 1: Sign up with MEGA and install the sync client

Go to the MEGA website and create a free account. For some money, you get more disk space and traffic, but the free 50GB is already plenty of space.

MEGA has recently released a sync client for Linux. Start by downloading the package for your distribution (right now, Debian, Fedora, openSUSE and Ubuntu are supported; the Ubuntu package works for Mint as well). Install it and set up a folder to sync. Use an empty folder for this! Since you are not going to use this folder directly, I chose to use the hidden folder ~/.mega.

Step 2: Make sure ecryptfs is installed

ecryptfs is a file system layer that does the same thing as the FUSE filesystem encfs, but implemented in the kernel and therefore a little faster. Make sure ecryptfs is enabled in your kernel (most distributions enable it by default) or enable it in your kernel configuration. The userspace tools are provided by the ecryptfs-utils package.

Step 3: Set up ecryptfs

This is based on the article on ecryptfs in the wonderful arch wiki. I highly recommend you check it out if you want to understand the details.

  1. Create the directory where you want your files to be available. For me, this is ~/.data, since I am just going to bind my standard documents folder there.
  2. As root, mount your mega sync directory on your data directory as follows: mount -t ecryptfs ~/.mega ~/.data. (If you use sudo, spell out /home/<user>/.mega and /home/<user>/.data instead of ~, since ~ may expand to root's home directory.)
    The command will prompt you for some settings and a password:
    Key type: passphrase
    Passphrase: ThisIsAVeryWeakPassphrase
    Cipher: aes
    Key byte: 32
    Plaintext passtrough: no
    Filename encryption: yes
    Add signature to cache: yes
    The interesting settings here are Plaintext passthrough and Filename encryption. Plaintext passthrough enables you to upload plaintext files to your MEGA drive and have them available through the sync. That is not what I want, so I will disable it. Filename encryption means just what it says: Not only the file contents, but also the filenames will be encrypted. This is an important feature for your privacy. After all, the names can tell a lot about the contents.
  3. Move the signature cache that has been created by the previous command from root's directory to your own. mv /root/.ecryptfs /home/<user>/
  4. Change ownership of the directory: chown <user>:<user> .ecryptfs -R
  5. Unmount your data directory again (as root): umount ~/.data

Step 4: Create an fstab entry for your directory

To be able to mount the directory without changing to root every time, you can create an entry in /etc/fstab. Here is mine:

/home/<user>/.mega /home/<user>/.data ecryptfs user,noauto,ecryptfs_sig=<your signature>,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs,ecryptfs_fnek_sig=<your signature> 0 0

<your signature> is the signature string stored in ~/.ecryptfs/sig-cache.txt (one line, written there by the interactive mount in Step 3).

Step 5: Create a script for the mount process

You can now mount your data directory in two steps. First, you need to activate your passphrase by running ecryptfs-add-passphrase.
Then, you can mount your directory using mount -i ~/.data.

I have created a script for that since I also bind some directories from my data directory to the standard file layout (documents, pictures, etc.). For example, I run sudo mount --bind ~/.data/documents ~/documents

Finally: Check if everything works

Run the MEGA sync client. Add some files to your data directory (not the mega directory!). You should see some files being created in the mega directory and the client will start uploading them to MEGA. Log in on their website to see your encrypted files. Now you do not have to trust them to protect your files since anything they ever get to see is encrypted data!
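As an added example (not part of the original HowTo), here is a small POSIX shell script that ties Steps 4 and 5 and the final check together: it builds the fstab line from the signature in sig-cache.txt, performs the two-step mount (ecryptfs-add-passphrase, then mount -i) followed by the bind mount, and verifies that the names in the synced lower directory carry the ECRYPTFS_FNEK_ENCRYPTED. prefix that filename encryption produces, so nothing readable is ever handed to the sync client. The script name, the documents bind mount and the sample values are assumptions of this example; the paths follow the HowTo (~/.mega as the lower directory, ~/.data as the decrypted view).

```shell
#!/bin/sh
# mount-data.sh (example helper, not from the HowTo): fstab line (Step 4),
# two-step mount with bind (Step 5) and a check that the lower directory
# only ever contains encrypted file names (final check).
set -eu

# Build the /etc/fstab line for a user from an ecryptfs signature.
# The same signature is used for content and filename encryption, as in the HowTo.
build_fstab_entry() {
    user="$1"
    sig="$2"
    printf '/home/%s/.mega /home/%s/.data ecryptfs user,noauto,ecryptfs_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs,ecryptfs_fnek_sig=%s 0 0\n' \
        "$user" "$user" "$sig" "$sig"
}

# Read the signature from the sig-cache file given as $1 (first line).
read_signature() {
    head -n 1 "$1"
}

# Succeed if mount point $1 is listed as an ecryptfs mount in the
# /proc/mounts-style listing read from stdin.
is_ecryptfs_mounted() {
    awk -v mp="$1" '$2 == mp && $3 == "ecryptfs" { found = 1 } END { exit !found }'
}

# Succeed if every entry directly inside the lower (synced) directory $1 has
# the ECRYPTFS_FNEK_ENCRYPTED. prefix, i.e. no plaintext name leaked through.
lower_names_encrypted() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue            # empty directory: nothing to check
        case "$(basename "$f")" in
            ECRYPTFS_FNEK_ENCRYPTED.*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Step 5: load the passphrase into the kernel keyring, mount through the
# fstab entry, then bind the documents folder into the usual place.
mount_data() {
    data="$HOME/.data"
    if [ -r /proc/mounts ] && is_ecryptfs_mounted "$data" < /proc/mounts; then
        echo "$data is already mounted"
        return 0
    fi
    ecryptfs-add-passphrase            # prompts for the passphrase
    mount -i "$data"                   # -i: use the fstab entry, skip the mount helper
    sudo mount --bind "$data/documents" "$HOME/documents"   # assumed bind, as in the HowTo
}

# Usage: mount-data.sh mount | fstab | check   (no argument: define functions only)
case "${1:-}" in
    mount) mount_data ;;
    fstab) build_fstab_entry "$(id -un)" "$(read_signature "$HOME/.ecryptfs/sig-cache.txt")" ;;
    check) lower_names_encrypted "$HOME/.mega" && echo "lower directory names are encrypted" ;;
esac
```

Run `sh mount-data.sh fstab` once to print the line for /etc/fstab, `sh mount-data.sh mount` whenever you log in, and `sh mount-data.sh check` after the first sync: if it fails, a plaintext name (for example a file dropped directly into ~/.mega) is about to be uploaded.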