Encrypted Data Backup to the Cloud with MEGA and ecryptfs
While cloud storage allows us to worry a little less about losing data, it gives us something else to worry about: Who has access to our precious files? MEGA promises to encrypt the data in a way that makes it impossible for them to decrypt. That is well and good, but do you trust them? With this solution, you do not have to!
While this HowTo is based on MEGA, you can adapt it for any service that has a Linux sync client.
Step 1: Sign up with MEGA and install the sync client
Go to the MEGA website and create a free account. For some money, you get more disk space and traffic, but the free 50GB is already plenty of space.
MEGA has recently released a sync client for Linux. Start by downloading the package for your distribution (right now, Debian, Fedora, openSuSe and Ubuntu are supported. The Ubuntu package works for Mint as well). Install it and set up a folder to sync. Use an empty folder for this! Since you are not going to use this folder directly, I chose to use the hidden folder
Step 2: Make sure ecryptfs is installed
ecryptfs is a file system layer that does the same thing as the FUSE filesystem encfs, but implemented in the kernel and therefore a little faster. Make sure ecryptfs is enabled in your kernel (most distributions enable it by default) or enable it in your kernel configuration. The userspace tools are provided by the
Step 3: Set up ecryptfs
This is based on the article on ecryptfs in the wonderful arch wiki. I highly recommend you check it out if you want to understand the details.
- Create the directory where you want your files to be available. For me, this is ~/.data, since I am just going to bind my standard documents folder there.
- As root, mount your MEGA sync directory on your data directory as follows:
mount -t ecryptfs ~/.mega ~/.data
The command will prompt you for some settings and a password:
Key type: passphrase
Key bytes: 32
Plaintext passthrough: no
Filename encryption: yes
Add signature to cache: yes
The interesting settings here are plaintext passthrough and filename encryption.
Plaintext passthrough enables you to upload plaintext files to your MEGA drive and have them available through the sync. That is not what I want, so I will disable it.
Filename encryption means just what it says: Not only the file contents, but also the filenames will be encrypted. This is an important feature for your privacy. After all, the names can tell a lot about the contents.
- Move the signature cache that has been created by the previous command from root's directory to your own.
mv /root/.ecryptfs /home/<user>/
- Change ownership of the directory:
chown <user>:<user> .ecryptfs -R
- Unmount your data directory again (as root):
Step 4: Create an fstab entry for your directory
To be able to mount the directory without changing to root every time, you can create an entry in /etc/fstab. Here is mine:
/home/<user>/.mega /home/<user>/.data ecryptfs user,noauto,ecryptfs_sig=<your signature>,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs,ecryptfs_fnek_sig=<your signature> 0 0
<your signature> is the string of characters in
Step 5: Create a script for the mount process
You can now mount your data directory in two steps. First, you need to activate your passphrase by running
Then, you can mount your directory using
mount -i ~/.data
I have created a script for that since I also bind some directories from my data directory to the standard file layout (documents, pictures, etc.). For example, I run
sudo mount --bind ~/.data/documents ~/documents
Finally: Check if everything works
Run the MEGA sync client. Add some files to your data directory (not the mega directory!). You should see some files being created in the mega directory and the client will start uploading them to MEGA. Log in on their website to see your encrypted files. Now you do not have to trust them to protect your files since anything they ever get to see is encrypted data!
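An automated version of this check, added here as an example and not part of the original HowTo: it scans the lower (MEGA sync) directory for any entry whose name lacks the ECRYPTFS_FNEK_ENCRYPTED. prefix that ecryptfs gives every file and directory when filename encryption is on, since any such entry would be uploaded to MEGA unencrypted. The sample directory it builds is constructed; point audit_lower_dir at your real ~/.mega instead.

```shell
#!/bin/sh
# Audit the lower directory that the MEGA client syncs (~/.mega in the HowTo).
# With filename encryption on, every entry ecryptfs writes there, files and
# directories alike, starts with "ECRYPTFS_FNEK_ENCRYPTED." so anything else
# would reach MEGA in the clear (e.g. a file copied into ~/.mega by hand
# instead of into ~/.data).

# Prints each entry below "$1" whose name lacks the ecryptfs prefix.
# Returns 0 when the directory is clean, 1 otherwise, 2 if "$1" is not a dir.
audit_lower_dir() {
    if [ ! -d "$1" ]; then
        echo "not a directory: $1" >&2
        return 2
    fi
    # -mindepth 1 skips the lower dir itself; -name matches the basename at
    # every depth, which is exactly the part ecryptfs renames.
    bad=$(find "$1" -mindepth 1 ! -name 'ECRYPTFS_FNEK_ENCRYPTED.*')
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad"
    return 1
}

# Number of offending entries below "$1" (0 means clean).
count_plaintext_entries() {
    n=$(audit_lower_dir "$1" | wc -l)
    echo $((n))
}

# Constructed sample lower directory (not a real MEGA sync folder): an
# encrypted directory holding an encrypted file, plus one plaintext file
# that was dropped into the lower dir by mistake.
make_sample_lower() {
    d=$(mktemp -d)
    mkdir -p "$d/ECRYPTFS_FNEK_ENCRYPTED.FWZsampledirZZZZ"
    : > "$d/ECRYPTFS_FNEK_ENCRYPTED.FWZsampledirZZZZ/ECRYPTFS_FNEK_ENCRYPTED.FWZsamplefileZZ"
    : > "$d/tax-return.pdf"
    echo "$d"
}

# Demo run on the constructed sample: reports the one plaintext entry.
SAMPLE=$(make_sample_lower)
audit_lower_dir "$SAMPLE" || echo "WARNING: $(count_plaintext_entries "$SAMPLE") plaintext entries in $SAMPLE"
rm -rf "$SAMPLE"
```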