Secure locate with ecryptfs

I use an ecryptfs-encrypted home directory. I also like the convenience of locate, which keeps a database of all the files on my laptop. Unfortunately, these two things are in conflict with one another. The locate database is stored in an unencrypted location, which means the names of my files can be easily retrieved. This is bad, even though the content of those files is still protected. However, it is possible to have both.

This solution assumes you are running Ubuntu 10.04 Lucid, which uses mlocate by default. It has three limitations:

  1. it only works for a single-user workstation
  2. it only works while the user is logged in
  3. a file owned by root will exist in your home directory

When the desktop user is not logged in, the locate database will not be available. Hopefully someone will develop a replacement for locate which is aware of ecryptfs and stores databases for each user in their encrypted homes.

First, move the mlocate database into your home directory and replace the original location with a symbolic link to it.

sudo mv /var/lib/mlocate $HOME/.mlocate
sudo ln -s -f $HOME/.mlocate /var/lib/mlocate

Second, edit /etc/updatedb.conf to exclude the ciphertext directories and to index ecryptfs again (Lucid's default configuration prunes it). Add "/home/.ecryptfs /home/*/.Private" to PRUNEPATHS, and remove ecryptfs from PRUNEFS.

sudo vi /etc/updatedb.conf

PRUNE_BIND_MOUNTS="yes"
# PRUNENAMES=".git .bzr .hg .svn"
# skip encrypted filenames, but do index ecryptfs.
PRUNEPATHS="/tmp /var/spool /media /home/.ecryptfs /home/*/.Private"
PRUNEFS="NFS nfs nfs4 rpc_pipefs afs binfmt_misc proc smbfs autofs iso9660 ncpfs coda devpts ftpfs devfs mfs shfs sysfs cifs lustre_lite tmpfs usbfs udf fuse.glusterfs fuse.sshfs fusesmb devtmpfs"

Finally, modify the cron script which runs updatedb so it checks that /var/lib/mlocate/ exists and is writable before running. This prevents updatedb from running while the user is not logged in.

sudo vi /etc/cron.daily/mlocate

Add this line right after the script starts:

[ -d /var/lib/mlocate/ -a -w /var/lib/mlocate/ ] || exit 0

The top of my file looks like:

#! /bin/bash
# updated to check for existence of mlocate dir, which is now in my encrypted home.

set -e

[ -x /usr/bin/updatedb.mlocate ] || exit 0
[ -d /var/lib/mlocate/ -a -w /var/lib/mlocate/ ] || exit 0
...

Now run sudo updatedb, and your locate database will be stored in your encrypted home directory.
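As an added sanity check (example code, not part of the original post), the two functions below verify the setup before you rely on it: mlocate_dir_ready is the same test the cron guard uses, and check_updatedb_conf confirms that PRUNEPATHS hides the ciphertext directories and that PRUNEFS no longer excludes ecryptfs. The default paths and the conf file name are assumptions; both are parameters.

```shell
#!/bin/bash
# Added example (not from the original post): checks for the
# ecryptfs + mlocate setup described above.

# Return 0 if the mlocate directory is usable, i.e. the encrypted home is
# mounted and the directory (reached through the symlink) is writable.
# Defaults to /var/lib/mlocate, the path the cron guard tests.
mlocate_dir_ready() {
    local dir="${1:-/var/lib/mlocate}"
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Check an updatedb.conf: PRUNEPATHS must hide the lower (ciphertext)
# directories, and PRUNEFS must not list ecryptfs, or the decrypted home
# is never indexed. Prints each problem found; returns non-zero on any.
check_updatedb_conf() {
    local conf="$1" rc=0
    local PRUNEPATHS="" PRUNEFS=""
    . "$conf"   # the file is plain KEY="value" shell syntax
    case " $PRUNEPATHS " in
        *" /home/.ecryptfs "*) ;;
        *) echo "$conf: PRUNEPATHS lacks /home/.ecryptfs"; rc=1 ;;
    esac
    case " $PRUNEPATHS " in
        *" /home/*/.Private "*) ;;
        *) echo "$conf: PRUNEPATHS lacks /home/*/.Private"; rc=1 ;;
    esac
    case " $PRUNEFS " in
        *" ecryptfs "*) echo "$conf: PRUNEFS still lists ecryptfs"; rc=1 ;;
    esac
    return $rc
}
```

Run check_updatedb_conf /etc/updatedb.conf after editing the file; a silent run with exit status 0 means the pruning rules match the setup above.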


  1. Ian D. Allen

    You can avoid messing with the system databases by creating a *second* mlocate.db in your own account,
    using your own crontab to update it, and setting LOCATE_PATH to point to the second database at your login.

    Your personal CRONTAB entry: 1 * * * * updatedb -l 0 -o misc/mlocate.db -U "$HOME"

    For your bash login profile: export LOCATE_PATH=$HOME/misc/mlocate.db


    1. Tyler Wagner

      That’s excellent, thank you.
