Secure locate with ecryptfs, part 2

A few months ago, I hacked up a solution for secure locate and ecryptfs. Ian D. Allen suggested a better method, using a private per-user locate database rather than mucking with the system one. I’ve taken his suggestion.

This guide assumes you have already encrypted your home directory with ecryptfs.

Since Ubuntu lucid, locate excludes files in ecryptfs filesystems, although it still indexes the encrypted filenames (which is pretty useless). Edit /etc/updatedb.conf, add the ecryptfs paths to PRUNEPATHS, and ensure that PRUNEFS includes ecryptfs.

sudo vi /etc/updatedb.conf

Mine looks like this:

Force locate to update, or wait for the next (daily) run.

sudo updatedb

Now, we need to create our local user updatedb script and locate database.

mkdir ~/.mlocate

Download my updatedb script, and uncompress it to ~/.mlocate/.

cd ~/.mlocate
wget http://www.tolaris.com/blog/wp-content/uploads/2011/02/updatedb.gz
gunzip updatedb.gz
chmod 700 updatedb

This is a modified copy of /etc/cron.daily/updatedb. It indexes only $HOME, and stores the resulting database in ~/.mlocate/. Like the system cron updatedb script, my script won’t run when on battery power, and it uses ionice to minimise impact on the user.

Now, edit your user crontab and add a line to run this script.

crontab -e

The following line runs the script hourly, and skips it while my home directory is still encrypted.

Force the new script to run, or wait an hour.

$HOME/.mlocate/updatedb

Finally, add the new database to the LOCATE_PATH environment variable. LOCATE_PATH lists additional databases for locate to search, so the system database remains available as well. Put the following line in .bashrc or anywhere else that your shell will source.

You now have a personal locate database securely stored in your encrypted home directory.
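As an added example (not the author's script, which the post links rather than prints), here is what the per-user updatedb described above looks like when rebuilt from the Debian cron script's ingredients: the decrypted-home check the crontab line relies on, the on_ac_power and ionice handling, the lockfile whose removal by trap comes up in the comments, and a stale-lock guard. The paths under ~/.mlocate, the database name and the binary name updatedb.mlocate are assumptions.

```shell
#!/bin/sh
# Per-user updatedb for an ecryptfs home. Added example modelled on the post's
# description of its modified /etc/cron.daily/updatedb; not the author's script.
# Assumed: database and lockfile live in ~/.mlocate, updatedb.mlocate is in PATH.
DB="$HOME/.mlocate/mlocate.db"
LOCKFILE="$HOME/.mlocate/updatedb.lock"
STALE_MINUTES=1440   # a lock older than a day is treated as left over from a crash

# 0 if the mount table ($1, /proc/mounts format) shows ecryptfs mounted on $2.
# Indexing a still-encrypted home would only record the encrypted filenames.
home_is_decrypted() {
    printf '%s\n' "$1" | awk -v h="$2" '$2 == h && $3 == "ecryptfs" { f = 1 } END { exit !f }'
}

# 0 when running on battery (same on_ac_power test as the system cron script);
# 1 when on AC power or when on_ac_power is not installed.
on_battery() {
    command -v on_ac_power >/dev/null 2>&1 || return 1
    rc=0; on_ac_power >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 1 ]
}

# 0 if lock file $1 exists and is older than $2 minutes (the stale-lock guard
# suggested in the comments; the traps below normally remove the lock).
lock_is_stale() {
    [ -e "$1" ] && [ -n "$(find "$1" -mmin +"$2" 2>/dev/null)" ]
}

main() {
    mounts=$(cat /proc/mounts 2>/dev/null || true)
    home_is_decrypted "$mounts" "$HOME" || { echo "home not mounted, skipping" >&2; return 0; }
    on_battery && { echo "on battery, skipping" >&2; return 0; }
    command -v updatedb.mlocate >/dev/null 2>&1 || { echo "no updatedb.mlocate" >&2; return 0; }
    mkdir -p "$HOME/.mlocate"
    if [ -e "$LOCKFILE" ]; then
        lock_is_stale "$LOCKFILE" "$STALE_MINUTES" && rm -f "$LOCKFILE" ||
            { echo "updatedb already running" >&2; return 1; }
    fi
    trap 'rm -f "$LOCKFILE"' EXIT             # this is how the lock gets removed
    trap 'rm -f "$LOCKFILE"; exit 1' INT TERM
    touch "$LOCKFILE"
    IONICE=""
    command -v ionice >/dev/null 2>&1 && IONICE="ionice -c3"
    # -l 0: skip permission checks (we are not root); -U: index only $HOME; -o: private db
    $IONICE updatedb.mlocate -l 0 -U "$HOME" -o "$DB"
}

main "$@"
```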

  1. Ray Lee

    Thanks for this! I’m using a variant on the above to index my sometimes available home NAS right now.

    One question: I’m not the greatest bash scripter in the world so may be missing something obvious somewhere, but how does the lockfile get removed after updatedb finishes?

    Also, having a guard to check for stale lockfiles might be useful: [ 1 -eq $(find $LOCKFILE -cmin +1440 | wc -l) ] && echo assuming stale lockfile && rm -f $LOCKFILE or somesuch.

    1. Ray Lee

      Oh, duh, the trap. Nevermind.

      1. Tyler Wagner

        It’s good to consider that possibility anyway (stale lockfiles), but so far I’ve not had a problem with one. Also, this script is just a modification of the Debian/Ubuntu mlocate one. If it works for the system …

      2. John

        Thanks. This was very helpful.

      3. Western Australia

        You are actually a good webmaster. The web site loading pace is amazing. It sort of feels that you are doing any distinctive trick. Also, the contents are masterpiece. You have performed a fantastic process in this topic!
