I use an ecryptfs-encrypted home directory. I also like the convenience of locate, which keeps a database of all the files on my laptop. Unfortunately, these two things are in conflict with one another. The locate database is stored in an unencrypted location, which means the names of my files can be easily retrieved. This is bad, even though the content of those files is still protected. However, it is possible to have both.
This solution assumes you are running Ubuntu 10.04 Lucid, which uses mlocate by default. It has three limitations:
- it only works for a single-user workstation
- it only works while the user is logged in
- a file owned by root will exist in your home directory
When the desktop user is not logged in, the locate database will not be available. Hopefully someone will develop a replacement for locate which is aware of ecryptfs and stores databases for each user in their encrypted homes.
Move the mlocate database to your home, and create a symbolic link to it.
sudo mv /var/lib/mlocate $HOME/.mlocate
sudo ln -s -f $HOME/.mlocate /var/lib/mlocate
Edit /etc/updatedb.conf to exclude certain directories, and to index ecryptfs again (disabled since Lucid). Add "/home/.ecryptfs /home/*/.Private" to PRUNEPATHS, and remove ecryptfs from PRUNEFS.
sudo vi /etc/updatedb.conf
PRUNE_BIND_MOUNTS="yes"
# PRUNENAMES=".git .bzr .hg .svn"
# skip encrypted filenames, but do index ecryptfs.
PRUNEPATHS="/tmp /var/spool /media /home/.ecryptfs /home/*/.Private"
PRUNEFS="NFS nfs nfs4 rpc_pipefs afs binfmt_misc proc smbfs autofs iso9660 ncpfs coda devpts ftpfs devfs mfs shfs sysfs cifs lustre_lite tmpfs usbfs udf fuse.glusterfs fuse.sshfs fusesmb devtmpfs"
Finally, modify the cron script which runs updatedb so it checks that /var/lib/mlocate/ exists and is writable before running. This prevents updatedb from running while the user is not logged in.
sudo vi /etc/cron.daily/mlocate
Add this line right after the script starts:
[ -d /var/lib/mlocate/ -a -w /var/lib/mlocate/ ] || exit 0
The top of my file looks like:
#! /bin/bash
# updated to check for existence of mlocate dir, which is now in my encrypted home.
set -e
[ -x /usr/bin/updatedb.mlocate ] || exit 0
[ -d /var/lib/mlocate/ -a -w /var/lib/mlocate/ ] || exit 0
...
Run sudo updatedb, and your locate database will be stored in your encrypted home directory.
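The procedure above, rehearsed against a scratch directory instead of /etc and /var, as an added example that is not part of the original post. The updatedb.conf edit is done with sed rather than by hand in vi, and the cron guard is wrapped in a function so it can be exercised with a dangling symlink (home unmounted) and then a real directory (home mounted). The sample config and every path under the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the original post's code: rehearse the updatedb.conf edit
# and the cron guard in a scratch directory so nothing under /etc or /var is touched.
set -eu

# Write a constructed, Lucid-style updatedb.conf: ecryptfs is still in PRUNEFS and
# the two directories holding encrypted file names are not yet in PRUNEPATHS.
write_sample_conf() {
  cat > "$1" <<'EOF'
PRUNE_BIND_MOUNTS="yes"
# PRUNENAMES=".git .bzr .hg .svn"
PRUNEPATHS="/tmp /var/spool /media"
PRUNEFS="NFS nfs nfs4 rpc_pipefs afs binfmt_misc proc smbfs autofs iso9660 ncpfs coda devpts ftpfs devfs mfs shfs sysfs cifs lustre_lite tmpfs usbfs udf fuse.glusterfs fuse.sshfs fusesmb devtmpfs ecryptfs"
EOF
}

# Apply the two edits from the post: append the encrypted-name directories to
# PRUNEPATHS (only once, so the function is safe to re-run) and drop ecryptfs from
# PRUNEFS wherever it sits in the list. Edits go through a temp file, so this works
# with any sed, not only GNU sed -i.
patch_updatedb_conf() {
  conf="$1"
  if ! grep -q '/home/\.ecryptfs' "$conf"; then
    sed -e 's|^\(PRUNEPATHS=".*\)"$|\1 /home/.ecryptfs /home/*/.Private"|' \
      "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  fi
  sed -e '/^PRUNEFS=/s/ ecryptfs\([ "]\)/\1/' \
      -e '/^PRUNEFS=/s/"ecryptfs /"/' \
      "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# The cron guard: true only when the mlocate directory exists and is writable.
# /var/lib/mlocate is a symlink into the encrypted home, so while the home is not
# mounted the link dangles, -d fails, and updatedb is skipped.
mlocate_dir_ready() {
  [ -d "$1" ] && [ -w "$1" ]
}

demo() {
  work=$(mktemp -d)
  write_sample_conf "$work/updatedb.conf"
  patch_updatedb_conf "$work/updatedb.conf"
  grep '^PRUNE' "$work/updatedb.conf"

  # Stand-in for "sudo ln -s -f $HOME/.mlocate /var/lib/mlocate" with the home unmounted.
  ln -s "$work/home/user/.mlocate" "$work/mlocate"
  if mlocate_dir_ready "$work/mlocate"; then
    echo "home unmounted: would run updatedb (unexpected)"
  else
    echo "home unmounted: updatedb skipped"
  fi

  # "Mount" the home: the symlink target now exists and is writable.
  mkdir -p "$work/home/user/.mlocate"
  if mlocate_dir_ready "$work/mlocate"; then
    echo "home mounted: updatedb would run"
  fi
  rm -rf "$work"
}

demo
```

The guard relies on the symlink target being absent while the home is unmounted; on an ecryptfs home the underlying directory contains only the ecryptfs helper files, so $HOME/.mlocate is indeed missing until login.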