I use an ecryptfs-encrypted home directory. I also like the convenience of locate, which keeps a database of all the files on my laptop. Unfortunately, these two things are in conflict with one another. The locate database is stored in an unencrypted location, which means the names of my files can be easily retrieved. This is bad, even though the content of those files is still protected. However, it is possible to have both.
This solution assumes you are running Ubuntu 10.04 Lucid, which uses mlocate by default. It has three limitations:
- it only works for a single-user workstation
- it only works while the user is logged in
- a file owned by root will exist in your home directory
When the desktop user is not logged in, the locate database will not be available. Hopefully someone will develop a replacement for locate which is aware of ecryptfs and stores databases for each user in their encrypted homes.
First, move the mlocate database into your home directory, and create a symbolic link to it.
sudo mv /var/lib/mlocate $HOME/.mlocate
sudo ln -s -f $HOME/.mlocate /var/lib/mlocate
Second, edit /etc/updatedb.conf to prune the directories that hold the encrypted filenames, and enable indexing of ecryptfs again (it has been disabled since Lucid). Add "/home/.ecryptfs /home/*/.Private" to PRUNEPATHS, and remove ecryptfs from PRUNEFS.
sudo vi /etc/updatedb.conf
PRUNE_BIND_MOUNTS="yes"
# PRUNENAMES=".git .bzr .hg .svn"
# skip encrypted filenames, but do index ecryptfs.
PRUNEPATHS="/tmp /var/spool /media /home/.ecryptfs /home/*/.Private"
PRUNEFS="NFS nfs nfs4 rpc_pipefs afs binfmt_misc proc smbfs autofs iso9660 ncpfs coda devpts ftpfs devfs mfs shfs sysfs cifs lustre_lite tmpfs usbfs udf fuse.glusterfs fuse.sshfs fusesmb devtmpfs"
Finally, modify the cron script which runs updatedb so it checks that /var/lib/mlocate/ exists and is writable before running. This prevents updatedb from running while the user is not logged in.
sudo vi /etc/cron.daily/mlocate
Add this line right after the script starts:
[ -d /var/lib/mlocate/ -a -w /var/lib/mlocate/ ] || exit 0
The top of my file looks like:
#! /bin/bash
# updated to check for existence of mlocate dir, which is now in my encrypted home.
set -e
[ -x /usr/bin/updatedb.mlocate ] || exit 0
[ -d /var/lib/mlocate/ -a -w /var/lib/mlocate/ ] || exit 0
...
Now run sudo updatedb, and your locate database will be stored in your encrypted home directory.
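As an added example (not part of the original post, and not mlocate's own code), the two checks this setup depends on, written as functions that take their paths as parameters so they can be exercised against a test tree; the function names and the --check flag are my own:

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for the setup
# described above: does /etc/updatedb.conf prune the ciphertext directories
# and index ecryptfs, and does /var/lib/mlocate really resolve into the
# (mounted) encrypted home? Assumes POSIX sh with sed and grep -F.

# Print the value of KEY="..." from an updatedb.conf-style file (last one wins).
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Does the space-separated list $1 contain the exact word $2? (no globbing,
# so a pattern such as /home/*/.Private is compared literally)
has_word() {
    printf ' %s \n' "$1" | grep -qF -- " $2 "
}

# 0 if the conf prunes /home/.ecryptfs and /home/*/.Private (ciphertext
# names are useless in the index) and no longer lists ecryptfs in PRUNEFS.
check_updatedb_conf() {
    [ -r "$1" ] || return 1
    paths=$(conf_value "$1" PRUNEPATHS)
    fs=$(conf_value "$1" PRUNEFS)
    has_word "$paths" /home/.ecryptfs || return 1
    has_word "$paths" '/home/*/.Private' || return 1
    ! has_word "$fs" ecryptfs
}

# 0 if directory $1 exists, is writable, and physically lives under home $2.
# Following the symlink matters: while the home is unmounted the link is
# dangling, and a plain directory recreated under /var/lib would silently
# put the index back on the unencrypted root filesystem.
mlocate_dir_usable() {
    [ -d "$1" ] && [ -w "$1" ] || return 1
    real=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    home_real=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$real/" in
        "$home_real/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run against the live system:  sh secure-locate-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_updatedb_conf /etc/updatedb.conf && echo "updatedb.conf: ok" \
        || echo "updatedb.conf: ciphertext dirs not pruned or ecryptfs still in PRUNEFS"
    mlocate_dir_usable /var/lib/mlocate "$HOME" && echo "mlocate dir: ok" \
        || echo "mlocate dir: missing, unwritable or outside $HOME (not logged in?)"
fi
```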
Tags: encryption, lucid
You can avoid messing with the system databases by creating a *second* mlocate.db in your own account, using your own crontab to update it, and setting LOCATE_PATH to point to the second database at your login.
Your personal CRONTAB entry: 1 * * * * updatedb -l 0 -o misc/mlocate.db -U "$HOME"
For your bash login profile: export LOCATE_PATH=$HOME/misc/mlocate.db