A few months ago, I hacked up a solution for secure locate and ecryptfs. Ian D. Allen suggested a better method, using a private per-user locate database rather than mucking with the system one. I’ve taken his suggestion.
This guide assumes you have already encrypted your home directory with ecryptfs.
Since Ubuntu lucid, locate excludes files in ecryptfs filesystems, although it still indexes the encrypted filenames (which is pretty useless). Edit /etc/updatedb.conf, add the ecryptfs paths to PRUNEPATHS, and ensure that PRUNEFS includes ecryptfs.
sudo vi /etc/updatedb.conf
Mine looks like this:
PRUNEPATHS="/tmp /var/spool /media /home/.ecryptfs /home/*/.Private"
PRUNEFS="NFS nfs nfs4 rpc_pipefs afs binfmt_misc proc smbfs autofs iso9660 ncpfs coda devpts ftpfs devfs mfs shfs sysfs cifs lustre_lite tmpfs usbfs udf fuse.glusterfs fuse.sshfs ecryptfs fusesmb devtmpfs"
Force locate to update, or wait for the next (daily) run.
sudo updatedb
Now, we need to create our local user updatedb script and locate database.
mkdir ~/.mlocate
Download my updatedb script, and uncompress it to ~/.mlocate/.
cd ~/.mlocate
wget http://www.tolaris.com/blog/wp-content/uploads/2011/02/updatedb.gz
gunzip updatedb.gz
chmod 700 updatedb
This is a modified copy of /etc/cron.daily/updatedb. It indexes only $HOME, and stores the resulting database in ~/.mlocate/. Like the system cron updatedb script, my script won’t run when on battery power, and it uses ionice to minimise impact on the user.
Now, edit your user crontab and add a line to run this script.
crontab -e
The following line runs hourly. The -x test means it does nothing while my home directory is still encrypted (not mounted), because the script isn't accessible then.
# m h dom mon dow command
47 * * * * [ -x $HOME/.mlocate/updatedb ] && $HOME/.mlocate/updatedb 2> /dev/null
Force the new script to run, or wait an hour.
$HOME/.mlocate/updatedb
Finally, add the new database to the LOCATE_PATH environment variable. This specifies additional locate databases to search, so you'll still have access to the system database as well. Put the following line in your .bashrc, or anywhere else your shell will source.
export LOCATE_PATH="$HOME/.mlocate/mlocate.db"
You now have a personal locate database securely stored in your encrypted home directory.
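The downloadable script above is not reproduced on this page, so here is an added example written in its spirit (it is not the author's script): a per-user updatedb wrapper that indexes only $HOME into a private ~/.mlocate database, skips when on battery and runs at idle I/O priority like /etc/cron.daily/updatedb, and adds three checks a careful user would want. It verifies that the system /etc/updatedb.conf really prunes ecryptfs (by filesystem type and by the /home/.ecryptfs and /home/*/.Private paths), that the private database directory and file are not readable by other users (the whole reason for a per-user database), and it handles the lockfile the comments below ask about: the lock is removed by an EXIT trap however the run ends, and a lock older than a day is treated as stale and reclaimed. The lockfile name, the run/check subcommands and the 1440-minute threshold are assumptions; the updatedb options used (-l 0, -U, -o) are mlocate's.

```shell
#!/bin/sh
# Added example, not the post's downloadable script: a per-user updatedb
# wrapper (index only $HOME, private db under ~/.mlocate, skip on battery,
# idle I/O priority) plus sanity checks. Lockfile name, subcommands and the
# 1440-minute staleness threshold are assumptions made for this example.

USER_DB_DIR="${USER_DB_DIR:-$HOME/.mlocate}"
USER_DB="$USER_DB_DIR/mlocate.db"
LOCKFILE="$USER_DB_DIR/updatedb.lock"
STALE_MINUTES=1440     # a lock older than a day is treated as left behind

# Return 0 if the given updatedb.conf prunes ecryptfs by filesystem type and
# also prunes the two paths that hold the encrypted filenames.
prune_conf_ok() {
    conf="$1"
    fs=$(sed -n 's/^PRUNEFS="\(.*\)"/\1/p' "$conf")
    paths=$(sed -n 's/^PRUNEPATHS="\(.*\)"/\1/p' "$conf")
    case " $fs " in *" ecryptfs "*) ;; *) return 1 ;; esac
    case " $paths " in *" /home/.ecryptfs "*) ;; *) return 1 ;; esac
    case " $paths " in *" /home/*/.Private "*) ;; *) return 1 ;; esac
    return 0
}

# A per-user database only helps if names from the encrypted home never end
# up in a file other users can read: directory must be 0700, the db 0600.
db_perms_ok() {
    [ -d "$USER_DB_DIR" ] || return 1
    [ -n "$(find "$USER_DB_DIR" -prune -perm 0700)" ] || return 1
    if [ -e "$USER_DB" ]; then
        [ -n "$(find "$USER_DB" -prune -perm 0600)" ] || return 1
    fi
    return 0
}

# Take the lock. A lock older than STALE_MINUTES is assumed to be a leftover
# from a killed run and is removed first. Returns 1 if a fresh lock is held.
acquire_lock() {
    if [ -e "$LOCKFILE" ] && [ -n "$(find "$LOCKFILE" -mmin +"$STALE_MINUTES")" ]; then
        rm -f "$LOCKFILE"
    fi
    # noclobber (set -C) makes the redirection fail if the file already exists:
    # an atomic create-or-fail without needing flock(1).
    ( set -C; : > "$LOCKFILE" ) 2>/dev/null || return 1
    # The trap is what removes the lock when the script ends, however it ends.
    trap 'rm -f "$LOCKFILE"' EXIT INT TERM
    return 0
}

release_lock() {
    rm -f "$LOCKFILE"
    trap - EXIT INT TERM
}

# Build the private database, mirroring /etc/cron.daily/updatedb: skip on
# battery, idle I/O priority, index only $HOME. "-l 0" switches off the
# visibility check that only makes sense for the shared root-owned system db.
# Needs mlocate's updatedb installed.
run_user_updatedb() {
    umask 077                          # db and lock get created 0600
    mkdir -p "$USER_DB_DIR" || return 1
    chmod 700 "$USER_DB_DIR"
    if command -v on_ac_power >/dev/null 2>&1; then
        ac=0; on_ac_power >/dev/null 2>&1 || ac=$?
        [ "$ac" -eq 1 ] && return 0    # 1 means on battery; 0 and 255 mean go ahead
    fi
    acquire_lock || return 1
    ionice=""
    command -v ionice >/dev/null 2>&1 && ionice="ionice -c3"
    rc=0
    $ionice updatedb -l 0 -U "$HOME" -o "$USER_DB" || rc=$?
    release_lock
    return "$rc"
}

case "${1:-}" in
    run)   run_user_updatedb ;;
    check) prune_conf_ok /etc/updatedb.conf && db_perms_ok && echo "ok" ;;
    *)     echo "usage: $0 run|check" >&2 ;;
esac
```

With this version the crontab line would call the script with its `run` argument (`[ -x $HOME/.mlocate/updatedb ] && $HOME/.mlocate/updatedb run 2> /dev/null`), and `~/.mlocate/updatedb check` confirms both the system pruning and the private-file permissions before you start relying on the database.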
Tags: encryption
-
Thanks for this! I’m using a variant on the above to index my sometimes available home NAS right now.
One question: I’m not the greatest bash scripter in the world so may be missing something obvious somewhere, but how does the lockfile get removed after updatedb finishes?
Also, having a guard to check for stale lockfiles might be useful: `[ 1 -eq $(find $LOCKFILE -cmin +1440 | wc -l) ] && echo assuming stale lockfile && rm -f $LOCKFILE` or somesuch.
-
Thanks. This was very helpful.
-
I'm getting:
mak@MakLap:~/.mlocate$ locate new.txt
/home/mak/Desktop/new.txt
/home/mak/.mlocate/mlocate.db: No such file or directory
After following the instructions to the letter, where does the mlocate.db file get created?
I've rebooted, run sudo updatedb, and run the steps again, but even though the file I used as an example does show up where before it did not, I'm still getting that appended error.
-