In my line of work, you basically have to options to keep your sanity. You either become jaded or you go into full-on paranoia mode. And I recently started to catch myself looking longingly at tin foil hats. That’s why I have my very own cloud! But since I’m currently the sole breadwinner in our expanding family, I’m on a tight budget. So, I present to you, The Frankencloud 3000! Cobbled together from discarded parts I scrapped from our SysAd’s desk: A Raspberry Pi 3 Model B+ and an old 1 TB internal hard disk in an USB case. As this is far from ideal (or stable), I need a good backup strategy. Preferably remote, so that a fire won’t destroy two years of baby and puppy pictures. I have a storage box somewhere that I can rsync to, but then my pictures are on somebody else’s computer which brings me back to my tin foil hats. I don’t want that. Not without some layer of encryption. And that’s where gocryptfs comes into play. What I want is to have my data to be encrypted on the fly before being rsynced to my storage box. And here is my solution.
gocryptfs is like EncFS written in golang and on a debian, armbian or ubuntu it should be available in the repositories.

sudo apt-get -y install gocryptfs fuse

After installation, gocryptfs needs to be initialized in the folder that holds the data we want to backup. And since we only want the files to be encrypted when we sync them to our remote storage, we pass the -reverse option.

gocryptfs -reverse -init /media/nextcloud-data/files

We chose a very secure password and put it somewhere safe. Now, we can make a folder and mount our encrypted files.

mkdir -p /tmp/nextcloudencrypted
gocryptfs -passfile /path/to/passwordfile -reverse /media/nextcloud-data/files /tmp/nextcloudencrypted

See the -passfile? That’s because we don’t want a reboot of our little Raspberry to disrupt the nightly backup job. So, we put these lines into a shell script and take the secure long password and put it into a very restricted file that only root has access to. Then we add these lines to our crontab:

@reboot root /path/to/on-reboot.sh

Now, let’s enter a quick df -h to see how much disk space we are using.

Filesystem                   Size  Used Avail Use% Mounted on
/dev/sda1                    932G   83G  848G   9% /media/nextcloud-data
/media/nextcloud-data/files  932G   83G  848G   9% /tmp/nextcloudencrypted

See how we mounted the files folder into /tmp/nextcloudencrypted and it has no impact on the available space on our hard disk? Sweet! But we still haven’t backed up anything yet. Here’s my very basic backup script:

#!/bin/bash
occ="sudo -u www-data php /var/www/nextcloud/occ"
$occ maintenance:mode --on
mysqldump -u root --single-transaction nextcloud > /tmp/dbbackup.sql
gzip -f /tmp/dbbackup.sql
rsync -avz /tmp/dbbackup.sql.gz you@yourowngoddamnstorage.com:backup/nextcloud
$occ maintenance:mode --off
rsync -avz --delete /tmp/nextcloudencrypted you@yourowngoddamnstorage.com:backup/nextcloud

First we switch into the maintenance mode of our nextcloud to create an database dump. Because it might take quite some time to rsync all files, we switch the maintenance mode back off again. Then we sync our encrypted files to our remote storage. But how do we get our data back? Easy.

mkdir nextclouddecrypted
rsync -avz you@yourowngoddamnstorage.com:backup/nextcloud/nextcloudencrypted nextcloudencrypted
gocryptfs nextcloudencrypted/ nextclouddecrypted

Basically, download your encrypted data, create a new folder and command gocryptfs to decrypt your data into this new folder.

Conclusion

There’s still room for improvement. Like, a lot. First of all, the database is not encrypted. This should be fairly straight forward. Then we only have ONE backup of last night. I would like to have the option to go back at least a couple of days, maybe save a snapshot of last month. As the names of the files do not change with every encryption process, this could be done with some hard links. But it’s better than nothing.