gocryptfs is like EncFS, but written in Go, and on Debian, Armbian or Ubuntu it should be available in the repositories.

    sudo apt-get -y install gocryptfs fuse

After installation, gocryptfs needs to be initialized in the folder that holds the data we want to back up. And since we only want the files to be encrypted when we sync them to our remote storage, we pass the -reverse option.

    gocryptfs -reverse -init /media/nextcloud-data/files

We choose a very secure password and put it somewhere safe. Now, we can make a folder and mount our encrypted files.

    mkdir -p /tmp/nextcloudencrypted
    gocryptfs -passfile /path/to/passwordfile -reverse /media/nextcloud-data/files /tmp/nextcloudencrypted

See the -passfile? That’s because we don’t want a reboot of our little Raspberry to disrupt the nightly backup job. So, we put these lines into a shell script, and we put the long, secure password into a very restricted file that only root has access to. Then we add this line to our crontab (the user field means it is in the system-wide /etc/crontab format):

    @reboot root /path/to/on-reboot.sh

Now, let’s enter a quick df -h to see how much disk space we are using.

    Filesystem                   Size  Used Avail Use% Mounted on
    /dev/sda1                    932G   83G  848G   9% /media/nextcloud-data
    /media/nextcloud-data/files  932G   83G  848G   9% /tmp/nextcloudencrypted

See how we mounted the files folder into /tmp/nextcloudencrypted and it has no impact on the available space on our hard disk? Sweet! But we still haven’t backed up anything yet. Here’s my very basic backup script:

    #!/bin/bash
    # Run occ as the web server user
    occ="sudo -u www-data php /var/www/nextcloud/occ"
    # Maintenance mode keeps the database consistent while we dump it
    $occ maintenance:mode --on
    mysqldump -u root --single-transaction nextcloud > /tmp/dbbackup.sql
    gzip -f /tmp/dbbackup.sql
    rsync -avz /tmp/dbbackup.sql.gz you@yourowngoddamnstorage.com:backup/nextcloud
    $occ maintenance:mode --off
    # Sync the encrypted view; --delete removes remote files that are gone locally
    rsync -avz --delete /tmp/nextcloudencrypted you@yourowngoddamnstorage.com:backup/nextcloud

First we switch our Nextcloud into maintenance mode to create a database dump. Because it might take quite some time to rsync all files, we switch maintenance mode back off again. Then we sync our encrypted files to our remote storage. Note that the database dump is uploaded as-is; only the files folder goes through gocryptfs. But how do we get our data back? Easy.

    mkdir nextclouddecrypted
    # Trailing slashes copy the directory's contents instead of nesting it one level deeper
    rsync -avz you@yourowngoddamnstorage.com:backup/nextcloud/nextcloudencrypted/ nextcloudencrypted/
    gocryptfs nextcloudencrypted/ nextclouddecrypted

Basically, download your encrypted data, create a new folder and tell gocryptfs to decrypt your data into this new folder.
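
One way to write the on-reboot.sh mentioned above so that it refuses to mount when the password file is not actually restricted. This is an added example, not the author's script; the environment-variable overrides, the function names and the "mount" argument are assumptions of this sketch, and it relies on GNU stat.

```shell
#!/bin/bash
# Added example of an on-reboot.sh; not the article author's script.
# Paths default to the article's placeholders; the env overrides are assumptions.
PLAIN_DIR="${PLAIN_DIR:-/media/nextcloud-data/files}"
CIPHER_DIR="${CIPHER_DIR:-/tmp/nextcloudencrypted}"
PASSFILE="${PASSFILE:-/path/to/passwordfile}"

# True only for a regular file (no symlink) owned by the invoking user
# (root when run from cron) with no group/other permission bits set.
# Uses GNU stat, as shipped on Debian, Armbian and Ubuntu.
passfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    pf_mode=$(stat -c '%a' "$1") || return 1
    pf_owner=$(stat -c '%u' "$1") || return 1
    [ "$pf_owner" = "$(id -u)" ] || return 1
    # %a prints octal (e.g. 600); mask out everything but group/other bits.
    [ $(( 0$pf_mode & 077 )) -eq 0 ]
}

# Mount the encrypted reverse view, refusing to use a loosely protected passfile.
mount_reverse() {
    if ! passfile_is_private "$PASSFILE"; then
        echo "refusing to mount: $PASSFILE must be a regular file owned by" \
             "uid $(id -u) with mode 600 or stricter" >&2
        return 2
    fi
    # Nothing to do if the view is already mounted (script run twice).
    if mountpoint -q "$CIPHER_DIR"; then
        return 0
    fi
    mkdir -p "$CIPHER_DIR" || return 1
    gocryptfs -passfile "$PASSFILE" -reverse "$PLAIN_DIR" "$CIPHER_DIR"
}

# Only act when called as "on-reboot.sh mount", so the file can be sourced.
case "${1:-}" in
    mount) mount_reverse ;;
esac
```

With this version the crontab entry would call the script with the mount argument, i.e. /path/to/on-reboot.sh mount.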