How to mount remote ecryptfs directory?


I use rsync to synchronize the data on my client with a decrypted ecryptfs-container on the server.

What I want to achieve is the following automatic process:

  1. If, on the server, keyctl show already has my desired key signature go to (3.)
  2. ecryptfs-add-passphrase --fnek to add my key to the keyring on the server
  3. mount -i /mnt/path/to/decrypted to make sure the decrypted folder is mounted on the server
  4. rsync from client to server
  5. Optional: Unmount folder and remove key signature (not important here)

Currently, for steps 1,2,3 I use ssh -tq ... to execute the command and evaluate the result.

My problem is as follows: It seems like ecryptfs requires a persistent user session on the server. Otherwise, the key is added and instantly dropped because of user logout (ssh -tq ... ends after command completion).

I just recognized that ssh -tq 'ecryptfs-add-passphrase --fnek; mount -i /mnt/path/to/decrypted' apparently works as expected. The key is dropped again afterwards, but the mount succeeds. This implies I have to realize the "dynamic prompt" (step 1) on the server. Is this already the best solution or can I also realize this on the client?

I stumbled upon your post several times today while trying to realize exactly what you were describing, but did not find any help. I finally managed to find a solution by myself.

This solution is to take advantage of the --rsync-path option of rsync. Here is an extract from the man page:

    --rsync-path=PROGRAM
          Use this to specify what program is to be run on the remote
          machine to start-up rsync. Often used when rsync is not in the
          default remote-shell's path (e.g. --rsync-path=/usr/local/bin/rsync).
          Note that PROGRAM is run with the help of a shell, so it can be
          any program, script, or command sequence you'd care to run, so
          long as it does not corrupt the standard-in & standard-out that
          rsync is using to communicate.

          One tricky example is to set a different default directory on
          the remote machine for use with the --relative option. For
          instance:

              rsync -avR --rsync-path="cd /a/b && rsync" hst:c/d /e/

The example given in the last paragraph of the manual gave me the idea to use this parameter to mount the ecryptfs directory.

And here is the code:

rsync --rsync-path="(printf \"%s\" \"$passphrase\" | ecryptfs-add-passphrase --fnek && ecryptfs-mount-private) &> /dev/null && rsync" -aKLv local_to_sync remotehost.com:~/Private/
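The following script is an added example, not code from the original question or answer. It wraps the --rsync-path trick in a small sh script and also performs the question's step 1 (checking `keyctl show` for the key signature) from the client over ssh, so the remote program only adds the key when it is missing. The host name, the passphrase file path, the key signature and the directory names are assumptions. One design change from the answer's one-liner: rsync passes the --rsync-path string to the remote shell verbatim (followed by `--server ...`), so a passphrase embedded in it is visible to `ps` on the server and is also kept in the client's shell history; the example instead has ecryptfs-add-passphrase read the passphrase from a file on the server that is assumed to exist with mode 0600 (the trailing `-` argument tells it to read stdin).

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the --rsync-path
# trick from the answer and does the keyring check (question's step 1)
# from the client. Host, paths and the signature below are assumptions.

REMOTE_HOST="remotehost.com"                 # assumed
REMOTE_PASSFILE='$HOME/.ecryptfs/sync.pass'  # assumed: 0600 file on the server, expanded remotely
KEY_SIG="0123456789abcdef"                   # assumed: your 16-hex-digit eCryptfs key signature
LOCAL_DIR="local_to_sync"
REMOTE_DIR="~/Private/"

# Step 1: does the text of `keyctl show` already list the signature?
# eCryptfs keys show up in the session keyring as "user: <signature>".
key_present() {
    keyctl_output=$1
    sig=$2
    printf '%s\n' "$keyctl_output" | grep -Fq -- "user: $sig"
}

# Build the PROGRAM string for --rsync-path. rsync hands it to the remote
# shell verbatim, so anything placed here is visible in `ps` on the server;
# the passphrase is therefore read from a 0600 file on the server rather
# than embedded in the command line as in the original one-liner.
remote_program() {
    have_key=$1    # "yes" if the key is already in the keyring, else "no"
    passfile=$2
    if [ "$have_key" = yes ]; then
        printf '%s' "ecryptfs-mount-private >/dev/null 2>&1 && rsync"
    else
        printf '%s' "(ecryptfs-add-passphrase --fnek - < $passfile && ecryptfs-mount-private) >/dev/null 2>&1 && rsync"
    fi
}

# Steps 1-4: probe the server keyring once, then run a single rsync whose
# remote side adds the key only when needed and mounts before rsync starts.
sync_private() {
    dump=$(ssh -q "$REMOTE_HOST" keyctl show 2>/dev/null || true)
    if key_present "$dump" "$KEY_SIG"; then have=yes; else have=no; fi
    rsync --rsync-path="$(remote_program "$have" "$REMOTE_PASSFILE")" \
        -aKLv "$LOCAL_DIR" "$REMOTE_HOST:$REMOTE_DIR"
}

# Only perform the sync when invoked as `./sync.sh run`.
if [ "${1:-}" = run ]; then
    sync_private
fi
```

As in the answer, the key is still dropped when the remote rsync process ends, which is harmless because the mount has already succeeded by then; the keyring probe only saves re-adding the key when a longer-lived session on the server already holds it.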