Question: Linux encrypted home & running as a service at boot

Hi guys,

The VM I’m testing in doesn’t have an encrypted /home (the location I plan to back up using Duplicati), and I do plan to test on a new VM with that, but if someone knows the answer I’d be interested before I spend much time figuring out something that is already known.

I want to enable Duplicati as a service at boot (or login) and I’ve done so on my (non-encrypted) test VM. It seems to work fine before I log in. If my /home is encrypted and Duplicati runs its backup before I’ve logged in, does it back up already encrypted files that, if restored, would be unintelligible?

Thanks. :sunny:

If you use the normal eCryptfs-based home-folder encryption scheme, then the service would not be able to read the unencrypted files before you have logged in (the key is simply not on the system before), so you would (potentially) back up encrypted files that you can decrypt with eCryptfs.

Thanks.

I’m fairly new to Linux, so I won’t be upset to be corrected, but on Ubuntu and derivatives at least (all else?), I think /home mounts at login - not boot. Would Duplicati know/be able to back up the unmounted drive? Or would it just wait until it can see /home - the next login - and begin its backups then?

Also, if it could see encrypted /home before login (and decryption) - would not only the content of files be encrypted but also the filenames? If it can back up ‘gibberish’ files it will make partial restorations (of particular files) pretty much impossible unless there’s some cleverness going on.

It will not wait for login or mounts, but since /home exists on boot, it can find “something”.

Yes, it will see encrypted filenames as well. A backup of these files will require that you mount the encrypted files with eCryptfs before you can read the contents.
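The situation described in the replies above, as an added example that is not part of the original thread: a pre-backup guard that succeeds only when the home directory is a mounted eCryptfs view, plus a check for the prefix eCryptfs puts on encrypted filenames. The user `alice`, the sample mount table and the script name `guard.sh` are constructed for illustration, and it assumes the decrypted view is mounted on the home directory itself.

```shell
#!/bin/sh
# Added example (not from the thread): pre-backup guard for an eCryptfs home.
# Assumption: the home directory is known to use eCryptfs, as discussed above.

# home_is_decrypted MOUNTS_FILE HOME_DIR
# Succeeds only if HOME_DIR appears in MOUNTS_FILE (same format as
# /proc/mounts) as the mount point of an ecryptfs filesystem, i.e. the
# user has logged in and the plaintext view is available.
home_is_decrypted() {
    mounts_file=$1
    home_dir=${2%/}            # tolerate a trailing slash
    while read -r _src mnt fstype _rest; do
        if [ "$mnt" = "$home_dir" ] && [ "$fstype" = "ecryptfs" ]; then
            return 0
        fi
    done < "$mounts_file"
    return 1
}

# count_encrypted_names DIR
# Prints how many entries directly under DIR carry the prefix eCryptfs gives
# to encrypted filenames. Non-zero means DIR is the ciphertext (lower) side.
count_encrypted_names() {
    n=0
    for f in "$1"/ECRYPTFS_FNEK_ENCRYPTED.*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample in /proc/mounts format (user "alice" is hypothetical).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
}

# Usage as a pre-backup check: guard.sh /proc/mounts /home/alice
if [ "$#" -eq 2 ]; then
    if home_is_decrypted "$1" "$2"; then
        echo "ok: $2 is a mounted eCryptfs view, a backup will see plaintext"
    else
        echo "skip: $2 is not a mounted eCryptfs view" >&2
        exit 1
    fi
fi
```

Run before login, the guard exits non-zero, so a boot-time job can skip the run instead of storing ciphertext or the placeholder directory.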

Does this assume /home is on the same partition/drive as /root?

I spoke with JonMikeIV regarding his ‘How To’ for start at boot and he mentioned a few things; one question was about its ability to de-duplicate effectively if the content is encrypted. I hadn’t thought of that.

I think for the sake of simplicity, I will be setting mine up to run at login rather than boot - at least on my desktops. On the Server - I do not know yet, I’ll have to experiment (when I have bought it and built unRAID) :slight_smile: Next step, and somewhat amusingly, I have to manually back up my Synology NAS (I use Robocopy as I have been doing it for years in Windows this way via batch files LOL) before updating DSM so I can try Duplicati there.

Thanks for the advice/info. As this was really a question/discussion rather than ‘please help fix something’, not sure if I should mark it as “Solved”.