Inspired by World Backup Day, I decided to take a backup of my laptop. Thanks to using a free operating system I don't have to back up any of my software, just configuration and data files, which fit on a single DVD.
In order to avoid worrying too much about secure storage and disposal of these backups, I have decided to encrypt them using a standard encrypted loopback filesystem.
(Feel free to leave a comment if you can suggest an easier way of doing this.)
Cryptmount setup
Install cryptmount:
apt-get install cryptmount
and set up two encrypted mount points in /etc/cryptmount/cmtab:
backup {
    dev=/backup.dat
    dir=/backup
    fstype=ext4
    mountoptions=defaults,noatime
    keyfile=/backup.key
    keyhash=sha512
    keycipher=aes-xts-plain64
    keyformat=builtin
    cipher=aes-xts-plain64
}
testbackup {
    dev=/media/cdrom/backup.dat
    dir=/backup
    fstype=ext4
    mountoptions=defaults,noatime,ro,noload
    keyfile=/media/cdrom/backup.key
    keyhash=sha512
    keycipher=aes-xts-plain64
    keyformat=builtin
    cipher=aes-xts-plain64
}
Initialize the encrypted filesystem
Make sure you have at least 4.3 GB of free disk space on / and then run:
mkdir /backup
dd if=/dev/zero of=/backup.dat bs=1M count=4096
cryptmount --generate-key 32 backup
cryptmount --prepare backup
mkfs.ext4 -m 0 /dev/mapper/backup
cryptmount --release backup
Alternatively, if you're using a double-layer DVD then use this dd line:
dd if=/dev/zero of=/backup.dat bs=1M count=8000
Burn the data to a DVD
Mount the newly created partition:
cryptmount backup
and then copy the files you want to /backup/ before unmounting that partition:
cryptmount -u backup
Finally, use your favourite DVD-burning program to burn these files:
/backup.dat
/backup.key
/etc/cryptmount/cmtab
Test your backup
Before deleting the image and key files from your hard disk, test the DVD you've just burned by mounting it:
mount /cdrom
cryptmount testbackup
and looking at a random sampling of the files contained in /backup.
Once you are satisfied that your backup is fine, unmount the DVD:
cryptmount -u testbackup
umount /cdrom
and remove the temporary files:
rm /backup.dat /backup.key
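A stricter check than sampling files by eye is to compare the burned copies bit for bit with the originals before running the rm above. The script below is an added example, not part of the original post; the function names are hypothetical, and it assumes the disc is mounted at /media/cdrom (as in the cmtab above) with backup.dat and backup.key at its top level.

```shell
#!/bin/sh
# Added example: compare the on-disk originals with the burned copies
# before the final rm step. File names follow the post; the function
# names verify_burn and file_digest are hypothetical.

# Print the SHA-256 of a file, or fail if it cannot be read.
file_digest() {
    [ -r "$1" ] || return 1
    sha256sum < "$1" | cut -d' ' -f1
}

# verify_burn SRC_DIR DISC_DIR FILE...
# Returns 0 only if every FILE exists in both directories with identical
# contents. Each problem is reported on stderr and the remaining files
# are still checked, so one run shows everything that is wrong.
verify_burn() {
    src_dir=${1%/}      # "/" becomes "", so paths read /backup.dat
    disc_dir=${2%/}
    shift 2
    status=0
    for name in "$@"; do
        src_sum=$(file_digest "$src_dir/$name") || {
            echo "missing original: $src_dir/$name" >&2; status=1; continue; }
        disc_sum=$(file_digest "$disc_dir/$name") || {
            echo "missing on disc: $disc_dir/$name" >&2; status=1; continue; }
        if [ "$src_sum" != "$disc_sum" ]; then
            echo "MISMATCH: $name" >&2
            status=1
        else
            echo "ok: $name"
        fi
    done
    return $status
}

# Usage with the post's layout (as root, after mounting the DVD):
#   verify_burn / /media/cdrom backup.dat backup.key \
#       && rm /backup.dat /backup.key
```

Chaining the rm with && means the temporary files are only removed when both the image and the key on the disc match the originals.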
It would be better if you didn't use /dev/zero to create the backing "media" (your backup.dat file).
To get better protection (since you are encrypting things anyway), you should use /dev/urandom (not /dev/random, as this will block).
Of course, you can always feed the entropy pool as simply as doing random stuff on your desktop (the usual sources) and using the package randomsound, while you listen to some music to be used as entropy.
If it is for long-term storage (e.g. more than a couple of weeks) I wouldn't encrypt it. When the time comes you'll have forgotten the password and/or the technology won't work the same.
I encrypt a backup which gets written over frequently (so there is continuity of password/technology), but anything written to a DVD I wouldn't.
I have burned the key to the same media. It's possibly not as secure as having it on two separate discs since the passphrase could be brute-forced. But since the primary purpose of making a backup is to be able to restore stuff, I do want to be able to get to both pieces quickly if I need to.
Have you got a different (more secure?) strategy that works for you?