Hi,
up until now, I've neither used an encrypted home folder nor did I do proper backups of my files.
I'd like to remedy both shortcomings, in a way that allows both features to live nicely with each other.
Can anyone with experience in this area recommend good tools (which are available in Arch repos or AUR) to do this?
Or share tips / pitfalls to watch out for when combining backups and encryption?
Here is what I'd like to have:
encrypted home folder (ideally en/decrypt on all write/read access, not just at login/logout; handle system crashes gracefully)
manual, snapshot-based backup solution (backups will live on external hard drive connected on demand via USB)
keep multiple snapshots around on the backup drive
ability to restore the whole home directory from the backup
ability to restore individual files from arbitrary snapshots, without restoring the whole snapshot
ability to delete old snapshots from the backup drive, without deleting newer ones
the backups should be encrypted (ideally in the same way as the home directory encryption)
the backups should remember file permissions, symbolic links, etc.
space-efficient storage of backups (incremental, possibly compressed) is more important than speed
I'm using ext4 on both my home partition and on the external hard drive, but am open to other file systems if that helps.
Ideas?
my AUR packages ~~ my community contributions
Regarding encryption, I don't think that what you are saying is possible, simply because it will use a tremendous amount of CPU time on large files. You might want to set up an encrypted dir or use gpg for individual files. Just google "arch linux encryption".
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Hi,
up until now, I've neither used an encrypted home folder nor did I do proper backups of my files.
Here is what I'd like to have:
encrypted home folder (ideally en/decrypt on all write/read access, not just at login/logout; handle system crashes gracefully)
manual, snapshot-based backup solution (backups will live on external hard drive connected on demand via USB)
keep multiple snapshots around on the backup drive
ability to restore the whole home directory from the backup
ability to restore individual files from arbitrary snapshots, without restoring the whole snapshot
ability to delete old snapshots from the backup drive, without deleting newer ones
the backups should be encrypted (ideally in the same way as the home directory encryption)
the backups should remember file permissions, symbolic links, etc.
space-efficient storage of backups (incremental, possibly compressed) is more important than speed
I use eCryptfs for $HOME encryption. It is a (cryptographic) stacked filesystem, which means you keep using your ext4 (but of course
there is a performance penalty with encryption overhead; however, this is *not* a FUSE file-system so it's not *that* slow).
Now, about backups. I use standard rsync based backups with rotating backup snapshots as described on http://mikerubel.org
and implemented numerous times by people all over. I call my own implementation rybackup, and it does backups
of all my systems including those with eCryptfs where it must not back up plain data, only encrypted. This script can do backups
to NFS, removable storage, SSHFS ... without too much setup complications.
Now, about restores. My code includes a restore script (mainly for quick restores of deleted files or directories with snapshot selection,
full restores are more of a rescue operation anyway). However, if you choose to use filename encryption, restores of individual files are
no longer as simple, since you can't identify your specific file easily. There are a few methods to make it easier, but let's not get into that
right now.
Now, about all those other points you listed. Since eCryptfs is a file-system, all the permissions and links are nothing special, and
incremental backups of *encrypted* data are still very much possible, and done no differently than backups of non-eCryptfs
systems. Same goes for space-efficiency - the way Mike's backup method works is keeping hard-links and unlinking files that
changed automatically. Which means all your backups combined are as big (small) as one full snapshot + differences between
them.
If you want to know more about eCryptfs and $HOME encryption read this article: http://sysphere.org/~anrxc/j/articles/e … index.html
Last edited by anrxc (2011-11-04 00:00:36)
You need to install an RTFM interface.
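The hard-link snapshot rotation described in the post above, as an added example that is not part of the original post and is not anrxc's rybackup. It assumes `SRC` is the eCryptfs lower (ciphertext) directory, so only encrypted data reaches the backup drive; the function names, paths and snapshot names are illustrative.

```shell
#!/bin/sh
# Added example, not anrxc's rybackup. Assumptions: SRC is the eCryptfs lower
# (ciphertext) directory, e.g. ~/.Private; DEST is a directory on the backup drive.

# snapshot SRC DEST NAME
# Creates DEST/NAME. Files unchanged since the newest snapshot (DEST/latest)
# become hard links to it, so they take no extra space.
snapshot() {
    src=$1; dest=$2; name=$3
    mkdir -p "$dest" || return 1
    if [ -e "$dest/$name" ]; then
        echo "snapshot '$name' already exists" >&2
        return 1
    fi
    # -a keeps permissions, ownership, times and symlinks; -H keeps hard links
    set -- -aH
    if [ -d "$dest/latest" ]; then
        # --link-dest needs an absolute path; pwd -P resolves the symlink
        set -- "$@" "--link-dest=$(cd "$dest/latest" && pwd -P)"
    fi
    rsync "$@" "$src/" "$dest/$name/" || return 1
    ln -sfn "$name" "$dest/latest"
}

# prune DEST KEEP
# Deletes the oldest snapshots until KEEP remain. Data shared with a newer
# snapshot survives, because rm only drops one of the file's hard links.
prune() {
    dest=$1; keep=$2; total=0
    for d in "$dest"/*/; do
        if [ -d "$d" ] && [ ! -L "${d%/}" ]; then total=$((total + 1)); fi
    done
    for d in "$dest"/*/; do        # glob order is oldest first for date names
        if [ ! -d "$d" ] || [ -L "${d%/}" ]; then continue; fi
        if [ "$total" -le "$keep" ]; then break; fi
        rm -rf -- "${d%/}"
        total=$((total - 1))
    done
    return 0
}

# Typical call, with snapshot names that sort chronologically:
#   snapshot "$HOME/.Private" /mnt/backup/home "$(date +%Y-%m-%dT%H%M%S)"
#   prune /mnt/backup/home 5
```

A snapshot taken this way can only be read back with the wrapped passphrase (or the mount passphrase it protects), so that key material needs its own copy outside the machine being backed up.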
The method I use involves LUKS which is a block level encryption technique.
The simple gist is:
1) define a partition of interest (/home or /home/$user)
2) label it as an encrypted volume to be mounted via LUKS using the device mapper on boot
3) create a usb based keyfile that is read on log-in for mounting the partition of interest
4) backup is performed to an external HDD that is also encrypted via LUKS and mounted in a CRON script that executes an rsync backup then unmounts the drive
Hope that helps.
Last edited by vinhsynd (2011-11-05 03:34:29)
The older I get the less time I have.
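A sketch of the cron job from step 4 of the post above, as an added example that is not part of the original post and is not vinhsynd's script. The device, keyfile, mapper name and mount point are assumed placeholders, and `run`/`DRY_RUN` are helpers introduced here so the command sequence can be reviewed without touching a disk.

```shell
#!/bin/sh
# Added example, not vinhsynd's script. Every value below is an assumed
# placeholder: substitute your own device, keyfile and paths.
DEV=${DEV:-/dev/disk/by-uuid/REPLACE-WITH-BACKUP-UUID}
KEYFILE=${KEYFILE:-/path/to/usb/keyfile}
MAPPER=${MAPPER:-backup_crypt}
MNT=${MNT:-/mnt/backup}
SRC=${SRC:-/home}

# With DRY_RUN=1 commands are printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Unlock, mount, sync, then always unmount and lock again, so a failed
# rsync or mount never leaves the backup volume unlocked.
luks_backup() {
    rc=0
    if ! run test -b "$DEV"; then
        echo "backup drive not connected: $DEV" >&2
        return 1
    fi
    run cryptsetup open --type luks --key-file "$KEYFILE" "$DEV" "$MAPPER" || return 1
    if run mount "/dev/mapper/$MAPPER" "$MNT"; then
        # -aHAX: permissions, hard links, ACLs, xattrs; --delete mirrors removals
        run rsync -aHAX --delete "$SRC/" "$MNT/home/" || rc=1
        run umount "$MNT" || rc=1
    else
        rc=1
    fi
    run cryptsetup close "$MAPPER" || rc=1
    return "$rc"
}

# From cron (as root): call luks_backup and let a non-zero status trigger mail.
```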
@anrxc
Thanks for the explanation (and the very useful article).
I like the approach of file-system level encryption on top of ext4, instead of being forced to preallocate a fixed-size block device for encrypted data.
What I don't understand, though, is why I need to keep a key file ("wrapped passphrase") around in the non-encrypted part of the file system.
Is this the case with all disk encryption solutions?
In my eyes it's just one more thing to keep track of, which will cause me to lose all my data if it's damaged or lost.
In the end, the security comes down to my passphrase anyways (which is also my login password, and which I intend to use for auto-mounting the eCryptfs filesystem on login).
I accept that adding a salt to the password provides additional security against some forms of dictionary attacks, but couldn't this salt be stored in the headers of the encrypted files like all the other cryptographic metadata, and used to generate the wrapped-passphrase on the fly?
my AUR packages ~~ my community contributions
4) backup is performed to an external HDD that is also encrypted via LUKS
But then performing the backup entails decrypting all the files, just to encrypt them again on the external HDD, right?
my AUR packages ~~ my community contributions