When you store backups on an external drive that you occasionally take with you, it is a very good idea to encrypt them. Here are some personal conclusions after trying 2 different solutions.
eCryptFs
Advantages (reasons to choose):
- stacked – can be used on top of another filesystem, even on top of NTFS
- allocated on the fly – no need to pre-allocate your space. This allows mixing encrypted with non-encrypted files
- the setup of eCryptFs on top of NTFS with mixed encrypted and plain files offers some degree of interoperability with other OSes (Win, OSX)
Disadvantages:
- slower than other methods, especially when allocating/deallocating a large number of inodes (small files), as in rsync operations (way slower), which are typical for backups (see 1 and 2).
- some information about the topology of your files remains visible: number, size, etc.
How to use it:
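<pre lang="bash">#!/bin/bash
# Mount an eCryptfs directory on top of itself, with filename encryption enabled.
if [ -z "$1" ]; then
    echo "Usage: $0 path"
    exit 1
fi
TO=$1
read -r -s -p "Secure password: " MNT_PASS
echo
# Load the passphrase into the keyring; the last output line carries the
# filename encryption key (FNEK) signature.
FNEK=$(printf "%s" "$MNT_PASS" | ecryptfs-add-passphrase --fnek - | tail -n1 | cut -c29-44)
echo "Using fnek sig: $FNEK"
# Note: the passphrase is part of the mount options, so it is visible in the
# process list while mount runs, and a comma in it would split the option list.
mount -t ecryptfs "$TO" "$TO" -o ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,no_sig_cache,ecryptfs_fnek_sig="$FNEK",key=passphrase:passphrase_passwd="$MNT_PASS"
# "mark" is assumed to be a file created inside the mounted directory beforehand;
# its name only decrypts correctly when the right passphrase was given.
if [ -f "$TO/mark" ]; then
    echo "Success!"
else
    echo "Failed!"
    exit 1
fi
</pre>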
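The script above cuts the FNEK signature out of fixed columns, so an error message from `ecryptfs-add-passphrase` would be sliced and handed to `mount` as a signature. The following is an added example, not part of the original post, that matches the signature by pattern and rejects passphrases that would break the `-o` list. The function names and the sample output are constructed here, assuming the tool's usual "Inserted auth tok with sig [...]" line format.

```shell
#!/bin/sh
# Added example: validate what goes into the eCryptfs mount options.

# Constructed sample of `ecryptfs-add-passphrase --fnek -` output
# (the signatures are made up; the last line is the FNEK one).
sample_output() {
  cat <<'EOF'
Inserted auth tok with sig [0123456789abcdef] into the user session keyring
Inserted auth tok with sig [fedcba9876543210] into the user session keyring
EOF
}

# Read tool output on stdin, print the 16-hex-digit signature found in
# brackets on the last line. Returns 1 if the last line has no such
# signature (for example when the tool printed an error instead).
extract_fnek_sig() {
  _last=$(tail -n1)
  _sig=$(printf '%s\n' "$_last" | sed -n 's/^.*\[\([0-9a-f]\{16\}\)].*$/\1/p')
  [ -n "$_sig" ] || return 1
  printf '%s\n' "$_sig"
}

# mount -o is a comma-separated list, so a passphrase interpolated into it
# must not be empty or contain a comma. Returns 0 if it is safe to embed.
passphrase_is_mount_safe() {
  case $1 in
    ''|*,*) return 1 ;;
  esac
  return 0
}

# Demo on the constructed sample: prints fedcba9876543210
sample_output | extract_fnek_sig
```

In the mount script, pipe the real `ecryptfs-add-passphrase` output through `extract_fnek_sig` and abort before calling `mount` if either function returns non-zero.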
LUKS
Advantages:
- faster than eCryptFs (see 1)
Disadvantages:
- requires a pre-allocated partition, cannot mix encrypted with unencrypted files
How to initialize it (once):
<pre lang="bash"># luksFormat overwrites whatever is on /dev/sdb2; double-check the device name first
cryptsetup --verify-passphrase luksFormat /dev/sdb2 -c aes -s 256 -h sha256
cryptsetup luksOpen /dev/sdb2 backup # this will create /dev/mapper/backup
# create filesystem
mkfs.ext4 -m 1 -O dir_index,filetype /dev/mapper/backup
# mount
mount /dev/mapper/backup /media/backup
</pre>
How to use it:
<pre lang="bash">cryptsetup luksOpen /dev/sdb2 backup # this will create /dev/mapper/backup
mount /dev/mapper/backup /media/backup
# ... do your stuff
umount /dev/mapper/backup
cryptsetup luksClose backup
</pre>