When you store your backups on an external drive that you occasionally take with you, it is a very good idea to encrypt them. Here are some personal conclusions after trying 2 different solutions.

eCryptFs

Advantages (reasons to choose):

  • stacked – can be used on top of another filesystem, even on top of NTFS
  • allocated on the fly – no need to pre-allocate space. This allows mixing encrypted and non-encrypted files
  • the setup of eCryptFs on top of NTFS with mixed encrypted and plain files offers some degree of interoperability with other OSes (Win, OSX)

Disadvantages:

  • slower than other methods, especially when allocating/deallocating a large number of inodes (small files), as happens in rsync operations (way slower), which are typical for backups (see 1 and 2).
  • some information about the topology of your files remains visible: number, size, etc.

How to use it:

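<pre lang="bash">#!/bin/bash
# Mount an eCryptFs directory in place (the same path is used as lower and upper directory).
if [ -z "$1" ]; then
    echo "Usage: $0 path"
    exit 1
fi

TO=$1
read -r -p "Secure password: " -s MNT_PASS
echo
# Add the passphrase to the keyring and take the filename encryption key (FNEK) signature from the last output line
FNEK=$(printf "%s" "$MNT_PASS" | ecryptfs-add-passphrase --fnek - | tail -n1 | cut -c29-44)
echo "Using fnek sig: $FNEK"
# Note: the passphrase is part of the mount options, so it appears in the arguments of the mount command
mount -t ecryptfs "$TO" "$TO" -o "ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,no_sig_cache,ecryptfs_fnek_sig=$FNEK,key=passphrase:passphrase_passwd=$MNT_PASS"

# Assumes a marker file named "mark" was created inside the mounted directory on first use;
# if it is visible under its plain name, the passphrase decrypted the filenames correctly
if [ -f "$TO/mark" ]; then
    echo "Success!"
else
    echo "Failed!"
    exit 1
fi
</pre>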

LUKS

Advantages:

  • faster than eCryptFs (see 1)

Disadvantages:

  • requires a pre-allocated partition, cannot mix encrypted with unencrypted files

How to initialize it (once):

<pre lang="bash"># luksFormat overwrites the partition header: any existing data on /dev/sdb2 is lost
cryptsetup --verify-passphrase luksFormat /dev/sdb2 -c aes -s 256 -h sha256
cryptsetup luksOpen /dev/sdb2 backup # this will create /dev/mapper/backup
# create filesystem
mkfs.ext4 -m 1 -O dir_index,filetype /dev/mapper/backup
# mount
mount /dev/mapper/backup /media/backup
</pre>

How to use it:

<pre lang="bash">cryptsetup luksOpen /dev/sdb2 backup # this will create /dev/mapper/backup
mount /dev/mapper/backup /media/backup

# ... do your stuff

# unmount first, then close the mapping so the drive is locked again
umount /dev/mapper/backup
cryptsetup luksClose backup
</pre>
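
The LUKS open, mount, work, unmount, close sequence above can be wrapped so that the volume is locked again even when the copy step fails. This is an added example, not code from the original post; `SRC`, `DRY_RUN` and the function names `run`, `lock` and `backup_cycle` are assumptions, and `rsync -a` stands in for "do your stuff".

```shell
#!/bin/bash
# Added example, not from the original post. Assumed names: SRC, DRY_RUN,
# run, lock, backup_cycle. Device, mapping and mount point are the page's.
DEV=${DEV:-/dev/sdb2}
NAME=${NAME:-backup}
MNT=${MNT:-/media/backup}
SRC=${SRC:-/home/}            # assumed: directory tree to back up
opened=0
mounted=0

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Undo whatever was set up, in reverse order: unmount, then close the mapping.
lock() {
    [ "$mounted" = 1 ] && run umount "$MNT" && mounted=0
    [ "$opened" = 1 ] && run cryptsetup luksClose "$NAME" && opened=0
    return 0
}

# Open, mount, copy, then always lock again; returns the failing step's status.
backup_cycle() {
    rc=0
    if run cryptsetup luksOpen "$DEV" "$NAME"; then
        opened=1
        if run mount "/dev/mapper/$NAME" "$MNT"; then
            mounted=1
            run rsync -a "$SRC" "$MNT/" || rc=$?
        else
            rc=$?
        fi
    else
        rc=$?
    fi
    lock
    return "$rc"
}

# Stand-alone use (as root): pass the source directory as the first argument.
if [ -n "${1:-}" ]; then
    SRC=$1
    trap 'lock; exit 130' INT TERM   # re-lock on Ctrl-C or kill as well
    backup_cycle
    exit $?
fi
```

Running it with `DRY_RUN=1` prints the five commands without touching the device, which is a quick way to check the paths before the first real run.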