This isn’t part of
rsbackup proper, but since you
might well want to encrypt your backups, the setup process is
The main threat I’m interested in protecting against is that a petty criminal comes into possession of my backup disk either by stealing it from an offsite location, or because I manage to lose it somehow. I don’t want them able to read my email or gain access to website passwords (of which I have far too many to remember, and most of them don’t protect anything especially important).
I’m not especially interested in protecting my backups from the NSA. If an organisation with government-level resources were to take an interest in me, then realistically they have better tools available than stealing my backups.
The reason I document this is that, if you are interested in defending against better-resourced attacks than I am (for instance if you live in a country with a highly repressive government), the details below may not be suitable for you.
The device mapper is the Linux kernel’s framework for creating virtual block devices. In this case, we are interested in creating a virtual block device that has the plain text corresponding to encrypted data on a physical block device.
dm-crypt is the low-level means of achieving this: writes to the virtual block device are encrypted and forwarded to the underlying physical device, and similarly reads from the virtual block devices are forwarded to the physical device and the content decrypted. The plain text will not be available if the correct key has not been supplied.
Linux Unified Key Setup (LUKS) is a specific encryption scheme that we’ll use.
cryptsetup is a command line tool we’ll use to set things up.
First create the partition to encrypt, using your favourite
lvcreate, or whatever. Any
pre-existing contents will be destroyed, so take a backup if
there is anything important there. I’ll assume below that the
device name for the partition it
obviously you should change this to whatever device you are
To create the LUKS data structures and establish a key:
# cryptsetup luksFormat /dev/sdb1 WARNING! ======== This will overwrite data on /dev/sdb1 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful.
As you can see, you must choose a passphrase. The default encryption key is 128 bits long, so it’s worth using a longer password than the traditional 8 characters, provided you can actually remember it. (A password you can’t remember is no use whatsoever.)
cryptsetup also supports reading the key
from a file. If keeping the key file safe somewhere (a couple
of well-hidden USB sticks, say) is easier than remembering a
suitably long passphrase, that might be more appropriate.
cryptsetup offers a variety of
cipher specifications. You may wish to review the available
options and consult the cryptsetup
FAQ rather than accepting the default.
At this point the encrypted partition exists but does not have any filesystem in it and the underlying plaintext is not accessible. It’s possible to detect the format:
# cat /dev/sdb1 | file - /dev/stdin: LUKS encrypted file, ver 1 [aes, cbc-essiv:sha256, sha1] UUID: c3ad50a5-a379-4e72-9f92-cacf592
The next step is to create a virtual block device with the plaintext:
# cryptsetup luksOpen /dev/sdb1 backup3 Enter LUKS passphrase: key slot 0 unlocked. Command successful. # ls -l /dev/mapper/backup3 brw-rw---- 1 root disk 254, 7 2010-03-14 15:54 /dev/mapper/backup3
You will need to re-enter the passphrase you chose earlier.
At this point you can create a filesystem:
# mkfs -j -Lbackup3 /dev/mapper/backup3 mke2fs 1.41.3 (12-Oct-2008) Filesystem label=backup3 OS type: Linux Block size=4096 (log=2) Fragment size=4096 (log=2) 62336 inodes, 248870 blocks 12443 blocks (5.00%) reserved for the super user First data block=0 Maximum filesystem blocks=255852544 8 block groups 32768 blocks per group, 32768 fragments per group 7792 inodes per group Superblock backups stored on blocks: 32768, 98304, 163840, 229376 Writing inode tables: done Writing superblocks and filesystem accounting information: done This filesystem will be automatically checked every 29 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override.
When I did this on a 4TB USB2-attached disk, it took about 40 minutes. So you might want to go away and do something else.
By default the filesystem will be regularly fsck’d. You can suppress this, if you want:
# tune2fs -c0 -i0 /dev/mapper/backup3
It’s now possible to mount the new filesystem:
# mount /dev/mapper/backup3 /mnt # really ls -l /mnt total 16 drwx------ 2 root root 16384 2010-03-14 15:55 lost+found richard@araminta:~$ df -h /mnt Filesystem Size Used Avail Use% Mounted on /dev/mapper/backup3 957M 1.2M 908M 1% /mnt
So now you can create files, take backups, etc.
Note that just because the disk is encrypted does not imply that other users of the system cannot get at its contents while it’s mounted. The normal file permission rules apply.
To unmount and detach the disk:
# umount /mnt # cryptsetup luksClose backup3