Inspired by World Backup Day, I decided to take a backup of my laptop. Thanks to using a free operating system I don't have to back up any of my software, just configuration and data files, which fit on a single DVD.

In order to avoid worrying too much about secure storage and disposal of these backups, I have decided to encrypt them using a standard encrypted loopback filesystem.

(Feel free to leave a comment if you can suggest an easier way of doing this.)

Cryptmount setup

Install cryptmount:

apt-get install cryptmount

and set up two encrypted mount points in /etc/cryptmount/cmtab:

# Container file and key created on the local disk
backup {
  dev=/backup.dat
  dir=/backup
  fstype=ext2    fsoptions=defaults    cipher=aes

  keyfile=/backup.key
  keyhash=sha1    keycipher=des3
}

# The same container and key, read back from the burned DVD
testbackup {
  dev=/cdrom/backup.dat
  dir=/backup
  fstype=ext2    fsoptions=defaults    cipher=aes

  keyfile=/cdrom/backup.key
  keyhash=sha1    keycipher=des3
}

Initialize the encrypted filesystem

Make sure you have at least 4.3 GB of free disk space on / and then run:

mkdir /backup  
dd if=/dev/zero of=/backup.dat bs=1M count=4096  
cryptmount --generate-key 32 backup  
cryptmount --prepare backup  
mkfs.ext2 -m 0 /dev/mapper/backup  
cryptmount --release backup

Burn the data to a DVD

Mount the newly created partition:

cryptmount backup

and then copy the files you want to /backup/ before unmounting that partition:

cryptmount -u backup

Finally, use your favourite DVD-burning program to burn these two files:

  • /backup.dat
  • /backup.key

Test your backup

Before deleting these two files, test the DVD you've just burned by mounting it:

mount /cdrom  
cryptmount testbackup

and looking at a random sampling of the files contained in /backup.

Once you are satisfied that your backup is fine, unmount the DVD:

cryptmount -u testbackup  
umount /cdrom

and remove the temporary files:

rm /backup.dat /backup.key
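
The random sampling in "Test your backup" can be made exhaustive. The script below is an added example, not part of the original post: it hashes every file under a source directory and confirms that the mounted backup holds an identical copy, so it should be run while testbackup is still mounted and before the rm step. The function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: compare every source file with its copy in the mounted backup.
# manifest and verify_backup are names chosen here, not cryptmount commands.

# manifest DIR: one "sha256  ./relative/path" line per regular file, sorted.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort
}

# verify_backup SRC BACKUP
# Returns 0 when every file under SRC exists under BACKUP with identical
# content, 1 when a file is missing or differs (or SRC holds no files),
# and 2 on a usage error. Files that exist only in BACKUP are ignored.
verify_backup() {
    src=$1
    bak=$2
    [ -d "$src" ] && [ -d "$bak" ] || {
        echo "usage: verify_backup SRC BACKUP" >&2
        return 2
    }
    tmp=$(mktemp -d) || return 2
    manifest "$src" > "$tmp/src"
    manifest "$bak" > "$tmp/bak"
    # Lines present only in the source manifest are files that are missing
    # from the backup or whose hash differs there.
    LC_ALL=C comm -23 "$tmp/src" "$tmp/bak" > "$tmp/bad"
    total=$(($(wc -l < "$tmp/src")))
    bad=$(($(wc -l < "$tmp/bad")))
    sed 's/^[0-9a-f]*  /MISSING OR CHANGED: /' "$tmp/bad" >&2
    rm -rf "$tmp"
    echo "$((total - bad))/$total files verified"
    [ "$total" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Usage (paths are placeholders for whatever you copied into /backup):
#   cryptmount testbackup
#   verify_backup "$HOME/Documents" /backup/Documents && echo "backup OK"
```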

It would be better if you didn't use /dev/zero to create the backing "media" (your backup.dat file).

To get better protection (since you are encrypting things anyway), you should use /dev/urandom (not /dev/random, as this will block).

Of course, you can always feed the entropy pool as simply as doing random stuff on your desktop (the usual sources) and using the package randomsound, while you listen to some music to be used as entropy.

Comment by Rogério

For the really paranoid you might consider doing a shred -u -z on the backup.key file. It should be unnecessary for the backup.dat but if you have the time and entropy, you could do that too.
Comment by Anonymous

If it is for long-term storage (e.g. more than a couple of weeks) I wouldn't encrypt it. When the time comes you'll have forgotten the password and/or the technology won't work the same.
I encrypt a backup which gets written over frequently (so there is continuity of password/technology), but anything written to a DVD I wouldn't.

Comment by Anonymous
You don't mention it explicitly, but are you burning the encrypted file and the key together on the same disk?
Comment by Anonymous

I have burned the key to the same media. It's possibly not as secure as having it on two separate discs since the passphrase could be brute-forced. But since the primary purpose of making a backup is to be able to restore stuff, I do want to be able to get to both pieces quickly if I need to.

Have you got a different (more secure?) strategy that works for you?

Comment by François