Inspired by World Backup Day, I decided to take a backup of my laptop. Thanks to using a free operating system I don't have to backup any of my software, just configuration and data files, which fit on a single DVD.

In order to avoid worrying too much about secure storage and disposal of these backups, I have decided to encrypt them using a standard encrypted loopback filesystem.

(Feel free to leave a comment if you can suggest an easier way of doing this.)

Cryptmount setup

Install cryptmount:

apt-get install cryptmount

and setup two encrypted mount points in /etc/cryptmount/cmtab:

backup {
  dev=/backup.dat
  dir=/backup
  fstype=ext4
  mountoptions=defaults,noatime

  keyfile=/backup.key
  keyhash=sha512
  keycipher=aes-xts-plain64
  keyformat=builtin
  cipher=aes-xts-plain64
}

testbackup {
  dev=/media/cdrom/backup.dat
  dir=/backup
  fstype=ext4
  mountoptions=defaults,noatime,ro,noload

  keyfile=/media/cdrom/backup.key
  keyhash=sha512
  keycipher=aes-xts-plain64
  keyformat=builtin
  cipher=aes-xts-plain64
}

Initialize the encrypted filesystem

Make sure you have at least 4.3 GB of free disk space on / and then run:

mkdir /backup
dd if=/dev/zero of=/backup.dat bs=1M count=4096
cryptmount --generate-key 32 backup
cryptmount --prepare backup
mkfs.ext4 -m 0 /dev/mapper/backup
cryptmount --release backup

Alternatively, if you're using a double-layer DVD then use this dd line:

dd if=/dev/zero of=/backup.dat bs=1M count=8000

Burn the data to a DVD

Mount the newly created partition:

cryptmount backup

and then copy the files you want to /backup/ before unmounting that partition:

cryptmount -u backup

Finally, use your favourite DVD-burning program to burn these files:

  • /backup.dat
  • /backup.key
  • /etc/cryptmount/cmtab

Test your backup

Before deleting these two files, test the DVD you've just burned by mounting it:

mount /cdrom  
cryptmount testbackup

and looking at a random sampling of the files contained in /backup.

Once you are satisfied that your backup is fine, umount the DVD:

cryptmount -u testbackup  
umount /cdrom

and remove the temporary files:

rm /backup.dat /backup.key