
Re: how to backup to an encrypted usb drive?




> On Wed, Nov 14, 2018 at 12:52:57PM -0500, Lee wrote:
>> On 11/14/18, Reco <recoverym4n@xxxxxxxxxxxx> wrote:
  <.. snip ..>
>> > If you're content with losing all this metadata in your backup - there
>> > are rsync, cpio or tar. Or all those 'backup solutions' based on those.
>>
>> Do I need all that metadata?  This is for me at home so it's pretty
>> much a single user machine.
>
> That's for you to decide. I'd say you definitely need it for the backups
> of / and /var and can *probably* skip it for /home, but YMMV.
>
>
>> >> > For the encryption of this hypothetical drive (I don't use USB drives
>> >> > for these purposes) - luks only.
>> >>
>> >> Why don't you like USB drives for these purposes?
>> >
>> > Because backing up something to NFS share is easier.
>>
>> but leaves you open to cryptolocker ransomware & various 'oh shit!'
>> moments when I do something stupid.  Offline & offsite is worth a
>> certain amount of inconvenience to me.
>
> Nope. Because:
>
> a) You do not do backups as a regular user.

On Windows I certainly do.  But if I need all the file metadata as
well as the files.. yeah, probably not & I'm going to have to rethink
my whole backup process.

> b) You do not keep a single backup.
>
> Besides, avoiding all those cryptolockers is easy. You just need to
> learn to distinguish a trusted software from the untrusted. A trusted
> software comes to you with your OS (in this case - Debian main archive).
> An untrusted software comes from elsewhere. Keep to a trusted software
> and you'll be fine.

Most probably.  But I think using Firefox comes with a certain amount
of risk - probably not all that much on Debian but still a risk; as
does having an all-the-time online backup.

> Avoiding human mistakes is impossible indeed, hence the backups. And
> filesystem snapshots, but that's a different matter.
>
>
>> > And, I'm a strong believer of 'machine works, human thinks' principle.
>> > Automating backups to NFS (and replicating them from there) is simple.
>> > Automating backup to USB drive - that's something that cannot be done
>> > without human intervention.
>> >
>> >> In other words, what am I missing?
>
> A good backup is run by cron. A bad backup is run manually.
> Simple as that.

How do you check that your cron backups worked?  Which is assuming you
do check :)
The manual backups I do are fast enough that I can watch and see that
nothing went wrong.

>> > Encrypted backups have their purpose, of course. For storing backups
>> > offsite (whether it's physical or cloud) encryption is invaluable.
>> >
>> > But, the encryption is only as secure as the management of the
>> > encryption key, and the only relatively secure example of that I can
>> > come up with is gpg. And utilizing gpg for unattended backups is painful
>> > to say the least.
>>
>> Which is why I liked truecrypt.  Is luks roughly equivalent for
>> encrypting the whole drive?
>
> No, it's better. More encryption algorithms, definitely more code audit
> *and* virtually zero 'became superuser' vulnerabilities.

OK - good to know!

Thanks,
Lee