November 1, 2006
Encrypted backups
This document explains how to create and automate encrypted backups on Linux, using standard tools.
1. Prepare an encrypted file system
Create a file the size of a DVD (make sure at least 4.5 GB are free on the target filesystem, /opt for instance):
dd if=/dev/zero of=/opt/encrypted_filesystem bs=1024k count=4489 (for a DVD-R)
dd if=/dev/zero of=/opt/encrypted_filesystem bs=1024k count=4450 (DVD-RW discs are a bit smaller)
dd if=/dev/zero of=/opt/encrypted_filesystem bs=1024k count=700 (700 MB CD-ROM)
Make sure the following modules are loaded (you can use blowfish or serpent instead of aes; see /lib/modules/*/kernel/crypto/ for the available ciphers):
modprobe loop
modprobe cryptoloop
modprobe aes
Set up the loop device; you will be prompted for a password:
losetup -e aes /dev/loop0 /opt/encrypted_filesystem
Format the filesystem:
mkfs -t ext2 /dev/loop0
The following command sets the reserved block percentage to 0, making more space available for data:
tune2fs -m 0 /dev/loop0
2. Copy your files to the new encrypted filesystem
The filesystem is now ready and can be mounted with:
mount /dev/loop0 /mnt/encrypted
The files can now be copied onto it:
cp ~/* /mnt/encrypted
Unmount the encrypted filesystem and detach the loop device afterwards:
umount /dev/loop0
losetup -d /dev/loop0
3. Burn the data to a CD/DVD
growisofs -dvd-compat -Z /dev/dvd=/opt/encrypted_filesystem
4. Use your backups when needed
Mount the CD/DVD with:
losetup -e aes /dev/loop0 /dev/dvd
mount /dev/loop0 /mnt/cdrom
Unmount it once you are finished:
umount /dev/loop0
losetup -d /dev/loop0
5. Create new backups, using the same password
Re-mount the encrypted filesystem created earlier:
losetup -e aes /dev/loop0 /opt/encrypted_filesystem
mount /dev/loop0 /mnt/encrypted
Delete the existing files:
rm -rf /mnt/encrypted/*
Copy the new files:
cp -R /usr /mnt/encrypted/
Unmount the filesystem and detach the loop device:
umount /dev/loop0
losetup -d /dev/loop0
Burn to a DVD (see cdrecord for burning CD-ROMs):
growisofs -dvd-compat -Z /dev/dvd=/opt/encrypted_filesystem
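The cycle from sections 1, 2 and 5 wrapped into shell functions so it can be run from cron, as an added example that is not part of the original page. The variables IMAGE, LOOP, MNT, CIPHER, SRC and the DRY_RUN switch are assumptions of this script; with DRY_RUN=1 (the default here) every privileged command is printed instead of executed, and the refresh step refuses to delete anything unless the loop device actually attached and mounted.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed knobs:
IMAGE="${IMAGE:-/opt/encrypted_filesystem}"
LOOP="${LOOP:-/dev/loop0}"
MNT="${MNT:-/mnt/encrypted}"
CIPHER="${CIPHER:-aes}"      # or blowfish / serpent, see section 1
SRC="${SRC:-$HOME}"
DRY_RUN="${DRY_RUN:-1}"      # 1 = print commands only

# dd block count (1 MiB blocks) for each medium, as given in section 1
media_count() {
  case "$1" in
    dvd-r)  echo 4489 ;;
    dvd-rw) echo 4450 ;;
    cd)     echo 700 ;;
    *) echo "media_count: unknown medium '$1'" >&2; return 1 ;;
  esac
}

# print or execute a command, returning its exit status
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Section 1: create the container, attach it through cryptoloop, format it.
create_image() {
  count="$(media_count "$1")" || return 1
  run dd if=/dev/zero of="$IMAGE" bs=1024k count="$count" &&
  run losetup -e "$CIPHER" "$LOOP" "$IMAGE" &&   # prompts for the passphrase
  run mkfs -t ext2 "$LOOP" &&
  run tune2fs -m 0 "$LOOP" &&
  run losetup -d "$LOOP"
}

# attach fails as a whole if either step fails, so nothing below touches
# an unmounted directory
attach() {
  run losetup -e "$CIPHER" "$LOOP" "$IMAGE" && run mount "$LOOP" "$MNT"
}

detach() {
  run umount "$LOOP" && run losetup -d "$LOOP"
}

# Section 5: refresh the contents with the same passphrase.
refresh() {
  attach || return 1
  run rm -rf "$MNT"/*
  run cp -R "$SRC" "$MNT"/
  detach
}

# Section 3: burn the image to a DVD
burn() { run growisofs -dvd-compat -Z /dev/dvd="$IMAGE"; }
```

Run with DRY_RUN=0 as root to perform the steps; the passphrase prompt from losetup still appears, as in the manual procedure. cryptoloop has since been deprecated in favour of dm-crypt/LUKS, so on a modern kernel only attach and detach would need replacing.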
More info:
man losetup