I need to be able to back up my data to an external hard drive that will be stored off site to protect my data if my house burns down or the contents are stolen. I also want the data to be private, so that means an encrypted hard drive. I am using Ubuntu 14.04. This machine is a headless server, so all commands are entered from the terminal over SSH. I have incorporated all of these commands into a Python backup script for ease of use. Terminal code will look like this sentence.
If you have a monitor hooked up to your computer, GUI tools are available.
- References
- Install cryptsetup
sudo apt-get install cryptsetup
- Identify the correct hard drive to use. You will be erasing all data on the drive.
- see post https://blog.chadchenault.com/2015/01/03/identify-a-hard-drive-serial-number-in-linux-ubuntu-14-04/
- Note the UUID of the drive from the post above; the following commands use it to refer to the device
- Fill the hard drive with random data. I saw arguments where this step is not required; however, I felt it was safer to do this and I am not in a rush. This step takes a long time.
- run command as root
sudo -s
- This method is fast if the CPU supports AES-NI (hardware acceleration). See http://serverfault.com/questions/6440/is-there-an-alternative-to-dev-urandom
openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero | pv -pterb > /dev/sdj
- This was another command posted but was not as fast
dd if=/dev/urandom of=/dev/sdj
- I then played a YouTube playlist in the background to help generate random data
- Encrypt the hard drive
- http://linux.die.net/man/8/cryptsetup
- You can change the type and strength of encryption with options
- from https://www.schneier.com/blog/archives/2014/04/auditing_truecr.html
sudo cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 luksFormat /dev/disk/by-uuid/2228745a-0db3-48c7-b582-5a3ddf7e7c70
- Verify the encryption is using LUKS
sudo cryptsetup -v isLuks /dev/disk/by-uuid/2228745a-0db3-48c7-b582-5a3ddf7e7c70
- Output should be “Command successful.” if it is a LUKS device
- Open the encrypted device (decrypt/unlock the device)
- The first time the encrypted device is opened, a symbolic link called a “mapping” is created which becomes the name of the LUKS device.
- For example I chose a descriptive name “backup.serv-offsite” and the LUKS device will be created at /dev/mapper/backup.serv-offsite. “/dev/mapper/backup.serv-offsite” will only be created when the LUKS device is opened.
sudo cryptsetup -v luksOpen /dev/disk/by-uuid/2228745a-0db3-48c7-b582-5a3ddf7e7c70 backup.serv-offsite
- See if the LUKS device is already unlocked/open.
sudo cryptsetup status backup.serv-offsite
- output if device is opened
- /dev/mapper/backup.serv-offsite is active and is in use.
- type: LUKS1
- cipher: aes-xts-plain64
- keysize: 512 bits
- device: /dev/sde
- offset: 4096 sectors
- size: 3907025072 sectors
- mode: read/write
- output if device is closed
- /dev/mapper/backup.serv-offsite is inactive.
- Create a filesystem once device is opened
sudo mkfs.ext4 /dev/mapper/backup.serv-offsite
- Mount the filesystem
sudo mount --verbose -t ext4 /dev/mapper/backup.serv-offsite /media/bkup.mserv
- /dev/mapper/backup.serv-offsite is the opened LUKS device
- /media/bkup.mserv is the mount point of the LUKS device
- Unmount the filesystem
sudo umount /media/bkup.mserv
- Close the LUKS device so that the data stays private
sudo cryptsetup -v close backup.serv-offsite
- Verify the LUKS device was closed and the data is no longer available
sudo cryptsetup status backup.serv-offsite
- Done
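The status check from the steps above can gate a backup script so that it refuses to run unless the mapping is open with the parameters chosen at luksFormat. This is an added example, not the author's Python script; the function names `status_field` and `check_mapping`, the return codes, and the sample outputs are constructed for illustration.

```bash
#!/bin/sh
# Added example (not the author's script): gate a backup on `cryptsetup status`.
# Expected values mirror the luksFormat options used in this post.
WANT_CIPHER="aes-xts-plain64"
WANT_KEYSIZE="512 bits"

# Constructed sample outputs, modelled on the status output shown in this post.
SAMPLE_OPEN='/dev/mapper/backup.serv-offsite is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/sde
  mode:    read/write'
SAMPLE_CLOSED='/dev/mapper/backup.serv-offsite is inactive.'
SAMPLE_WEAK='/dev/mapper/backup.serv-offsite is active.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sde
  mode:    read/write'

# status_field KEY: print the value of one "key: value" line read from stdin.
status_field() {
    awk -v key="$1" '
        { sub(/^[ \t-]+/, "") }            # drop indentation or list dashes
        index($0, key ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# check_mapping NAME STATUS_TEXT
# Returns 0 = open with expected parameters, 1 = not open,
#         2 = open but type/cipher/key size/mode differ from what was formatted.
check_mapping() {
    name=$1; text=$2
    case "$(printf '%s\n' "$text" | sed -n '1p')" in
        *"/dev/mapper/$name is active"*) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s\n' "$text" | status_field type)" = "LUKS1" ] || return 2
    [ "$(printf '%s\n' "$text" | status_field cipher)" = "$WANT_CIPHER" ] || return 2
    [ "$(printf '%s\n' "$text" | status_field keysize)" = "$WANT_KEYSIZE" ] || return 2
    [ "$(printf '%s\n' "$text" | status_field mode)" = "read/write" ] || return 2
    return 0
}

# Real use: check_mapping backup.serv-offsite "$(sudo cryptsetup status backup.serv-offsite)"
for sample in "$SAMPLE_OPEN" "$SAMPLE_CLOSED" "$SAMPLE_WEAK"; do
    rc=0; check_mapping backup.serv-offsite "$sample" || rc=$?
    echo "check_mapping returned $rc"
done
```

A backup script should stop on any non-zero result; otherwise the copy can land in the empty /media/bkup.mserv directory on the unencrypted system disk.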