published on in GNU/Linux Security
tags: Cryptography LUKS cryptsetup rsync backup

Making secure backups in GNU/Linux with LUKS and rsync

In today’s post I’m going to explain how to securely back up your files using LUKS and rsync. Please, if you decide to follow the steps depicted here, remember that I’m not responsible for any loss of data that this may cause. Proceed with care: you can easily erase important information if you don’t know what you’re doing.

Let’s say that I want to back up my home directory to an external HDD, but I want the backup to be encrypted too. There are a couple of alternatives: VeraCrypt, or cryptsetup with LUKS. LUKS is the standard for disk encryption on Linux, and that is the main reason I have decided to go with it.

Creating and formatting your LUKS partition

First you need to create an empty partition on the external drive, for instance with gparted. Make it big enough for the data you want to back up, and keep in mind that the size of that data can, and probably will, be bigger in future backups.

Before we continue, please read the following. It’s important:

I’ll refer to this partition as /dev/sdb2 for simplicity; yours may or may not be the same one, so be extra careful if you copy and paste the commands written in this post directly, or you may be fucking up your device and erasing the very information you intend to back up. I must also warn you that the letter (a, b, c…) of each sd device may change after rebooting the machine, so each time you perform an operation directly on a partition or device, make sure that you are doing it on the right one. sudo fdisk -l and lsblk are your friends here. If you don’t quite grasp the concepts described in this paragraph, please find someone who can help you so you don’t fuck up your computer. You have been warned.

With that said, let’s continue.

If you want extra resilience against forensic analysis, you can fill the partition with random data before formatting it. This makes it impossible for an attacker to tell how much of the partition is actually occupied by backed-up data, because the unused part becomes indistinguishable from the encrypted part. It will take some time, so you can skip this step if it’s not necessary for your threat model:

shred --verbose --random-source=/dev/urandom --iterations=1 /dev/sdb2

Then, it’s time to format the partition with cryptsetup:

cryptsetup --verbose --cipher aes-xts-plain64 --key-size 256 --hash sha256 --iter-time 1000 --use-urandom luksFormat /dev/sdb2

These are the default values, except for the hash, which is more robust (SHA-256 instead of SHA-1). If you want to check the performance of each algorithm, run cryptsetup benchmark.

This step will ask you for a passphrase. Think of a good one and don’t lose it, or you will never be able to unlock the partition again.

After your LUKS partition has been created, it’s time to format it.

Unlock:

cryptsetup open --type luks /dev/sdb2 mybackup

Format:

mkfs.ext4 /dev/mapper/mybackup

Mount (the mount point /mnt/test-crypt has to exist; create it with mkdir first if needed):

mount -t ext4 /dev/mapper/mybackup /mnt/test-crypt

Change permissions, so that your own user can write to the new filesystem:

sudo chown youruser:youruser /mnt/test-crypt

Unmount:

sudo umount /mnt/test-crypt

Ease your backups

OK, so now you have an encrypted partition where you can put your data. But each time you want to perform a backup you need to unlock, mount, sync files, unmount and lock again. That is a lot of steps; let’s ease them.

First, find the UUID of the partition by typing ls -l /dev/disk/by-uuid/.

Each UUID points to a block device. We are interested in the one that points to our encrypted partition, /dev/sdb2. It should look like:

lrwxrwxrwx 1 root root 2 Feb  1 10:22 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -> ../../sdb2

Add the following line to /etc/crypttab, using the UUID you just found:

crypt_backup UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks,noauto

Also add the following line to /etc/fstab (the mount point /media/crypt_backup has to exist):

/dev/mapper/crypt_backup /media/crypt_backup ext4 defaults,noauto,user 0  0

Now you can use the following script to back up your files (those contained in your home directory, in this example). You may need to reboot first.

#!/bin/sh
# Every step is chained with &&, so each one runs only if the previous one succeeded:
# if the unlock or the mount fails, rsync never copies into the bare mount point
# directory on the root filesystem, and the partition is locked again only after a
# clean unmount.
udisksctl unlock -b /dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx && \
mount /media/crypt_backup && \
rsync -avP --delete-after /home/your-user/ /media/crypt_backup/name-of-your-backup/ && \
umount /media/crypt_backup && \
udisksctl lock -b /dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Run it each time you want to backup your files.
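A more defensive variant of that script, added here as an example (it is not the script from the post). It assumes the crypttab/fstab setup above, a file name of luks-backup.sh, a constructed placeholder UUID and a DRY_RUN variable; it checks the UUID and the rsync source before touching the disk, and always unmounts and locks again, even when rsync fails half-way.

```shell
#!/bin/sh
# Added example (not the post's own script): the same unlock/mount/rsync/
# unmount/lock flow with pre-flight checks and guaranteed cleanup.
# The UUID (constructed placeholder), paths and DRY_RUN switch are assumptions.
UUID="${UUID:-0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}"
MOUNTPOINT="${MOUNTPOINT:-/media/crypt_backup}"
SRC="${SRC:-/home/your-user/}"
DEST="${DEST:-name-of-your-backup}"

# Accept only an 8-4-4-4-12 lowercase hex UUID, so a typo or the x-placeholder
# left in place cannot hand udisksctl some other block device.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# rsync copies the contents of "dir/" but creates "dir" inside the target when
# the slash is missing; with --delete-after the wrong form wipes the previous
# backup. Require an existing directory given with the trailing slash.
src_ok() {
    case "$1" in
        */) [ -d "$1" ] ;;
        *)  return 1 ;;
    esac
}

# Every command that touches the disk goes through run(), so DRY_RUN=1 prints
# the plan instead of executing it.
run() {
    if [ -n "$DRY_RUN" ]; then echo "+ $*"; else "$@"; fi
}

# Runs on every exit path, so a failing rsync never leaves the partition
# mounted and unlocked.
cleanup() {
    run umount "$MOUNTPOINT" 2>/dev/null
    run udisksctl lock -b "/dev/disk/by-uuid/$UUID"
}

backup() {
    valid_uuid "$UUID" || { echo "refusing to run: bad UUID '$UUID'" >&2; return 2; }
    src_ok "$SRC" || { echo "refusing to run: SRC must be an existing directory ending in /" >&2; return 2; }
    trap cleanup EXIT
    run udisksctl unlock -b "/dev/disk/by-uuid/$UUID" || return 1
    run mount "$MOUNTPOINT" || return 1
    run rsync -avP --delete-after "$SRC" "$MOUNTPOINT/$DEST/"
}

# Only start when executed as luks-backup.sh (assumed file name); sourcing the
# file just defines the functions.
if [ "${0##*/}" = "luks-backup.sh" ]; then backup; fi
```

Run it as DRY_RUN=1 ./luks-backup.sh first to see the exact commands it would execute against your device before letting it touch the disk.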