encrypt usb hard drive for external backup

raj

Active Member
Sep 17, 2011
217
4
38
www.businessparksolutions.com
Hi Team,

I run a backup to a USB hard drive that is rotated every day and left offsite. Can anyone assist me on how to encrypt that USB drive so that if it is misplaced, nobody could access any data on the drive? As the USB drive is swapped by local staff, I am looking for a way that when the new drive is put in, no password would be required to mount it for Proxmox to access it.

This is the way the USB drive is automatically mounted:
https://serverfault.com/questions/766506/automount-usb-drives-with-systemd

https://forum.proxmox.com/threads/backup-to-external-usb-drive.37133/

I am willing to pay £20 for a solution.

Rajbps
 

guletz

Famous Member
Apr 19, 2017
1,581
255
103
Brasov, Romania
Hi,

As I understand (sorry for my English), you have several USB HDDs and you use them in a round-robin fashion for backup only? How many USB disks do you have/use?
 

raj

> Hi,
>
> As I understand (sorry for my English), you have several USB HDDs and you use them in a round-robin fashion for backup only? How many USB disks do you have/use?

Currently 2 USB drives, which are swapped every day. But I am looking in the future to move to a drive for every day; again, that's in the far future.
 

guletz

Hi,

As a side note, because I have seen broken USB HDDs many times, I say that any USB-HDD backup is not so good. Instead of this bad solution (but much better compared with nothing), a better solution would be to have a low-performance desktop (4 GB RAM or more) with some rotational HDDs (could be Proxmox in the same PMX cluster or without a cluster, with ZFS). The advantages will be:
- you can test your backups with zfs scrub and with smartd (which is impossible for some USB HDDs)
- you can have redundancy
- your backups can be done with zfs send-receive (with a pipe for encryption if you want)
- it will scale (now 2 HDDs, after some time you can add more HDDs), and USB HDDs will not scale

If you cannot get a desktop, you can use a raspberry 3.141 with 4 x USB HDD and an old software like bacula (encryption, schedules, email alerting and many others). In any case, I do not recommend any manual task for backup ... humans are less reliable!!!
 

guletz

> Can you advise on how to do it, please? Sorry, new to that part of using LUKS.

Any LUKS tutorial must be understood, and I can tell you that this is not something easy. You also need to test many catastrophic/bad scenarios to be sure that what YOU think / understand is the same in the real world :) And believe me that in many cases the real world shows me that I am a big .... full ;) But I am very glad because the last time I checked this problem, I found that I am not ALONE ... ;)
 

raj

I would agree, but this does not fix the issue of offsite backup. I have 3 backups running currently: one on USB, which is saved in a fireproof safe and needs to be encrypted so that in the event of loss or staff being malicious there is no information loss. The second backup is on a Synology box locally, which is used in the event of a restore being required, and another option I am also looking at is cloud backup, but that is still expensive compared to USB. But trust me, I will not just rely on USB on its own. :)
 

guletz

Hi,

From man page:

luksAddKey <device> [<key file with new key>]

adds a new passphrase. An existing passphrase must be supplied interactively or via --key-file. The new passphrase to be added can be
specified interactively or read from the file given as positional argument.

<options> can be [--key-file, --keyfile-offset, --keyfile-size, --new-keyfile-offset, --new-keyfile-size, --key-slot, --master-key-file,
--iter-time, --force-password].
 

raj

Hiya, this is the bit I am struggling with a bit. So, as per the instructions,

First install

apt-get install cryptsetup

Then create a keyfile

#Create a key file
dd if=/dev/urandom of=/etc/keyfile bs=1024 count=4
chmod 600 /etc/keyfile

Now create a partition on the new usb:

#Partition your disk
parted /dev/sdj
mklabel gpt
mkpart primary ext3 1 3000.00GB

Make new encrypted volume:
#Make the new encrypted volume:
cryptsetup luksFormat /dev/sdj1 /etc/keyfile

"/etc/keyfile" used the keyfile created from before.

Now this is the bit I am struggling with

#If you want to add a password that can also decrypt the volume:
cryptsetup luksAddKey /dev/sdj1 --key-file=/etc/util/keyfile

Also, if I create a file in /etc/util/keyfile

in the file keyfile I put the word password

Then when I try to run that, it does not work and gives me the following


root@server:~# cryptsetup luksFormat /dev/sdb1 /etc/keyfile

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
root@server:~# chmod 600 /etc/util/keyfile
root@server:~# cryptsetup luksAddKey /dev/sdb1 --key-file=/etc/util/keyfile
No key available with this passphrase.

Also, what is the use of adding a password? Is that to be able to mount this drive on another system, please?

Please advise.

Rajbps
 

guletz

> cryptsetup luksAddKey /dev/sdb1 --key-file=/etc/util/keyfile


Run again like this:
Code:
cryptsetup luksAddKey /dev/sdb1 /etc/util/keyfile
- You will be asked to write your first password that you used when you ran "cryptsetup luksFormat /dev/sdb1 /etc/keyfile"

> Also, what is the use of adding a password? Is that to be able to mount this drive on another system, please?

Maybe you will have many different users, so each of them (maximum 8) can use a different password/key file. Or maybe you forget/lose one password/key, so you can open your LUKS device with another key that you have already set up!

Good luck
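
An added example, not part of any post in this thread: per the man page excerpt quoted above, `--key-file` supplies an existing key and the positional argument to `luksAddKey` is the new one. The functions below reproduce the failing call and the working one on a scratch image file; the file names under the scratch directory and the recovery passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example. Runs against a scratch image file, never a real disk.
# File names under "$1" and the passphrase are constructed for the demo.
RECOVERY_PASS='constructed-recovery-passphrase'

# Build a 32 MiB image, a random 4 KiB key file (as in the thread) and a
# recovery passphrase file, then format the image with the key file.
make_demo_volume() {
    dd if=/dev/zero of="$1/usb.img" bs=1M count=32 2>/dev/null || return 1
    ( umask 077
      dd if=/dev/urandom of="$1/keyfile" bs=1024 count=4 2>/dev/null
      # printf without '\n': a key file is used byte for byte, so a trailing
      # newline would become part of the key and typing the word would fail.
      printf '%s' "$RECOVERY_PASS" > "$1/recovery" ) || return 1
    cryptsetup luksFormat --batch-mode "$1/usb.img" "$1/keyfile"
}

# The failing call from the thread: --key-file must name a key that is
# ALREADY enrolled; here it points at the new one, so unlocking fails.
add_key_wrong() {
    cryptsetup luksAddKey "$1/usb.img" --key-file="$1/recovery" \
        </dev/null 2>/dev/null
}

# Existing key via --key-file, new key as the positional argument.
add_key_right() {
    cryptsetup luksAddKey "$1/usb.img" "$1/recovery" --key-file="$1/keyfile"
}

# Succeeds if the key file unlocks the volume; no mapping is created.
unlocks_with_file() {
    cryptsetup open --test-passphrase --key-file="$2" "$1/usb.img" 2>/dev/null
}

# Same check for a passphrase entered at the prompt (read up to newline).
unlocks_when_typed() {
    printf '%s\n' "$2" |
        cryptsetup open --test-passphrase "$1/usb.img" 2>/dev/null
}
```

Run the functions in order against a scratch directory, for example `d=$(mktemp -d)`.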
 
