encrypt usb hard drive for external backup

[raj]

Hi Team,

I run a backup to a usb hard drive that is rotated everyday and left offsite. Can anyone assist me on how to encrypt that usb drive so that if it misplaced, nobody could access any data on the drive. As the usb drive is swapped by local staff, I am looking for a way that when the new drive is put in, no password would be required to mount it for proxmox to access it.

This is the way the usb drive is automatically mounted
https://serverfault.com/questions/766506/automount-usb-drives-with-systemd

https://forum.proxmox.com/threads/backup-to-external-usb-drive.37133/

I am willing to pay £20 for a solution.

Rajbps

 

[guletz]

Hi,

As I understand (sorry for my english), you have several usb hdd's and you use them in a round-robin fashion for backup only? How many usb disks dou you have/use?

 

[raj]

Hi,

As I understand (sorry for my english), you have several usb hdd's and you use them in a round-robin fashion for backup only? How many usb disks dou you have/use?

Currently 2 usb drive which is swapped everyday. But looking in the furure to move to a drive for every day again thats in the far future.

 

[czechsys]

luks + keyfile on pve host.

 

[raj]

Can you advise on how to do it please. Sorry new to that part of using luks

 

[czechsys]

Can you advise on how to do it please. Sorry new to that part of using luks

https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption#Adding_LUKS_keys

 

[guletz]

Hi,

As a side note, because I have see many times broken USB-HDD I say that any HDD-USB backup it is not so good. Instead of this bad solution(but much better compared with nothing) a better solution will be to have a low-perfomance Desktop(4 GB RAM or more) with some rotational HDD(could be proxmox in the same PMX cluster or without cluster, with zfs). The advantages will be:
- you can test your backups with zfs scrub and with smartd(witch is impossible for some USB-HDD)
- you can have redundancy
- yours backups can be donne with zfs send-receive(with a pipe for encryption if you want)
- it will scale(now 2 HDD, after some time you can add more HDDs), and USB-HDD will not scale

If you can not get a desktop, you can use a raspberry 3.141 with 4 x USB_HDD and a old software like bacula(encryption, schedules, email alerting and many other). In any case I do not recomended any manual task for backup ... humans are less relaibale!!!

 

[guletz]

Can you advise on how to do it please. Sorry new to that part of using luks

Any LUKS tutorial must be understand, and I can tell that this is not something easy. You also need to test many catstrophic/bad scenarios to be sure that what YOU thinking / understend is the same in real world And belive me that in many cases the real world show me that I am a big .... full But I am very glad because the last time when I ckeck this problem, I have find that I am not ALONE ...

 

[raj]

• I would agree but this does not fix the issue of offsite backup. I have 3 backups running currently, one on usb which is saved in a fireproof save and that needs to be encrypted so in an event of loss or staff being malicious there is no information loss. Second backup on a synology box locallyt which is used in an even of a restore required and another option I am looking at also is cloud backup but that is still expensive compared to usb. But trust me I will not just rely on usb on its own.

 

[raj]

I also found this on the forum
https://forum.proxmox.com/threads/encrypt-backup.8494/

The only bit I am struggling is

#If you want to add a password that can also decrypt the volume:
cryptsetup luksAddKey /dev/sdj1 --key-file=/etc/util/keyfile

If anyone could assist on this bit please

Rajbps

 

[guletz]

Hi,

From man page:

luksAddKey <device> [<key file with new key>]

adds a new passphrase. An existing passphrase must be supplied interactively or via --key-file. The new passphrase to be added can be
specified interactively or read from the file given as positional argument.

<options> can be [--key-file, --keyfile-offset, --keyfile-size, --new-keyfile-offset, --new-keyfile-size, --key-slot, --master-key-file,
--iter-time, --force-password].

 

[raj]

Hiya, This is the bit I am struggling a bit. so as per the instructions,

First installl

apt-get install cryptsetup

Then create a keyfile

#Create a key file
dd if=/dev/urandom of=/etc/keyfile bs=1024 count=4
chmod 600 /etc/keyfile

Now create a partition on the new usb:

#Partition your disk
parted /dev/sdj
mklabel gpt
mkpart primary ext3 1 3000.00GB

Make new encrypted volume:
#Make the new encrypted volume:
cryptsetup luksFormat /dev/sdj1 /etc/keyfile

"/etc/keyfile" used the keyfile created from before.

Now this is the bit I am struggling

#If you want to add a password that can also decrypt the volume:
cryptsetup luksAddKey /dev/sdj1 --key-file=/etc/util/keyfile

Also if I create a file in /etc/util/keyfile

in the file keyfile i put the word password

Then when I try to run that it does not work and give the me the following


root@server:~# cryptsetup luksFormat /dev/sdb1 /etc/keyfile

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
root@server:~# chmod 600 /etc/util/keyfile
root@server:~# cryptsetup luksAddKey /dev/sdb1 --key-file=/etc/util/keyfile
No key available with this passphrase.

Also what the use of adding a password, is that to be able to mount this drive on another system please

Please advise.

Rajbps

 

[guletz]

cryptsetup luksAddKey /dev/sdb1 --key-file=/etc/util/keyfile

Run again like this:

cryptsetup luksAddKey /dev/sdb1 /etc/util/keyfile

- You will be asked to write your first password that you use when you have run "cryptsetup luksFormat /dev/sdb1 /etc/keyfile"

Also what the use of adding a password, is that to be able to mount this drive on another system please

Maybe you will have many different users, so each of them(maxim 8) can use a different password/key-file. Or mybe you forget/lost one passwd/key, so you can open your luks dev with another key that you have setup allready!

Good luck