pi as an encrypted offsite back-up solution


8 posts
by henlij » Wed Feb 27, 2013 5:04 pm
I'm interested in setting up an offsite back-up of my most important files (family photos, videos, financial and legal docs, etc.). The total size is around 3TB. A friend of mine has offered to allow me to place a pi and external harddrive at his house. I don't know much about linux but I imagine it wouldn't be difficult to use SSH and rsync to get this done. I'm looking for advice as far as encrypting the backup though. I understand that using SSH would encrypt the traffic.

What I am unclear about would be the best method to ensure the data on the remote drive wouldn't be accessible to others, including my friend. Anyone doing something similar?
Posts: 4
Joined: Wed Feb 27, 2013 4:55 pm
by umputun » Thu Feb 28, 2013 1:37 am
encfs can help you.

something like:
Code: Select all
sudo apt-get install encfs
encfs /yourhdd/.crypt /yourhdd/secure
Posts: 2
Joined: Sun Jan 13, 2013 8:07 pm
by henlij » Thu Feb 28, 2013 3:57 am
Thanks for the response. Would this be a full disk encryption? When I run the following command, it asks me if I want to create a folder. Perhaps an encrypted folder is enough?

Code: Select all
encfs /mnt/usb/.crypt /mnt/usb/secure


I've never run linux before so this is all new. I'm pasting the results from df- l below if that helps show what I've done so far.

Code: Select all
Filesystem     1K-blocks    Used Available Use% Mounted on
rootfs           7380456 1465128   5597096  21% /
/dev/root        7380456 1465128   5597096  21% /
devtmpfs           86184       0     86184   0% /dev
tmpfs              18888     224     18664   2% /run
tmpfs               5120       0      5120   0% /run/lock
tmpfs              37760       0     37760   0% /run/shm
/dev/mmcblk0p1     57288   19008     38280  34% /boot
/dev/sda1      199099904    2560 199097344   1% /mnt/usb
Posts: 4
Joined: Wed Feb 27, 2013 4:55 pm
by technion » Thu Feb 28, 2013 5:20 am
I would urge you to think about how the encryption will help.
Say you have full disk encryption*. Your pi is up and running in a Bitlocker style configuration. You have some method of transferring data to that Pi.

That pi gets hacked. Everything gets downloaded. The encryption is so transparent to the attacker, he may not even notice it's there.

A similar logic applies to an encrypted folder or partition.

If your concern is that someone will physically pick up the pi and walk away with it, I'm sure you're not worried about them stealing the pi OS from the SD card - encrypting your data drive may well be a solution.

* Since a pi does not support TPM, any form of full disk encryption that does not rely on you entering a key at boot time will be very difficult, if not impossible.
Posts: 234
Joined: Sun Dec 02, 2012 9:49 am
by henlij » Thu Feb 28, 2013 5:46 am
Because I know so little, perhaps it's best to just ask others what to do when creating an offsite backup. Would it be better to pick up a large drive and get a safety deposit box at the bank and every couple weeks, pick up the drive, bring it home, sync it, and then bring it back. What do others do? I'm sorta lazy and cheap and would like to just have something setup that runs on its own.

I'm not worried about someone breaking into my friend's house and stealing the drive. I'd have to assume they'd be a layperson (like me!) without the know-how to get at the date. Hell, just having the drive formated in something other than NTFS or FAT32 would keep the data safe from most users. :-) I would assume anyone stealing my drive would just reformat it to use it.

There is nothing I have that would be worth someone spending any time trying to hack. Isn't sniffing SSH traffic a waste of time anyway? lots of questions here, lots of ignorance here....
Posts: 4
Joined: Wed Feb 27, 2013 4:55 pm
by tonyhughes » Thu Feb 28, 2013 6:58 am
My offsite backup is done via FTP to a dedicated storage host. All scripted from my Pi's and other machines.

I use http://www.thecloud.net.nz (disclosure: they provide me some sponsorship).
Baked Linux Mod http://www.geek101.co.nz/bakedlinuxmod

Easy install of Drupal, Wordpress, RazorCMS, Chyrp, Apache, Nginx, Lighttpd, firewall, Webmin, VNC, RDP, FTP servers, mailservers, MySQL, SQLite, Transmission and more...

tall.co.nz/webcam.jpg
User avatar
Posts: 931
Joined: Wed Dec 26, 2012 3:46 am
by Durazell » Thu Feb 28, 2013 8:45 am
If you expect high traffic (e.g. LAN 3mb/s) you should think of some bandwidth limiter. I had NFS for some time on my pi but pi crashed every time I transfered something large.
Posts: 31
Joined: Sun Aug 12, 2012 3:50 pm
Location: Finland
by henlij » Mon Mar 04, 2013 3:39 pm
Thanks for the suggestions. A buddy of mine helped me to get LUKS setup on the pi. Using luksformat, I was able to encrypt a 3TB external USB drive. I then used luksOpen to mount. I believe I have it setup correctly at the moment. Next step, figure out rsync!

Code: Select all
/dev/mapper/secure  2.7T  201M  2.6T   1% /mnt/secure
Posts: 4
Joined: Wed Feb 27, 2013 4:55 pm