Backup on an unsafe Target

The easy way... Situation: you want to have a backup of your confidential data away from home, on a server not under your control, if your home system is no longer available (crash, theft, fire...)

Solution

Let's assume, you have an encrypted partition containing classified information and you want to back it up.

Now you've made an agreement with a friend (or a branch office of your company or... any server not under your control). You have a server in your basement an he also has one at his site. He offers you an amount of disk space on his server over VPN for your needs (and you may offer him the same).

Now you might create an encrypted partition there, copy your data on it and no intruder or burglar could ever read it.

But while a backup is running (or you are reading from it), you would have to mount it somewhere on your friend's server. During that time, your friend, being an administrator there, could read it and might get access to details you don't want to share, not even with your friend.

The better solution

My solution is to initially copy the encrypted partition to a file on the remote system, using e.g.

dd if=/dev/sdb2 of=/mountpoint/of/remote/directory/sdb2.raw bs=64k

The copy may take quite some time (depending on the size of your partition and the bandwith of both endpoints), but it is worth while.

Maybe the use of an USB stick (or another fast media) can speed up this initial step.

So, not hard to guess, the encrypted volume should not be unnecessarily big, but for the following the size does not really matter.

You do not need shell access to the remote system for this what makes it easier for your friend. SMB or NFS access is enough, just like for any other user of his system.

I created this partition using something like

cryptsetup luksFormat /dev/sdb2
cryptsetup open /dev/sdb2 s2
mkfs.ext4 /dev/mapper/s2
mount /dev/mapper/s2 /your/mountpoint
and began populating it...

Then you can mount this file using cryptoloop, just like a partition, via VPN on your system, do a simple rsync backup and no unencrypted data will ever be visible on the remote system.

mount -t cifs -o user=myname //server/share/ /backupdisk
cryptsetup open /backupdisk/.../sdb2.raw s2
mount /dev/mapper/s2 /some/local/dir
rsync...

This will work quite fast even if the filesize is measured in terabytes!

But make sure to keep the necessary credentials even if your home and everything in it is lost...