Backup on an unsafe Target
The easy way... Situation: you want to have a backup of your confidential data away from home, on a server not under your control, if your home system is no longer available (crash, theft, fire...)
Solution
Let's assume, you have an encrypted partition containing classified information and you want to back it up.
Now you've made an agreement with a friend (or a branch office of your company or... any server not under your control). You have a server in your basement an he also has one at his site. He offers you an amount of disk space on his server over VPN for your needs (and you may offer him the same).
Now you might create an encrypted partition there, copy your data on it and no intruder or burglar could ever read it.
But while a backup is running (or you are reading from it), you would have to mount it somewhere on your friend's server. During that time, your friend, being an administrator there, could read it and might get access to details you don't want to share, not even with your friend.
The better solution
My solution is to initially copy the encrypted partition to a file on the remote system, using e.g.
The copy may take quite some time (depending on the size of your partition and the bandwith of both endpoints), but it is worth while.
Maybe the use of an USB stick (or another fast media) can speed up this initial step.
So, not hard to guess, the encrypted volume should not be unnecessarily big, but for the following the size does not really matter.
You do not need shell access to the remote system for this what makes it easier for your friend. SMB or NFS access is enough, just like for any other user of his system.
I created this partition using something like
cryptsetup open /dev/sdb2 s2
mkfs.ext4 /dev/mapper/s2
mount /dev/mapper/s2 /your/mountpoint
Then you can mount this file using cryptoloop, just like a partition, via VPN on your system, do a simple rsync backup and no unencrypted data will ever be visible on the remote system.
cryptsetup open /backupdisk/.../sdb2.raw s2
mount /dev/mapper/s2 /some/local/dir
rsync...
This will work quite fast even if the filesize is measured in terabytes!
But make sure to keep the necessary credentials even if your home and everything in it is lost...