The Best Three Linux Encryption and Backup Tools
Tuesday January 24, 2017
If the data you store on your server or other service is important to you, likely you’d prefer it not ending up in the hands of others. If so you should use the power of cryptography. There are many options to choose from whether you’re running Windows, Linux or BSD but we’ll be focusing on my favorite Linux based tools for now. You can choose from encrypting parts of your filesystem to encrypting an entire block device. Depending on what you prefer it’s relatively easy to do if you’re even a little familiar with Linux and can follow tutorials. It doesn’t require you to be a mathematician or cryptography expert.
As a sysadmin, here are my top Linux encryption and backup tools:
One of my personal favorites for filesystem encryption is EncFS. It allows you to easily setup encrypted directories which is incredibly useful for storing off-site backups on systems that you don’t necessarily trust.
For example, you could have plain-text website backups dumped to /backups and then setup EncFS to encrypt that data to /encrypted-backups. You’d then be able to use tools like rsync or rclone to move the data somewhere else, even onto a system that you don’t trust.
Keep in mind, if you don’t have a complex/strong password, your encrypted data is likely unsafe. In the event that you lose data on your local system, you could rsync/rclone the data from /encrypted-backups and mount it again via FUSE as long as youe the original password you encrypted the data with.
If you’re familiar with GPG, Duplicity is a great tool to use for encrypted remote/local compressed backups with many features. It’s meant to be a tool for backing up specified directories in increments to save space, but can also be used to perform full backups each time.
With Duplicity you’ll need to create a GPG key and protect it with a strong password. You can then use that key with Duplicity to encrypt and sign the backups. Just like with EncFS, you can use rsync, rclone or another tool to transfer the encrypted ups off-site. The best implementation of Duplicity that I’ve found is backupninja, allowing you to create multiple backup actions with an easy-to-use configuration.
Another option is to encrypt your entire block device with dm-crypt + LUKS. Using this tool, all of the data on the block device is encrypted and even someone with local access cannot decipher it.
There are few exceptions to this. For instance, if the attacker has your root password or can read from memory via a cold boot attack when the system is powered on, then it would be possible to either simply login or grab the encryption keys from memory. What’s neat about dm-crypt + LUKS is that you can also set it up remotely on your server if you have access to IPMI and you boot a recovery image.
Once setup, you can make it prompt you via SSH for a password when the server boots instead of having to type it in locally. LUKS only protects you completely from unauthorized local access when your system is powered off, which is likely what the attacker must do. It’s unlikely that your data can be deciphered if you have a strong password. If someone were to compromise your system while the encrypted volume is mounted, you are in trouble.