Off-Site Backup Part 2 – Security

Overview

The second part to off site backup goes into the tools. For the concept and background to this please see 

Physical

The first consideration was security, and you have to remember both the physical and the logical security required. Start with the place where you're leaving the physical drive.

Does it need to be in a bank vault, or is leaving it on a shelf at a friend's place OK? These are probably the 2 extremes and most people would probably fall somewhere in the middle. Some deterrent is good to have, so I use an old suitcase that has a combination lock on it. It's not bulletproof but it stops opportunists from simply accessing the drive. Another element is knowing when it's been tampered with (hopefully).

Software

Logical security is another layer protecting the data on the drive. Fortunately, Windows, Linux and Mac include encryption software for drives. I believe those are tied to the operating system (OS), so in order to restore those backups you'll need, for example, Mac or Windows to decrypt the drive again. Being able to access the backup from a different OS would also be useful in case you no longer have the same device.

Personally, I use 2 main OSes: Windows and Linux. A bonus would be using Android when needed, but that's a topic for another day. I went with TrueCrypt and have now switched to VeraCrypt. The software is cross-platform, although I have shamefully not tested that yet, but the option is there.

VeraCrypt

VeraCrypt on Windows has a user interface to create and manage encrypted volumes. How to create an encrypted volume is beyond the scope of this post and more details can be found online such as here.

There’s a PPA to install on Ubuntu / Debian here. It mounts drives, including NTFS partitions, and is able to access the files. I can’t confirm the stability though.

Favourites

Set up favourite disks so they can easily be mounted using shortcuts (see below). To do so, mount the volume or drive as per normal in VeraCrypt.

Then go to the Favorites > Add Mounted Volume To Favourites… menu. Add a label to make it easier to recognise; all other options are optional.

Shortcuts

The drives are manually unlocked and locked. I see this as a possible security hole if the drive is unlocked for long periods of time so I only unlock it when I backup and relock it when it’s done. To make this as easy as possible I have shortcut keys to do both. When the encrypted volume is mounted to a drive letter, the backup software sees this and starts the file copy process automatically. I haven’t been able to find a way to automatically unmount the drive once the jobs have completed so there’s another shortcut key for that too.

A shortcut to mount favourite volumes can be created by using the /auto favorites /quit parameters. If VeraCrypt was installed in the Windows default location then it may look something like this:

@ "C:\Program Files\VeraCrypt\VeraCrypt.exe" /auto favorites /quit

@ "C:\Program Files\VeraCrypt\VeraCrypt.exe" is the VeraCrypt program (the leading @ stops the batch file from echoing the command).
/auto favorites automatically mounts the favourites.
/quit exits once the mount is done, so the command line window closes.

Put the above text into a text file and save it as .bat file.

To unmount all mounted and unlocked volumes, use the /d parameter without a drive letter:

@ "C:\Program Files\VeraCrypt\VeraCrypt.exe" /d /quit

Examples can be found and downloaded here.
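The Shortcuts section notes that the volume should only be unlocked while the backup runs and that no automatic unmount was found. The following PowerShell script is an added example, not the author's own: it wraps mount, copy and dismount in one run so the dismount happens even if the copy fails. The drive letter, the source and target folders, the Wait-ForDrive helper and the use of robocopy as a stand-in for the backup software are all assumptions.

```powershell
# Added example (not from the original post). Assumed values are marked.
$VeraCrypt = 'C:\Program Files\VeraCrypt\VeraCrypt.exe'   # default install path from the post
$Drive     = 'X:'                            # assumption: letter the favourite volume mounts to
$Source    = "$env:USERPROFILE\Documents"    # assumption: folder to back up
$Target    = "$Drive\Backup\Documents"       # assumption: folder on the encrypted volume

# Hypothetical helper: returns $true once the drive letter appears, $false on timeout.
function Wait-ForDrive {
    param([string]$Letter, [int]$TimeoutSeconds = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (Test-Path -LiteralPath "$Letter\") { return $true }
        Start-Sleep -Seconds 2
    }
    return $false
}

try {
    # Mount the favourites. VeraCrypt prompts for the password itself,
    # so no secret is stored in this file or passed on the command line.
    Start-Process -FilePath $VeraCrypt -ArgumentList '/auto', 'favorites', '/quit' -Wait

    if (-not (Wait-ForDrive -Letter $Drive)) {
        throw "Volume did not appear at $Drive, nothing was copied."
    }

    # Stand-in for the backup job: /E copies subfolders, /R and /W limit retries.
    robocopy $Source $Target /E /R:2 /W:5
    # robocopy exit codes of 8 or higher mean at least one copy failure.
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy reported failures (exit code $LASTEXITCODE)."
    }
}
finally {
    # Runs on success and on error, so the volume is not left unlocked.
    # As in the post, /d without a drive letter dismounts all mounted volumes.
    Start-Process -FilePath $VeraCrypt -ArgumentList '/d', '/quit' -Wait
    if (Test-Path -LiteralPath "$Drive\") {
        Write-Warning "$Drive is still mounted (files may be open). Dismount it manually."
    }
}
```

If backup software that starts on its own when the drive letter appears is kept instead of robocopy, the script would need some signal that the job has finished before the dismount step runs.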

Summary

All these functions help to make the security aspects of the off site backup as easy as possible. Reducing the impediments or friction to backing up is key to making sure backups are run as often as possible, with as little excuse for not doing them. Similar to exercise…

VeraCrypt
VeraCrypt Command Line Usage

About Danny

I.T. software professional, always studying and applying the knowledge gained; one way of doing this is to blog. Danny also participates in a part-time project called Energy@Home [http://code.google.com/p/energyathome/] for monitoring energy usage on a premises. Dedicated to I.T. since studying pure Information Technology from the age of 16, Danny Tsang is working in the field that he has aimed for since leaving school.
