Off-Site Backup Part 2 – Security
Overview
The second part to off site backup goes into the tools. For the concept and background to this please see
Physical
First consideration was security. You have to remember the physical and logical security required. For starters the place you’re leaving the physical drive.
Does it need to be in a bank vault or leaving it on a shelf at a friends place ok? These are probably the 2 extremes and most people would probably fall into the middle. Some deterrent is good to have so I use an old suitcase that has a combination lock on it. It’s not bullet proof but stops opportunists from simply access the drive. Another element is knowing when it’s been tampered with (hopefully).
Software
The logical security is another layer to data on the drive. Fortunately, Windows, Linux and Mac include encryption software for drives. I believe those are tied to the Operating System(OS) so in order to restore those backups, you’ll need Mac or Windows to decrypt the drive again for example. Also accessing the backup using a different OS would be useful in case you no longer have the same device anymore.
Personally, I use 2 main OSes: Windows and Linux. A bonus would be using Android when needed but that’s a topic for another day. I went with TrueCrypt and now switched to VeraCrupt. The software is cross platform although I have shamefully not tested that yet but the option is there.
VeraCrypt
VeraCrypt on Windows has a user interface to create and manage encryption volumes. How to create an encrypted volume is beyond this post and more details can be found online such as here.
There’s a PPA to install on Ubuntu / Debian here. It mounts drives including NTFS partition and able to access the files. I can’t confirm the stability though.
Favourites
Set up favourite disks so they can be easily be mounted using shortcuts (see below). To do so, mount the volume or drive as per normal in veracrypt.
The go to Favorites > Add Mounted Volume To Favourites… menu. Add a label to make it easier to recognise but all other options are optional.
Shortcuts
The drives are manually unlocked and locked. I see this as a possible security hole if the drive is unlocked for long periods of time so I only unlock it when I backup and relock it when it’s done. To make this as easy as possible I have shortcut keys to do both. When the encrypted volume is mounted to a drive letter, the backup software sees this and starts the file copy process automatically. I haven’t been able to find a way to automatically unmount the drive once the jobs have completed so there’s another shortcut key for that too.
A shortcut to mounting favorited volumes can be created by using /auto favorites /quit parameters. If VeraCrypt was installed in the windows default location then it may look something like this:
@ "C:\Program Files\VeraCrypt\VeraCrypt.exe" /auto favorites /quit
@ “C:\Program Files\VeraCrypt\VeraCrypt.exe” is the VeraCrypt program.
/auto favorites automatically mount favorites
/quit exit command line window
Put the above text into a text file and save it as .bat file.
To unmount all mounted and unlocked volumes this can be achieved using /d parameter so:
@ "C:\Program Files\VeraCrypt\VeraCrypt.exe" /d /quit.
Examples can be found and downloaded here.
Summary
All the functions help to make security aspects of the off site back as easy as possible. Reducing the impediments or friction to backup is key to making sure backups are run as often as possible with as little excuse for not doing. Similar to exercise…
VeraCrypt
VeraCrypt Command Line Usage
