This is the scenario. I have a local server in the office that I want to back up programmatically (via a bash script) everyday to an external hard disk that I will bring home.
The data in the hard disk must be encrypted.
I can see three viable solutions for that and I am here to ask your opinions about which one will work best for my case.
solution 1: encrypt each and every file via the backup script before copying it on the hard disk
solution 2: encrypt the entire volume on the HD
solution 3: buy an external hard drive that offers hardware encryption
My goals are:
* the solution should be easy to implement
* I need to be able to copy the entire backup to HD without human intervention (only using a script)
* I need to be able to read the backup on the HD programmatically (there shouldn't be any human entering the password)
* decrypting the files should be fairly quick
* the backup written on HD must be as reliable as possible
Thanks in advance, Daniele
I would suggest using TrueCrypt. You would create one large "container" file on the external hard drive. This file is actually an encrypted hard drive image that can be mounted under /mnt/ (for example).
To back it up, you would unmount the TrueCrypt volume and then simply back up the container file.
TrueCrypt is very robust. We have used it for years on very large file systems. You can also use its command-line program to script it, too.
To evaluate your solutions:
Solution 1: Leaks lots of information about the data on the HD (file names and sizes...)
Solution 2: Requires an encrypted FS and kernel modules in both ends. Handling fully encrypted disks is typically not that fun.
Solution 3: You don't know how good the cypher you buy is. Good cypher is expensive and the HW implementations for HD are often terribly broken and/or slow. You can't copy out the backup without a password (breaks one of your requirements).
My suggestion would be to use dm-crypt or Truecrypt and create a disk image for loop-back mounting. When saving data to the image you will have to enter your password, but you can copy out the file without using a password. You will need a password to decrypt the backup however.
dm-crypt should, on any modern hardware, be faster than your HD.
I would definitely recommend TrueCrypt as well. Version 7 has just come out which vastly speeds up encryption time. You can also create a Travellers Disk. This basically encrypts the disk but allows it to be used on any PC regardless of whether they have truecrypt installed. Very handy. This can be set to manually mount or auto-mount the encrpyted disk depending on you preference.