Hard-drive Backups to USB drives using Encryption, on Ubuntu

Posted in Uncategorized

Data backups are important. USB sticks with 256GB or more have become affordable, and are a good way for backups. I wanted mine to be encrypted. Since I usually dump my entire home directory to the backup medium (my new USB drive), indiscreet, or, let’s call it sensitive data like passwords and SSH keys will be readable to anyone who finds that drive.

Luks+Ext4

I first tried to format my USB drive with Luks+Ext4 as described in numerous guides. It can easily be done with Ubuntu’s Drives control.

In case you’re using Xubuntu, you need to install this very tool first.

sudo apt install gnome-disk-utility

To format the USB device with Luks I followed this guide and it’s really only a few clicks.

Anyway, I ran my rsync script to backup data to the drive, and it was ridiculously slow. Sometimes rsync would hang for 10-30 seconds, doing nothing.

Even after following this guide and remounting, speed only slightly increased. I have not investigated any further why this is, but a transfer rate of 1MB/sec would’ve taken me about 3 days to backup my home directory. This is – of course – unacceptable.

Encfs

My next attempt was to reformat the drive with Ext4, without encryption, and switch to encfs, which is a user-space encryption without any kernel roundtrips. I remember that being acceptably fast to encrypt directories on my hard drive.

A brief and great tutorial about encfs is here.

I created the local mount point directory and the USB drive encrypted directory, first.

mkdir ~/SanBackupUnencrypted
mkdir /media/nick/USBdrive/SanBackupENCRYPTED

You then need to mount the encrypted device. Hit p when encfs asks you about what mode.

encfs /media/nick/USBdrive/SanBackupENCRYPTED ~/SanBackupUnencrypted

This will create an encrypted file system on the USB drive in the SanBackupENCRYPTED directory. After the backup, you can see a lot of random cryptic filenames and directories here – that’s encfs doing its job.

Encfs with Rsync

To actually backup, I use the following command. Note how I write to the local SanBackupUnencrypted directory, not to the USB drive directly. This will run the files through encfs and encrypt them.

rsync --progress  --update --recursive --times --exclude=.cache --exclude=*/.rvm/ --exclude=Dropbox --exclude=.dropbox-dist /home/nick /home/nick/SanBackupUnencrypted/

This encrypts the data on the USB drive.

Mount Again

Once unmounted and ejected, you need to remount it again for the next backup (hopefully not the restore) and punch in the password you picked earlier.

encfs /media/nick/USBdrive/SanBackupENCRYPTED ~/SanBackupUnencrypted

It’s still slow, but now I have a transfer rate of about 20MB/second, which is 20x faster than with Luks. If you know how to use Luks with a better speed, please let me know.

Published by apotonick

One thought on “Hard-drive Backups to USB drives using Encryption, on Ubuntu

  1. Luks itself is very, very fast if you use AES and have a AES-NI capable cpu. We notice only a very slight io delay compared to non-encrypted disks and almost no difference in throughput:

    root@localhost ~ > grep -ci aes /proc/cpuinfo
8

root@localhost ~ > dd if=/dev/mapper/sda4-decrypted bs=1M count=1024 skip=2048 of=/dev/null
1024+0 Datensätze ein
1024+0 Datensätze aus
1073741824 Bytes (1,1 GB) kopiert, 4,94782 s, 217 MB/s

    encfs is also known for its security flaws: https://en.wikipedia.org/wiki/EncFS#Disadvantages

    Like

    Reply

Leave a comment