Data backups are important. USB sticks with 256GB or more have become affordable, and are a good way for backups. I wanted mine to be encrypted. Since I usually dump my entire home directory to the backup medium (my new USB drive), indiscreet, or, let’s call it sensitive data like passwords and SSH keys will be readable to anyone who finds that drive.
Luks+Ext4
I first tried to format my USB drive with Luks+Ext4 as described in numerous guides. It can easily be done with Ubuntu’s Drives control.
In case you’re using Xubuntu, you need to install this very tool first.
sudo apt install gnome-disk-utility
To format the USB device with Luks I followed this guide and it’s really only a few clicks.
Anyway, I ran my rsync
script to backup data to the drive, and it was ridiculously slow. Sometimes rsync
would hang for 10-30 seconds, doing nothing.
Even after following this guide and remounting, speed only slightly increased. I have not investigated any further why this is, but a transfer rate of 1MB/sec would’ve taken me about 3 days to backup my home directory. This is – of course – unacceptable.
Encfs
My next attempt was to reformat the drive with Ext4, without encryption, and switch to encfs
, which is a user-space encryption without any kernel roundtrips. I remember that being acceptably fast to encrypt directories on my hard drive.
A brief and great tutorial about encfs is here.
I created the local mount point directory and the USB drive encrypted directory, first.
mkdir ~/SanBackupUnencrypted mkdir /media/nick/USBdrive/SanBackupENCRYPTED
You then need to mount the encrypted device. Hit p
when encfs
asks you about what mode.
encfs /media/nick/USBdrive/SanBackupENCRYPTED ~/SanBackupUnencrypted
This will create an encrypted file system on the USB drive in the SanBackupENCRYPTED
directory. After the backup, you can see a lot of random cryptic filenames and directories here – that’s encfs
doing its job.
Encfs with Rsync
To actually backup, I use the following command. Note how I write to the local SanBackupUnencrypted
directory, not to the USB drive directly. This will run the files through encfs
and encrypt them.
rsync --progress --update --recursive --times --exclude=.cache --exclude=*/.rvm/ --exclude=Dropbox --exclude=.dropbox-dist /home/nick /home/nick/SanBackupUnencrypted/
This encrypts the data on the USB drive.
Mount Again
Once unmounted and ejected, you need to remount it again for the next backup (hopefully not the restore) and punch in the password you picked earlier.
encfs /media/nick/USBdrive/SanBackupENCRYPTED ~/SanBackupUnencrypted
It’s still slow, but now I have a transfer rate of about 20MB/second, which is 20x faster than with Luks. If you know how to use Luks with a better speed, please let me know.
Luks itself is very, very fast if you use AES and have a AES-NI capable cpu. We notice only a very slight io delay compared to non-encrypted disks and almost no difference in throughput:
encfs is also known for its security flaws: https://en.wikipedia.org/wiki/EncFS#Disadvantages
LikeLike