Comment on Storing encryption keys for backup drives
irmadlad@lemmy.world 5 days ago
For the backup disks I want full disk encryption
I encrypt everything.
I have a repository set up with all my keys for all my encrypted drives. The keys get rar’d with a strong, known, 50 character password, and the filenames encrypted so no one can just open the rar file and gaze at the keys.
- drive_xxxxx1_2_14_26.rar
- drive_xxxxx2_2_14_26.rar
- drive_xxxxx3_2_14_26.rar
These get backed up in a 3,2,1 schema, and also to thumb drives stored in secure places. I also rotate the passwords on a regular basis, so the process starts all over again.
- Check keys:
sudo cryptsetup luksDump /dev/sdX - Add new key:
sudo cryptsetup luksAddKey /dev/sdX - Delete old key:
sudo cryptsetup luksRemoveKey /dev/sdX - Verify keys:
sudo cryptsetup luksDump /dev/sdX
The headers are not secret. Anyone with physical, read access to the device can run luksDump. It reveals algorithm, key derivation parameters, number of keys, but not the passphrase or master key.
As far as ‘best practice’, that will be determined by subsequent replies to your post. LOL That’s just how I do it.
ki9@lemmy.gf4.pw 5 days ago
You can dettach your headers with
–header.I’ve started putting the header and key on my boot partition on a USB key. Without the usb, the hard drives appear to be filled only with random data (plausible deniability). After booting, the USB can be removed to prepare for a panic shutdown.
irmadlad@lemmy.world 5 days ago
I did not know this. That would seem, abiding by your system, to be more secure. I will have to investigate.
Thanks for sharing.