I’ve been looking for ways to securely back up my encrypted partitions – what’s the point of having a secure place for your data if the backups are in plain text?!
So instead of having another encrypted partition for backup, say on another machine or disk, I thought I’d use GnuPG 2 to encrypt and sign my backups.
The commands would be:

    tar -cf directory.tar directory/
    gpg2 -ser myuser directory.tar

However, I found a nice little utility called Seahorse, which has Nautilus integration that allows you to right-click a directory; it then tar+bzip2’s (or zips, whatever), encrypts and signs it in one operation, so you go straight from directory/ to directory.tar.pgp. It also does things like SSH key management, GPG signature checking etc.
So now I can include the encrypted data with my normal unencrypted rsync backup regimen, as data that is important enough to be encrypted is definitely important enough to be backed up!
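The tar and gpg2 steps above can also be joined into one pipeline, so the plaintext directory.tar is never written to disk and a failed run leaves no half-written backup behind. This is an added example, not the author's own script; the function names, the GPG override variable and the .tar.gpg suffix are assumptions.

```bash
#!/usr/bin/env bash
# Added example: stream tar into gpg2 instead of writing directory.tar first.
set -eu
# Make a tar failure fail the whole pipeline where the shell supports it.
(set -o pipefail) 2>/dev/null && set -o pipefail

GPG="${GPG:-gpg2}"   # assumption: binary name as used in the post; overridable

# backup_dir <directory> <recipient> <output-dir>
# Writes <output-dir>/<name>.tar.gpg, signed and encrypted to <recipient>,
# and prints the path of the finished file.
backup_dir() {
    local src="${1%/}" recipient="$2" outdir="$3"
    local name out tmp
    name="$(basename "$src")"
    out="$outdir/$name.tar.gpg"
    # mktemp creates the file with mode 0600 in the destination directory,
    # so the final mv is an atomic rename on the same filesystem.
    tmp="$(mktemp "$outdir/.$name.XXXXXX")"
    # -C stores paths relative to the parent, not absolute paths.
    if tar -C "$(dirname "$src")" -cf - "$name" \
        | "$GPG" --sign --encrypt --recipient "$recipient" > "$tmp"; then
        mv "$tmp" "$out"
        printf '%s\n' "$out"
    else
        rm -f "$tmp"   # never leave a truncated backup that looks valid
        return 1
    fi
}

# verify_backup <file>
# Decrypts the backup and lists the archive members without extracting them.
# gpg reports the signature status on stderr while decrypting.
verify_backup() {
    "$GPG" --decrypt "$1" | tar -tf -
}

# Usage (needs your own key pair in the keyring):
#   backup_dir directory/ myuser /backups
#   verify_backup /backups/directory.tar.gpg
```

Running verify_backup after each backup confirms that the file decrypts with the key you actually hold before you rely on it.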
I’ve also set up sudo and SSH keys allowing me to rsync privileged files from one machine on the LAN (desktop) to another (fileserver). I found that to allow the SSH keyserver to forward your keystore to another user, i.e. to the root user when using sudo, you have to add the following to /etc/sudoers:

    Defaults env_keep += "SSH_AUTH_SOCK"
    myuser ALL=NOPASSWD:/usr/bin/rsync

Then to do the backup as root, but using your unprivileged user’s SSH key, as we don’t allow root SSH, you run the rsync command (over SSH, not rsync protocol) like this, for backing up /etc:

    sudo rsync -ae "ssh -i /home/myuser/.ssh/id_rsa" \
        --rsync-path="sudo rsync" firstname.lastname@example.org:/etc/ /backups/etc/

Of course you’ve then got the problem of how to back up your GPG/SSH private keys, without which you couldn’t decrypt the backups, or run the rsync. I guess they’re safe to be backed up unencrypted as they have good passphrases, and are already encrypted themselves.