I’m planning to set up backups on my NAS following the 3-2-1 backup rule.

For the backup disks I want full disk encryption, but I also want to be really sure that I don’t lose the encryption keys if I lose my phone and computer where I have my password manager.

What is a good practice to store the encryption key(s)?

One thought I had was to have an unencrypted partition on the backup disks that stores an encrypted KeePass database with the key.

Any tips or experiences are welcome.

PS. I want to avoid cloud-based options.

  • bacon_pdp@lemmy.world · 3 upvotes · 11 hours ago

    Buy a physical safe. Encrypt a flash drive using a 128-bit passphrase that you memorize.

    Combine with a YubiKey storing a 256-bit password that is stored somewhere hard to get to.

  • irmadlad@lemmy.world · 3 upvotes · 14 hours ago

    For the backup disks I want full disk encryption

    I encrypt everything.

    I have a repository set up with all my keys for all my encrypted drives. The keys get rar’d with a strong, known, 50-character password, and the filenames encrypted so no one can just open the rar file and gaze at the keys.

    • drive_xxxxx1_2_14_26.rar
    • drive_xxxxx2_2_14_26.rar
    • drive_xxxxx3_2_14_26.rar

    These get backed up in a 3-2-1 scheme, and also to thumb drives stored in secure places. I also rotate the passwords on a regular basis, so the process starts all over again.

    • Check keys: sudo cryptsetup luksDump /dev/sdX
    • Add new key: sudo cryptsetup luksAddKey /dev/sdX
    • Delete old key: sudo cryptsetup luksRemoveKey /dev/sdX
    • Verify keys: sudo cryptsetup luksDump /dev/sdX

    The headers are not secret. Anyone with physical, read access to the device can run luksDump. It reveals algorithm, key derivation parameters, number of keys, but not the passphrase or master key.

    As far as ‘best practice’, that will be determined by subsequent replies to your post. LOL, that’s just how I do it.
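The luksDump / luksAddKey / luksRemoveKey sequence from the reply above, written out as a script that does the steps in the only order that cannot lock you out: back up the header, add the new key, prove the new key unlocks the device, and only then remove the old one. This is an added example, not code from the thread or from the cryptsetup project. It assumes cryptsetup (LUKS2), losetup and coreutils are installed and that it runs as root; the function names (luks_active_slots, luks_key_works, add_keyfile_slot, rotate_luks_key) and the demo passphrases are invented here, and the demo works on a throwaway loopback image rather than a real disk. It also adds a second slot unlocked by a random keyfile, which is how LUKS lets a memorised passphrase and a keyfile on a thumb drive in a safe (the set-up the OP and the first reply are circling) sit side by side on the same volume.

```shell
#!/bin/sh
# Added example, not code from the thread or from the cryptsetup project.
# Assumes: cryptsetup (LUKS2), losetup and coreutils installed; runs as root.
# The demo uses a throwaway 32 MiB loopback image; to use this on a real disk,
# pass /dev/sdX to the functions yourself rather than editing demo().
set -eu

# Count enabled key slots. LUKS2 luksDump lists each slot as "  N: luks2"
# under "Keyslots:"; LUKS1 prints "Key Slot N: ENABLED".
luks_active_slots() {
    cryptsetup luksDump "$1" |
        grep -cE '^[[:space:]]+[0-9]+: luks2|^Key Slot [0-9]+: ENABLED' || true
}

# Prove a key unlocks the device without mapping it (no dm device is created).
luks_key_works() {
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# Add a slot unlocked by a random 64-byte keyfile. Keep that file offline
# (thumb drive in a safe); the passphrase slot is the one you memorise.
add_keyfile_slot() {
    dev=$1 existing=$2 keyfile=$3
    (umask 077; head -c 64 /dev/urandom > "$keyfile")
    cryptsetup luksAddKey --key-file "$existing" "$dev" "$keyfile"
}

# Rotate a passphrase in the order that cannot lock you out:
# header backup -> add new key -> verify new key -> remove old key.
# luksRemoveKey will delete the last working slot if asked, so step 3 matters.
rotate_luks_key() {
    dev=$1 oldkey=$2 newkey=$3 hdr=$4
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$hdr"
    cryptsetup luksAddKey --key-file "$oldkey" "$dev" "$newkey"
    luks_key_works "$dev" "$newkey"
    cryptsetup luksRemoveKey --key-file "$oldkey" "$dev"
}

demo() {
    work=$(mktemp -d)
    umask 077
    truncate -s 32M "$work/disk.img"          # LUKS2 header alone takes 16 MiB
    dev=$(losetup --find --show "$work/disk.img")
    # Constructed demo passphrases; real ones come from your password manager.
    printf '%s' 'old passphrase for the demo' > "$work/old.key"
    printf '%s' 'new passphrase for the demo' > "$work/new.key"
    cryptsetup luksFormat --batch-mode --type luks2 --iter-time 500 \
        --key-file "$work/old.key" "$dev"
    add_keyfile_slot "$dev" "$work/old.key" "$work/usb.key"
    echo "slots before rotation: $(luks_active_slots "$dev")"
    rotate_luks_key "$dev" "$work/old.key" "$work/new.key" "$work/header.img"
    echo "slots after rotation:  $(luks_active_slots "$dev")"
    if luks_key_works "$dev" "$work/old.key" 2>/dev/null; then
        echo "old passphrase still unlocks: rotation failed"; exit 1
    fi
    luks_key_works "$dev" "$work/new.key"; echo "new passphrase unlocks"
    luks_key_works "$dev" "$work/usb.key"; echo "keyfile slot unlocks"
    losetup -d "$dev"
    rm -rf "$work"
}

# Run the demo only when asked for: sudo sh luks_rotate.sh demo
if [ "${1-}" = demo ]; then
    demo
fi
```

Run it with `sudo sh luks_rotate.sh demo`; it formats the image with one passphrase slot, adds the keyfile slot, rotates the passphrase and then checks that the old passphrase no longer opens the volume while the new passphrase and the keyfile still do. The header backup is the part the bullet list above leaves implicit: it holds the encrypted master key together with every slot that existed when it was taken, so a passphrase you later removed still unlocks the data through an old header backup. Store that file with the same care as the key itself, and take a fresh one after each rotation.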