Hey everyone,
I have a backup server that currently uses LUKS to encrypt data on its devices. I'm considering backing up this data to a remote server (like a VPS or dedicated server). I've come across solutions like gocryptfs and cryfs for this purpose, which seem to encrypt the data before sending it.
I'm curious about the idea of using LUKS on a file instead. My thought process is to create a LUKS device within a file of a specific size, then back up my data, and finally close the device. I want to know what the potential drawbacks are to using LUKS on a file rather than on a regular block device. I've seen many examples online where people use files without any warnings about their method.
From what I understand, one drawback might be that the data could be sent in plain text, but I'm planning on using an encrypted channel like an SSH connection or a VPN for the transfer. Any insights or suggestions would be greatly appreciated!
Thanks in advance!
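The workflow described in the question (create a LUKS container inside a file, open it, copy the backup in, close it, ship the file) as an added shell example; it is not code from the thread or from the cryptsetup project. The container path, mapper name, mount point, key file and remote destination are assumed names. The check in `luks_file_is_closed` is the part worth keeping: a container that is still open is readable by anyone with root on the backup host, and the file on disk is only ciphertext once the mapping is closed, so that is the only state in which it should be transferred. SSH still protects the session, but the file's payload is LUKS ciphertext either way.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): a LUKS-in-a-file backup container.
# Assumed names throughout: container file, mapper name, mount point, key file,
# remote rsync destination. Creating/opening/closing needs root and cryptsetup.
set -eu

# Create a container file of SIZE_MB and format it as LUKS2.
# The passphrase is read from KEYFILE (assumed path, keep it mode 600).
luks_file_create() {
    local file="$1" size_mb="$2" keyfile="$3"
    # fallocate is fast; filling from /dev/urandom would also hide used space
    fallocate -l "${size_mb}M" "$file"
    chmod 600 "$file"
    cryptsetup luksFormat --type luks2 --batch-mode --key-file "$keyfile" "$file"
}

# Open the container (cryptsetup sets up the loop device itself), create a
# filesystem on first use, and mount it.
luks_file_open() {
    local file="$1" name="$2" mnt="$3" keyfile="$4"
    cryptsetup open --key-file "$keyfile" "$file" "$name"
    if ! blkid "/dev/mapper/$name" >/dev/null 2>&1; then
        mkfs.ext4 -q "/dev/mapper/$name"
    fi
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
}

# Unmount and close; after this the file on disk holds only ciphertext.
luks_file_close() {
    local name="$1" mnt="$2"
    umount "$mnt"
    cryptsetup close "$name"
}

# Return 0 only when the device-mapper node is gone and no loop device still
# points at the file. Run this before any transfer: an open container is
# plaintext for anyone with root here, and copying it while open can also
# produce an inconsistent image.
luks_file_is_closed() {
    local file="$1" name="$2"
    [ -e "/dev/mapper/$name" ] && return 1
    if command -v losetup >/dev/null 2>&1; then
        losetup -j "$file" 2>/dev/null | grep -q . && return 1
    fi
    return 0
}

# Ship the closed container with rsync over SSH. --inplace lets rsync update
# only the changed blocks of the large file instead of writing a fresh copy.
luks_file_transfer() {
    local file="$1" name="$2" dest="$3"
    if ! luks_file_is_closed "$file" "$name"; then
        echo "refusing to transfer: $name is still open" >&2
        return 1
    fi
    rsync --inplace --partial -e ssh "$file" "$dest"
}

# Usage (assumed paths; run as root on the backup server):
#   luks_file_create  /srv/backup.img 10240 /root/backup.key
#   luks_file_open    /srv/backup.img backupvol /mnt/backupvol /root/backup.key
#   rsync -a /data/ /mnt/backupvol/
#   luks_file_close   backupvol /mnt/backupvol
#   luks_file_transfer /srv/backup.img backupvol user@vps.example:/backups/
```

One design choice: the key file never leaves the backup server, and the remote side only ever holds the closed container, so a compromise of the VPS yields ciphertext plus a LUKS header; protecting that header (a strong passphrase or key file, and a `cryptsetup luksHeaderBackup` kept offline) is what the security of the remote copy then rests on.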
3 Answers
One major concern with using LUKS for a backup while it's mounted on your server is that anyone with access can potentially see your backup data during that time. With gocryptfs or cryfs, you can prepare the files offline without needing to mount them on the backup server, which protects your data even if that server gets compromised. Essentially, these tools keep your backup secure because the files can be sent without exposing them during transfer.
While you can use LUKS for a file, it's generally not optimized for that purpose. A block device’s architecture is what LUKS is built for. If you’re looking for ease and efficiency, consider using a backup program that has built-in encryption, like Kopia — it makes life a lot easier!
You could certainly use rsync to transfer your data to an encrypted host, and it's been working great for me. Just make sure you understand how your setup handles the encryption during transfer.
What do you mean by 'encrypted host'? Is that just a server that uses SSH, or is there more to it?
Exactly! You nailed it. A mounted LUKS volume could definitely be a vulnerability. Using tools like gocryptfs means you don’t have to worry about your data being accessed while it’s backed up.