1

I'm in the process of setting up backups and recovery for my own personal system. Currently a basic tar of the system seems sufficient (in the future I might investigate incremental backups).

As storing a backup on the same machine is not resilient, I would like to be able to store backups on another system. In order to protect privacy I would like these to be encrypted.

Encrypting a file is not too complicated; however, if I'm in a scenario where I need a backup, I might not have access to the key used to protect the backup.

Which brings me to my question,

Q: How do you manage/store keys used for backups in such a way that you can still access/generate them in the context of complete system failure?

Backing up the key seems circular as it would also need to be encrypted, which requires another key with the same issues. I've looked at algorithms like BIP39 which allow for deterministic key generation from a series of words (which as a bonus can be stored on non-digital media).
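
The deterministic derivation mentioned in the question, as an added example that is not part of the original post: it runs the BIP39 mnemonic-to-seed step (PBKDF2-HMAC-SHA512, 2048 rounds) and shows that the same words retyped from paper yield the same backup key on a fresh machine. The `backup_key` and `recover` helpers, the labels and the sample phrase are assumptions of this example; the BIP39 wordlist and checksum validation are not implemented.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample phrase: the public all-zero-entropy BIP39 test mnemonic.
# Never protect real data with it; a real phrase must be randomly generated.
SAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed step: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic'+passphrase.

    The wordlist/checksum check of BIP39 is not implemented here. Collapsing
    whitespace is a leniency of this example for phrases retyped from paper.
    2048 rounds is cheap, so the phrase itself must carry the entropy.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def backup_key(seed: bytes, label: str) -> bytes:
    """Hypothetical helper (not part of BIP39): one 32-byte key per label,
    derived as HMAC-SHA256(seed, label), so each backup set has its own key."""
    return hmac.new(seed, label.encode("utf-8"), hashlib.sha256).digest()


def recover(mnemonic: str, passphrase: str, label: str) -> bytes:
    """What you would run on a fresh machine: words in, same key out."""
    return backup_key(bip39_seed(mnemonic, passphrase), label)


if __name__ == "__main__":
    original = recover(SAMPLE_MNEMONIC, "", "system-tar")
    # Same words retyped from paper with stray spaces and line breaks.
    retyped = recover("  abandon abandon abandon abandon abandon abandon\n"
                      "abandon abandon abandon abandon abandon   about ",
                      "", "system-tar")
    print("key recovered:", hmac.compare_digest(original, retyped))
    print("other label differs:",
          original != recover(SAMPLE_MNEMONIC, "", "photos"))
```
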

5
  • 2
    Surveys and opinion-based questions don't really work on this site. There are many different options for different requirements. Keys can be printed out or stored in digital form. They can be kept as plaintext or wrapped with another key or passphrase (in which case you must remember the passphrase). They can be physically protected in a safe, a bank vault or some other secure location. They can be split or stored as a single piece of data. And so on. We cannot tell you what is right in your case, nor is the solution somebody else uses automatically useful for you. Commented Oct 22 at 7:22
  • I don't want to ask for "What is the best" or "What works in all cases", I'm more interested in the common building blocks for this sort of problem. There are a lot of algorithms in the space of encryption such as BIP39, Secret sharing, ... ; but I'm not familiar enough with the literature to know which techniques make sense in this context. Perhaps this is indeed a survey of what is commonly used, but due to a lack of alternatives I'm asking the question here. Any pointers to better suited forums are always welcome Commented Oct 22 at 7:33
  • 1
    Even if you had a complete list of building blocks, that still wouldn't tell you what makes sense in your case. It's better to start with the requirements: How critical is it to protect the confidentiality of the data? Would a leak be a minor inconvenience or a catastrophe? Whom do you need to protect the data from? Just ordinary people who can be stopped with a simple locked drawer, or do you expect more motivated attackers? Can you reliably remember a strong passphrase, or do you want the recovery to work even if your memory fails? Commented Oct 22 at 7:49
  • The better you understand your own requirements, the easier it will be to look or ask for suitable solutions. Commented Oct 22 at 7:50
  • Essentially, encrypt your backup with a key you can remember or can recover (e.g. stored on a piece of paper in a safe deposit box). Commented Oct 27 at 18:19

1 Answer

0

Backing up your backup encryption key in your backup is a little silly, and misunderstands what an encryption key actually is for, conceptually speaking.

Encryption is about creating a secret (e.g. your password/key/whatever) that you can secure yourself, and by securing your key you indirectly secure all the rest of your data.

  • Encryption isn't magic.

  • Encryption isn't security.

  • Secure your key in order to secure your data.

How do you do that? However you want.

Maybe you can just remember it. Or maybe you can print it out and put it somewhere safe. Maybe you save it on a USB drive and store it in a fireproof vault. Maybe you write it on a sticky note next to your monitor.

If this is your personal data, secured just for you, then do whatever you want. Whatever you're comfortable with.
