Encrypting a currently used external hard drive such that it can be updated with rsync?
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I currently have an unencrypted external hard drive that I use as a backup for my encrypted (with LUKS) main machine. To update my backup, I simply log in to the main machine and rsync to my external hard drive. Clearly, having an unencrypted backup for material that was worth encrypting in the first place is a bad idea. However, due to time constraints, I am unable to regularly update my backup without the help of something like rsync. It follows that any encryption method that I use on the external drive must be compatible with rsync. However, I have ran in to the following issues:
- Userspace stackable encryption methods like EncFS or eCryptfs appear to both take up a lot of space and not play nice with rsync. The hidden files reponsible for the encryption seem to change frequently enough that rsync ends up having to copy so many files that it's barely worth even using rsync.
- luksipc would be an option, but it's latest documentation tells me to instead use the the cryptsetup-reencrypt tool from dm-crypt. Sadly, whenever I look up the relevant documentation on the arch wiki for cryptsetup-reencrypt I can neither tell what to do, nor if it'll work with rsync. The cryptsetup-reencrypt tool also seems to be new enough that it's hard to find doccumentation on it that someone at my level can read.
- Plain LUKS, or anything similar isn't an option, because the earlier mentioned time constraints prevent me from being able to wipe the drive and make the backup again from scratch.
- Duplicity could be an option, but it doesn't seem able to encrypt any unencrypted files that are on the external hard drive (i.e. where it's copying to).
Overall, it looks like #2 might be my best option for the goal of encrypting my external drive and keeping that drive up to date with rsync, but I don't really know where to begin and I'm not very open to the possibility that I might have to wipe the drive before encrypting it. Am I missing anything useful?
rsync encryption external-hdd dm-crypt ecryptfs
add a comment |
I currently have an unencrypted external hard drive that I use as a backup for my encrypted (with LUKS) main machine. To update my backup, I simply log in to the main machine and rsync to my external hard drive. Clearly, having an unencrypted backup for material that was worth encrypting in the first place is a bad idea. However, due to time constraints, I am unable to regularly update my backup without the help of something like rsync. It follows that any encryption method that I use on the external drive must be compatible with rsync. However, I have ran in to the following issues:
- Userspace stackable encryption methods like EncFS or eCryptfs appear to both take up a lot of space and not play nice with rsync. The hidden files reponsible for the encryption seem to change frequently enough that rsync ends up having to copy so many files that it's barely worth even using rsync.
- luksipc would be an option, but it's latest documentation tells me to instead use the the cryptsetup-reencrypt tool from dm-crypt. Sadly, whenever I look up the relevant documentation on the arch wiki for cryptsetup-reencrypt I can neither tell what to do, nor if it'll work with rsync. The cryptsetup-reencrypt tool also seems to be new enough that it's hard to find doccumentation on it that someone at my level can read.
- Plain LUKS, or anything similar isn't an option, because the earlier mentioned time constraints prevent me from being able to wipe the drive and make the backup again from scratch.
- Duplicity could be an option, but it doesn't seem able to encrypt any unencrypted files that are on the external hard drive (i.e. where it's copying to).
Overall, it looks like #2 might be my best option for the goal of encrypting my external drive and keeping that drive up to date with rsync, but I don't really know where to begin and I'm not very open to the possibility that I might have to wipe the drive before encrypting it. Am I missing anything useful?
rsync encryption external-hdd dm-crypt ecryptfs
1
What's the problem with just unlocking the LUKS partition, mounting it, and then running rsync?
– Xen2050
Mar 17 at 16:24
@Xen2050 The only LUKS partition that I have is on my main machine. Copying an unlocked version of that on to my external drive is what I'm already doing, i.e. a method resulting in unencrypted output.
– J. Mini
Mar 17 at 16:38
add a comment |
I currently have an unencrypted external hard drive that I use as a backup for my encrypted (with LUKS) main machine. To update my backup, I simply log in to the main machine and rsync to my external hard drive. Clearly, having an unencrypted backup for material that was worth encrypting in the first place is a bad idea. However, due to time constraints, I am unable to regularly update my backup without the help of something like rsync. It follows that any encryption method that I use on the external drive must be compatible with rsync. However, I have ran in to the following issues:
- Userspace stackable encryption methods like EncFS or eCryptfs appear to both take up a lot of space and not play nice with rsync. The hidden files reponsible for the encryption seem to change frequently enough that rsync ends up having to copy so many files that it's barely worth even using rsync.
- luksipc would be an option, but it's latest documentation tells me to instead use the the cryptsetup-reencrypt tool from dm-crypt. Sadly, whenever I look up the relevant documentation on the arch wiki for cryptsetup-reencrypt I can neither tell what to do, nor if it'll work with rsync. The cryptsetup-reencrypt tool also seems to be new enough that it's hard to find doccumentation on it that someone at my level can read.
- Plain LUKS, or anything similar isn't an option, because the earlier mentioned time constraints prevent me from being able to wipe the drive and make the backup again from scratch.
- Duplicity could be an option, but it doesn't seem able to encrypt any unencrypted files that are on the external hard drive (i.e. where it's copying to).
Overall, it looks like #2 might be my best option for the goal of encrypting my external drive and keeping that drive up to date with rsync, but I don't really know where to begin and I'm not very open to the possibility that I might have to wipe the drive before encrypting it. Am I missing anything useful?
rsync encryption external-hdd dm-crypt ecryptfs
I currently have an unencrypted external hard drive that I use as a backup for my encrypted (with LUKS) main machine. To update my backup, I simply log in to the main machine and rsync to my external hard drive. Clearly, having an unencrypted backup for material that was worth encrypting in the first place is a bad idea. However, due to time constraints, I am unable to regularly update my backup without the help of something like rsync. It follows that any encryption method that I use on the external drive must be compatible with rsync. However, I have ran in to the following issues:
- Userspace stackable encryption methods like EncFS or eCryptfs appear to both take up a lot of space and not play nice with rsync. The hidden files reponsible for the encryption seem to change frequently enough that rsync ends up having to copy so many files that it's barely worth even using rsync.
- luksipc would be an option, but it's latest documentation tells me to instead use the the cryptsetup-reencrypt tool from dm-crypt. Sadly, whenever I look up the relevant documentation on the arch wiki for cryptsetup-reencrypt I can neither tell what to do, nor if it'll work with rsync. The cryptsetup-reencrypt tool also seems to be new enough that it's hard to find doccumentation on it that someone at my level can read.
- Plain LUKS, or anything similar isn't an option, because the earlier mentioned time constraints prevent me from being able to wipe the drive and make the backup again from scratch.
- Duplicity could be an option, but it doesn't seem able to encrypt any unencrypted files that are on the external hard drive (i.e. where it's copying to).
Overall, it looks like #2 might be my best option for the goal of encrypting my external drive and keeping that drive up to date with rsync, but I don't really know where to begin and I'm not very open to the possibility that I might have to wipe the drive before encrypting it. Am I missing anything useful?
rsync encryption external-hdd dm-crypt ecryptfs
rsync encryption external-hdd dm-crypt ecryptfs
edited Mar 20 at 23:25
J. Mini
asked Mar 17 at 16:09
J. MiniJ. Mini
111
111
1
What's the problem with just unlocking the LUKS partition, mounting it, and then running rsync?
– Xen2050
Mar 17 at 16:24
@Xen2050 The only LUKS partition that I have is on my main machine. Copying an unlocked version of that on to my external drive is what I'm already doing, i.e. a method resulting in unencrypted output.
– J. Mini
Mar 17 at 16:38
add a comment |
1
What's the problem with just unlocking the LUKS partition, mounting it, and then running rsync?
– Xen2050
Mar 17 at 16:24
@Xen2050 The only LUKS partition that I have is on my main machine. Copying an unlocked version of that on to my external drive is what I'm already doing, i.e. a method resulting in unencrypted output.
– J. Mini
Mar 17 at 16:38
1
1
What's the problem with just unlocking the LUKS partition, mounting it, and then running rsync?
– Xen2050
Mar 17 at 16:24
What's the problem with just unlocking the LUKS partition, mounting it, and then running rsync?
– Xen2050
Mar 17 at 16:24
@Xen2050 The only LUKS partition that I have is on my main machine. Copying an unlocked version of that on to my external drive is what I'm already doing, i.e. a method resulting in unencrypted output.
– J. Mini
Mar 17 at 16:38
@Xen2050 The only LUKS partition that I have is on my main machine. Copying an unlocked version of that on to my external drive is what I'm already doing, i.e. a method resulting in unencrypted output.
– J. Mini
Mar 17 at 16:38
add a comment |
1 Answer
1
active
oldest
votes
I think I see the main problem now, it's just:
"How do I encrypt a drive that already has data on it?"
There's only one safe answer, whether you're using LUKS or eCryptFS or EncFS, or basically anything:
- Backup the data somewhere else
- Encrypt the drive (erasing / overwriting the now backed up existing data on it)
- Copy the data to the now encrypted drive
- Verify that you can decrypt (unlock) the drive, and that the data is unchanged
For your case, if you wanted to use LUKS on the backup drive, and if the backup drive is less than half full, you could:
- create a free partition in half the drive
- encrypt the free partition with LUKS
- copy your data from the unencrypted partition to the LUKS partition
- delete the unencrypted partition
- then expand the LUKS partition over the entire drive...
BUT one of those partition shrinking & enlarging operations will most likely require moving data, and to be safe you should have a backup first, so you're stuck with just doing the earlier "Backup the data" step anyway.
The same goes if you're considering a LUKS encrypt-in-place solution (lukspic or cryptsetup-reencrypt) - if it's important data, have a backup first.
- Since this is already a backup drive, you might be able to use the original drive as a pseudo-backup, and just erase the whole drive, use LUKS, and then make a fresh backup from the original drive
Or, if you don't care if the data were to get deleted, then go ahead and try an encrypt-in-place solution, or move partitions back & forth, just don't be shocked if something goes wrong & everything gets deleted.
I've made an edit to reflect this, but you've missed something - the reason why I'm using rsync is because my time constraints prevent me from making a new backup from scratch. However, if memory serves my recent modifications to my backup has rendered the backup drive less than half full, so your answer might be usable.
– J. Mini
Mar 20 at 23:26
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f506832%2fencrypting-a-currently-used-external-hard-drive-such-that-it-can-be-updated-with%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
I think I see the main problem now, it's just:
"How do I encrypt a drive that already has data on it?"
There's only one safe answer, whether you're using LUKS or eCryptFS or EncFS, or basically anything:
- Backup the data somewhere else
- Encrypt the drive (erasing / overwriting the now backed up existing data on it)
- Copy the data to the now encrypted drive
- Verify that you can decrypt (unlock) the drive, and that the data is unchanged
For your case, if you wanted to use LUKS on the backup drive, and if the backup drive is less than half full, you could:
- create a free partition in half the drive
- encrypt the free partition with LUKS
- copy your data from the unencrypted partition to the LUKS partition
- delete the unencrypted partition
- then expand the LUKS partition over the entire drive...
BUT one of those partition shrinking & enlarging operations will most likely require moving data, and to be safe you should have a backup first, so you're stuck with just doing the earlier "Backup the data" step anyway.
The same goes if you're considering a LUKS encrypt-in-place solution (lukspic or cryptsetup-reencrypt) - if it's important data, have a backup first.
- Since this is already a backup drive, you might be able to use the original drive as a pseudo-backup, and just erase the whole drive, use LUKS, and then make a fresh backup from the original drive
Or, if you don't care if the data were to get deleted, then go ahead and try an encrypt-in-place solution, or move partitions back & forth, just don't be shocked if something goes wrong & everything gets deleted.
I've made an edit to reflect this, but you've missed something - the reason why I'm using rsync is because my time constraints prevent me from making a new backup from scratch. However, if memory serves my recent modifications to my backup has rendered the backup drive less than half full, so your answer might be usable.
– J. Mini
Mar 20 at 23:26
add a comment |
I think I see the main problem now, it's just:
"How do I encrypt a drive that already has data on it?"
There's only one safe answer, whether you're using LUKS or eCryptFS or EncFS, or basically anything:
- Backup the data somewhere else
- Encrypt the drive (erasing / overwriting the now backed up existing data on it)
- Copy the data to the now encrypted drive
- Verify that you can decrypt (unlock) the drive, and that the data is unchanged
For your case, if you wanted to use LUKS on the backup drive, and if the backup drive is less than half full, you could:
- create a free partition in half the drive
- encrypt the free partition with LUKS
- copy your data from the unencrypted partition to the LUKS partition
- delete the unencrypted partition
- then expand the LUKS partition over the entire drive...
BUT one of those partition shrinking & enlarging operations will most likely require moving data, and to be safe you should have a backup first, so you're stuck with just doing the earlier "Backup the data" step anyway.
The same goes if you're considering a LUKS encrypt-in-place solution (lukspic or cryptsetup-reencrypt) - if it's important data, have a backup first.
- Since this is already a backup drive, you might be able to use the original drive as a pseudo-backup, and just erase the whole drive, use LUKS, and then make a fresh backup from the original drive
Or, if you don't care if the data were to get deleted, then go ahead and try an encrypt-in-place solution, or move partitions back & forth, just don't be shocked if something goes wrong & everything gets deleted.
I've made an edit to reflect this, but you've missed something - the reason why I'm using rsync is because my time constraints prevent me from making a new backup from scratch. However, if memory serves my recent modifications to my backup has rendered the backup drive less than half full, so your answer might be usable.
– J. Mini
Mar 20 at 23:26
add a comment |
I think I see the main problem now, it's just:
"How do I encrypt a drive that already has data on it?"
There's only one safe answer, whether you're using LUKS or eCryptFS or EncFS, or basically anything:
- Backup the data somewhere else
- Encrypt the drive (erasing / overwriting the now backed up existing data on it)
- Copy the data to the now encrypted drive
- Verify that you can decrypt (unlock) the drive, and that the data is unchanged
For your case, if you wanted to use LUKS on the backup drive, and if the backup drive is less than half full, you could:
- create a free partition in half the drive
- encrypt the free partition with LUKS
- copy your data from the unencrypted partition to the LUKS partition
- delete the unencrypted partition
- then expand the LUKS partition over the entire drive...
BUT one of those partition shrinking & enlarging operations will most likely require moving data, and to be safe you should have a backup first, so you're stuck with just doing the earlier "Backup the data" step anyway.
The same goes if you're considering a LUKS encrypt-in-place solution (lukspic or cryptsetup-reencrypt) - if it's important data, have a backup first.
- Since this is already a backup drive, you might be able to use the original drive as a pseudo-backup, and just erase the whole drive, use LUKS, and then make a fresh backup from the original drive
Or, if you don't care if the data were to get deleted, then go ahead and try an encrypt-in-place solution, or move partitions back & forth, just don't be shocked if something goes wrong & everything gets deleted.
I think I see the main problem now, it's just:
"How do I encrypt a drive that already has data on it?"
There's only one safe answer, whether you're using LUKS or eCryptFS or EncFS, or basically anything:
- Backup the data somewhere else
- Encrypt the drive (erasing / overwriting the now backed up existing data on it)
- Copy the data to the now encrypted drive
- Verify that you can decrypt (unlock) the drive, and that the data is unchanged
For your case, if you wanted to use LUKS on the backup drive, and if the backup drive is less than half full, you could:
- create a free partition in half the drive
- encrypt the free partition with LUKS
- copy your data from the unencrypted partition to the LUKS partition
- delete the unencrypted partition
- then expand the LUKS partition over the entire drive...
BUT one of those partition shrinking & enlarging operations will most likely require moving data, and to be safe you should have a backup first, so you're stuck with just doing the earlier "Backup the data" step anyway.
The same goes if you're considering a LUKS encrypt-in-place solution (lukspic or cryptsetup-reencrypt) - if it's important data, have a backup first.
- Since this is already a backup drive, you might be able to use the original drive as a pseudo-backup, and just erase the whole drive, use LUKS, and then make a fresh backup from the original drive
Or, if you don't care if the data were to get deleted, then go ahead and try an encrypt-in-place solution, or move partitions back & forth, just don't be shocked if something goes wrong & everything gets deleted.
answered Mar 20 at 19:11
Xen2050Xen2050
1,359914
1,359914
I've made an edit to reflect this, but you've missed something - the reason why I'm using rsync is because my time constraints prevent me from making a new backup from scratch. However, if memory serves my recent modifications to my backup has rendered the backup drive less than half full, so your answer might be usable.
– J. Mini
Mar 20 at 23:26
add a comment |
I've made an edit to reflect this, but you've missed something - the reason why I'm using rsync is because my time constraints prevent me from making a new backup from scratch. However, if memory serves my recent modifications to my backup has rendered the backup drive less than half full, so your answer might be usable.
– J. Mini
Mar 20 at 23:26
I've made an edit to reflect this, but you've missed something - the reason why I'm using rsync is because my time constraints prevent me from making a new backup from scratch. However, if memory serves my recent modifications to my backup has rendered the backup drive less than half full, so your answer might be usable.
– J. Mini
Mar 20 at 23:26
I've made an edit to reflect this, but you've missed something - the reason why I'm using rsync is because my time constraints prevent me from making a new backup from scratch. However, if memory serves my recent modifications to my backup has rendered the backup drive less than half full, so your answer might be usable.
– J. Mini
Mar 20 at 23:26
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f506832%2fencrypting-a-currently-used-external-hard-drive-such-that-it-can-be-updated-with%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
What's the problem with just unlocking the LUKS partition, mounting it, and then running rsync?
– Xen2050
Mar 17 at 16:24
@Xen2050 The only LUKS partition that I have is on my main machine. Copying an unlocked version of that on to my external drive is what I'm already doing, i.e. a method resulting in unencrypted output.
– J. Mini
Mar 17 at 16:38