I’ve been using veracrypt for the past 4 years to create container files in everything from thumb drives to external hard drives. After upgrading one of my backup drives, I decided that I will switch to a different filesystem altogether going on, from ntfs to ext4, since I havent really used windows in those 4 years. With the reasoning behind using veracrypt and ntfs in the first place being for compatibility, should I switch to LUKS? Veracrypt is dramatically more feature rich but I dont really take advantage of those. I just encrypt my drives in case of burglars and other unwanted eyes. I do already have a disaster plan in place so I would have to do a total overhaul of things, but I’m not sure if this is a wise decision. My gut says no but what do you think? What would I gain?

Edit: shouldve added that these drives are for warm storage for my weekly manual backups of files.

Edit 2: the general opinion is to use a tool that supports encryption but I dont really feel comfortable with that but do appreciate it. It’s just I’ve been manually updating my backup drives for a while now and like how simple my routine is. Think my decision is to just stick with veracrypt but format every future drive (including a new one I ordered) as ext4. My current drives wont be reformatted in order to reduce unnecessary wear on them. Thank you all for your help

  • passepartout@feddit.de
    link
    fedilink
    arrow-up
    10
    ·
    1 year ago

    I’m by no means a security expert, but I encrypt all my drives with LUKS on ext4 (or btrfs with the system drive on Fedora). I have a similar use case to yours, so i would be interested in your disaster plan as you call it.

    • ExtrasOP
      link
      fedilink
      arrow-up
      10
      ·
      edit-2
      1 year ago

      Oh by disaster plan I mean incase of drive failure/my death. Its the 3,2,1 backup rule basically. 1 original backup drive and a copy of it are local in a fire resistant box within a bolted down safe, then an offsite cold copy of my backup drive is at a loved one’s home where backups are manually updated monthly. The more important data is also stored in the cloud with cryptomator just as more insurance for myself. A laminated paper with credentials needed to access the data is stored in 2 places, another loved one’s home in their safe (cloud provider account credentials opted out) with instruction in case I die, and hidden local in case I forget anything.

      • s3rvant@kbin.social
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        This is exactly my backup strategy even using cryptomator for a cloud backup. My PC and kiddos laptops are all linux so have no worries about needing a Windows machine for recovery and even if all systems died I could always use a live distro to boot elsewhere and access my files.

  • GlitzyArmrest@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1
    ·
    edit-2
    1 year ago

    LUKS with LVM is probably what you want to encrypt your “hot” drives with. As for the actual backups, Borg and Duplicacy are great. I personally prefer Duplicacy as I find it much more polished, but Borg is great too. Both include encryption options.

    If you’re concerned about recovering data, you should try recovering now. Make sure your backups are actually working and you can properly recover. You don’t have backups unless you test them.

  • fmstrat@lemmy.nowsci.com
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    1 year ago

    LUKS is a great option, but as someone who was in your exact shoes, and went from TrueCrypt to VeraCrypt to LUKS, I eventually landed on ZFS.

    It’s just so, easy. Make an encrypted Zpool on your main /storage disk. Assign a /storage/documents (or whatever you want), Make another Zpool on your /backup disk, and use zfs snap and send to copy only the bit level data that changes.

    So fast, so little disk access, and you can manage snapshots. There is even copy-on-write meaning file recovery is easy, too. I use it to send over SSH to a remote server, too.

  • The only change I would recommend looking at is using a backup tool like restic, which can encrypt and also provide snapshots. Restic (and ilk, I’m sure) also deduplicate incremental backups, can compress, and (restic, at least) can mount snapshots. That last feature has been so helpful to me, because it allows easy access to individual files in a snapshot.

    Restic also supports a number of cloud storage backends, like BackBlaze, which makes offsite storage hella easier than carting physical media around.

    There are a couple of these sorts of tools, and while I’m most familiar with restic, I’d guess they have similar capability. I’d suspect using one would simplify your set-up.

  • 486@kbin.social
    link
    fedilink
    arrow-up
    4
    ·
    1 year ago

    I’d choose LUKS over Veracrypt for simplicity. If the drive is solely for backup, depending on the backup tool you use, you might not even need encryption on the file system level. Several backup solutions support data encryption.

  • just_another_person@lemmy.world
    link
    fedilink
    arrow-up
    4
    arrow-down
    1
    ·
    1 year ago

    Is the drive you’re backing up even encrypted? If not, all of this is for nothing.

    LUKS or file-based encryption is fine either way, but you’ll probably have better performance with LUKS.

    • ExtrasOP
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago

      Yeah the drives of each of my machines are fully encrypted

  • solrize@lemmy.ml
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    If this is for live disks or mirrors (not backup), LUKS is reasonable. Backup is different from mirroring since one of the things it protects you from is accidentally deleting files. If you delete a file from your main drive, it also disappears from the mirror drive, so mirrors are not backup. For encrypted backup, I’ve been using Borg backup which is quite well thought out, though confusing at first. The backups go on a remote server which is ok since they are all encrypted.