Another idea for Truecrypt backups on NAS
You may have read my previous post about my pains in trying to get Truecrypt on my laptop to mount a Truecrypt volume on my ‘NAS’. It complains about network issues. To be fair, considering my ‘NAS’ is actually an NTFS USB drive, plugged into a Mac Mini, running NTFS drivers… I’m not too surprised that there’s a glitch somewhere in the stack.
So… I was thinking of getting a NAS to take care of the issue for me. However, it turns out my favoured NAS, Synology – can’t. It uses eCryptFS, but on a file level; this disables access via NFS/CIFS (ie. Windows fileshare), since there’s no way of configuring the encryption on the PC you’re trying to backup from.
I guess there could be a way to enable eCryptFS on the PC you’re backing up, by exporting a key from the Synology (which you can do), and importing it to your PC, so that the PC writes the files to the NAS directly in the encrypted form. That might work on a Linux laptop, but try getting Windows to do that! Via a backup client!?!
And anyway, even if you did that, two problems:
- it disables the NAS interface for those shares anyway
- The key is stored on the NAS – so if it’s configured to be mounted on startup, then it’ll be decrypted anyway with no need for a password
So… what’s the plan?
The plan is this.
Firstly… don’t get the Synology, at least not for this reason. It doesn’t fix the encryption problem itself, although it may at least allow Truecrypt to mount that volume over the network without complaining.
Secondly… set my backup script to run this following process:
- SSH into the Mac Mini (ie. get the script to do this automatically)
- Run Truecrypt natively on MacOS on the Mac Mini. This could potentially include a very strong password or hash in the command – which is stored and run solely from my laptop in the SSH session, and so is not stored locally on the Mac (where someone could find and use it to access the volume, if they stole both Mac and Drive)
- Get it to mount the backup volume
- Get it to share the volume as a network share, so that my laptop can see it as a plain CIFS share
- Run SyncBackSE to backup my laptop drive to this ‘temporarily decrypted’ shared drive
- Once backup has completed, unmount the truecrypt volume
So… this has the following benefits
- SyncBackSE allows commands (inc scripts) to be run before/after backups, and so this SSH command can be part of that
- The Truecrypt volume is mounted locally on the Mac, so it present as a standard share, and won’t suffer any of the weird network connectivity issues from trying to mount the same volume remotely from my laptop
- The credentials or key to open the volume are stored in the script on my laptop.. .which is itself drive-encrypted. So, if someone steals the Mac and Drive, they do not have the password to decrypt the backup. If they steal my laptop, they would need the Windows password to log in and gain access to my drive to get the Truecrypt password…. in which case, since they’re already in my laptop, they already have access to all the data on its drive; no need to decrypt the backups after all.
So – it’ll be some faff with the script, but the payoff is hopefully a more reliable and secure backup.