Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Off-Site Backup for Home Users InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Off-Site Backup for Home Users

Published: 2006-09-10
Last Updated: 2006-09-10 21:04:42 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)
A few musings about off-site backup for home users and the usefulness of TrueCrypt...

Off-site backup hasn't been an issue for many home users. Perhaps this is because most people haven't assembled enough critical digital data to justify the effort of implementing off-site backup. They haven't even set up an on-site backup scheme. Many home users may never have to deal with off-site backup at all, considering the increasing popularity of free ASP services, such as Gmail, Bloglines, and Shutterfly, which manage data on the customer's behalf.

This is different for data power users, whose livelihood depends on the availability of their information. Freelance photographers, musicians, accountants, writers, programmers, and other professionals who maintain important files at home fall in this category. They have a vested interest in performing off-site backup in some manner, and they often do so.

For the longest time my off-site backup scheme involved burning by data into DVDs once in a while, and taking the disks to a friend's house. This scheme wasn't effective because:
  1. Backing up my data was too long. It was a manual process and involved too many DVDs.
  2. I kept forgetting to go through the backup procedure on regular basis. Maybe I was just too lazy.
  3. My off-site data quickly became outdated, because my backups were too infrequent.
When looking for a way to overhaul my off-site backup scheme, I considered a few possibilities:
  1. Network-based off-site backup. This method of backing up data wouldn't require me to fiddle with disks, and lends itself well to automation. The bandwidth to implement this scheme is becoming relatively inexpensive, and off-site data storage costs are decreasing. I didn't choose this method because  storage costs were still too high for me, but I think I will want to move to this mechanism in a couple of years. (I'm doing this for my home user persona, so my budget is pretty limited.)
  2. Tape-based off-site backup. Tapes have been the traditional off-site backup mechanism for a while in the corporate world, and have been adopted by some data power users at home. I didn't have enough data to justify investing in a tape drive and I just didn't want to deal with tapes. They would allow me to implement a sophisticated backup scheme, but I wanted something simple, which brought me to the next option...
  3. External hard drive-based off-site backup. External drives are relatively inexpensive and offer high data storage capacity. The largest disk on the market I came across was 750GB. That was way too much for me, plus I wanted a drive with smaller dimensions, so that it would be easy carry it to my off-site location. A laptop form-factor drive with the 180GB capacity fit the bill, although it was more expensive than its desktop form-factor counterpart. I bought the disk enclosure separately from the disk itself to save a few bucks.
Whatever off-site backup scheme suits your needs, be sure to consider how you will protect the data's confidentiality and integrity. Especially if you're shuttling disks from one location to the other, encrypting the disk's contents is something you'll probably want to do. There are many ways to encrypt data nowadays. The utility that appealed to me was TrueCrypt.

TrueCrypt is an open-source program for encrypting disks. It works on Windows and Unix operating systems. It's free and easy to use. It can run off external media without having to go through the installation process. TrueCrypt allows you to create an encrypted volume, either by storing the volume's contents in a file or in a dedicated partition. I selected the latter option.

I split my disk in two partitions. A small non-encrypted partition contained the TrueCrypt program. I formatted the much larger partition using TrueCrypt, so that it would exist as an encrypted volume:

To mount the encrypted volume, use TrueCrypt to select the desired partition and assign the mount point or the drive letter to it. TrueCrypt will prompt you for the password you established when creating the volume:

Once the encrypted volume is mounted, it will be available as a local disk, so you can use any backup or file-copying utilities to populate the partition with data.

Update: In addition to supporting password-only operations, TrueCrypt also allows the user to specify and optionally generate one or more key files. Without the key file, the encrypted volume would be inaccessible. The idea is that the key file would be stored away from the encrypted volume, so that the authorized user needs to present something he knows (the password) and something he has (the key file):

If you'd like to learn more about TrueCrypt, take a look at its documentation and at a December 2005 thread on the Dshield mailing list titled "Requiring a key-pair to mount a volume." There are also a few user testimonies in the comments at Bruce Schneier's blog.

-- Lenny

Lenny Zeltser
ISC Handler on Duty
0 comment(s)
Diary Archives