Encrypted Simplicity

With TrueCrypt’s recent issues I have once again redone the way I handle encryption, replication, and backup.

Encryption

For encryption I am using encfs (installed via Homebrew). It is fast, efficient, secure, file-based encryption (so it works well for syncing).

Sync

For syncing I am using BtSync. It is free, open source, multi-platform, and works well.

~/Documents/ – Non-secure syncing of the documents folder on all my machines.

~/.crypt/ – Secure (encfs) encrypted files directory.

~/iPhone-photos/ – Unencrypted iPhone photos (sync’d whenever phone is on wifi – I prefer this over Apple’s iCloud photo sync).

~/.ssh/ – Syncing password encrypted ssh private (and public) key pairs.

Backup

Using the Time Backup utility of Synology NAS I back up my documents, ssh, and encrypted files hourly to an external USB drive, maintaining many historical versions of each file in case something bad happens.

I have also traded BtSync read-only keys with a few friends to increase the number of copies of each file that is available in the BtSync cloud; this provides redundancy as well as speed in syncing.

SSH-Keys

Using ssh-add -K <path> in OS X I have managed to automate authentication to most of my remote servers.

Privacy in 2014

For 2014 I’ve decided that I’m going to be much more security conscious.

E-mail

A couple years ago, in search of better push support on iDevices (e.g. iPhone), I switched from my self-hosted Exchange solution to iCloud for all my email. I now have all my email addresses forwarded to iCloud.

Problems: 

  • E-mail is all stored (forever?) on Apple’s servers.
  • The Spam filtering sucks.
  • ‘Private’ e-mails are coming over iCloud and being archived with all my other mail (I archive my general mail).

Solution:

  • Host e-mail on self-hosted (mac mini) Apple OSX Server. (All current e-mail will be forwarded).
  • PGP on all iDevices and laptops/computers.
  • S/MIME on all iDevices and laptops/computers.
  • (todo) Spam Filtering (potentially with DSPAM).
  • (todo) Set up a small encrypted mail server (Dovecot + Postfix + DSPAM).

Sync and Backup

Between photos, music, desktop backgrounds, application preferences, etc. there is lots of stuff that needs to be sync’d these days. In the past I used a combination of many things including iCloud, DropBox, and BitTorrent Sync.

Problems:

  • DropBox has size limitations (with free version…).
  • DropBox and iCloud are centralized.
  • Important files need to be backed up with some sort of versioning in case something is accidentally deleted or corrupted.
  • Sensitive files need to be encrypted and backed up.

Solution:

  • iCloud sync for all non-sensitive application data (for any apps that support it).
  • BTSync for everything else.
    • Important and Sensitive documents will also be backed up to a Synology NAS unit that does versioning in case of accidents. This also provides a fast mirror of all content.
    • Large Aperture library will also be backed up to the NAS using BTSync.
    • Sensitive data encrypted with EncFS then Sync’d and backed up using BTSync.
    • Desktop backgrounds sync with BTSync.
  • Music and TV is stored on the Synology NAS and streamed via Subsonic (music), Plex (TV/Music), and Synology’s Audio/Video stations.
  • KyPass Companion (stored in iCloud) for syncing KeePass password database. (This also integrates with Google Chrome; I use it instead of Google Chrome’s password manager).

 

Best Practices:

  • Use a password manager, separate passwords for everything.
  • Use strong passwords (since you’re using a password manager, this shouldn’t make any difference when logging in since you’re not typing passwords anyways).
  • Downloads, Files in work, etc all go into sync’d directories now. Nothing should only be stored locally.
  • Media (Music/TV) should all be streamed, no more storing content locally.
  • Use PGP or S/MIME as often as possible. Be careful with private keys (I store them in a TrueCrypt volume to make it easy to share between machines).
  • Do a clean install of OS X every now and again. Do it even more frequently if you’re downloading random stuff.

Finally discontinuing use of Dropbox.

So after a few years of using DropBox to sync stuff between my computers I’ve finally fully replaced it with BitTorrent Sync. Over the past few months I’ve been slowly moving everything from cloud based services to self-hosted solutions for privacy reasons. BTSync works just as well as DropBox does (even better in some capacities), doesn’t have any size restrictions, and of course isn’t centralized.

One thing that should be noted is that TrueCrypt encrypted partitions don’t work as well on BTSync (though did they ever work that well on DropBox either?) so I suggest going with EncFS (or if you want an easier to setup solution, check out BoxCryptor).

I’ve also started more heavily relying upon iCloud Sync for anything that’s not important.

Decommissioning CrashPlan backup

Tried using CrashPlan for a while to keep things backed up. In the end I’ve decided to go with a different approach – storing all my important stuff fully encrypted in a Dropbox container. That way it syncs to Dropbox and between my computers in the background (Dropbox does a great job of background syncing, and since I’m using encfs, which is file-based encryption, only the changed files are resync’d each sync).

CrashPlan is great in theory, however there are a few issues:

  1. The software (GUI) itself is slow on all platforms I’ve tested it on. The free version also offers no control over compression or encryption (though backups are encrypted and compressed according to documentation – even in the free version).
  2. The daemon seems to take up more resources than I want it to. Maybe it’s just me, I don’t like Java.
  3. I prefer to control the encryption myself.

Simple mysqldump script to be run prior to tarsnap

Now that I’m using tarsnap (http://www.tarsnap.com/) for all my important files, I need something to back up my important databases. To do this I’m going to use mysqldump to dump any important databases to a file.

#!/bin/bash
# sonia 16-nov-05
# backup each mysql db into a different file, rather than one big file
# as with --all-databases - will make restores easier

USER="backup"
PASSWORD="secret"
OUTPUTDIR="/usr/home/somewhere"
MYSQLDUMP="/usr/local/bin/mysqldump"
MYSQL="/usr/local/bin/mysql"

# clean up any old backups - save space
# (the glob must sit outside the quotes, or it is never expanded)
rm -f "$OUTPUTDIR"/*bak > /dev/null 2>&1

# get a list of databases
databases=`$MYSQL --user="$USER" --password="$PASSWORD" \
 -e "SHOW DATABASES;" | tr -d "| " | grep -v Database`

# dump each database in turn
for db in $databases; do
    echo "$db"
    $MYSQLDUMP --force --opt --user="$USER" --password="$PASSWORD" \
    --databases "$db" > "$OUTPUTDIR/$db.bak"
done

Note that I won’t be compressing the output of mysqldump. This is so that tarsnap will only transfer the actual differential each day; if I were to gzip the output of mysqldump, tarsnap would retransfer the entire compressed file each backup.

This script was taken from http://www.snowfrog.net/2005/11/16/backup-multiple-databases-into-separate-files/ and works wonderfully!
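
A variant of the dump script that keeps the password out of the process list, as an added example (not part of the original post or the snowfrog script): `--user`/`--password` on the command line are visible to other local users through `ps`, so credentials are read from an option file via `--defaults-extra-file`, and `umask 077` keeps the plaintext dumps private. The function names and the option-file and output paths passed as arguments are assumptions of this example.

```shell
#!/bin/bash
# Added example: per-database dumps with no password in argv.
# Credentials live in an option file ([client] user=... password=...), mode 0600.

MYSQL="${MYSQL:-mysql}"              # client binaries; override if needed
MYSQLDUMP="${MYSQLDUMP:-mysqldump}"

# Succeed only if the option file is a regular file accessible by its owner alone.
cnf_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one database name per line, skipping the server's virtual schemas.
list_databases() {
    "$MYSQL" --defaults-extra-file="$1" --batch --skip-column-names \
        -e "SHOW DATABASES" |
        grep -v -x -e information_schema -e performance_schema
}

# Dump every database to <outdir>/<db>.bak, uncompressed so tarsnap can
# deduplicate between runs. Returns non-zero if any dump failed.
dump_all() {
    cnf="$1"; outdir="$2"; rc=0
    cnf_is_private "$cnf" || { echo "refusing: $cnf must be mode 0600" >&2; return 2; }
    umask 077                        # dumps readable by the backup user only
    mkdir -p "$outdir" || return 1
    for db in $(list_databases "$cnf"); do
        if "$MYSQLDUMP" --defaults-extra-file="$cnf" --opt \
               --databases "$db" > "$outdir/$db.bak.tmp"; then
            mv "$outdir/$db.bak.tmp" "$outdir/$db.bak"   # replace only on success
        else
            rm -f "$outdir/$db.bak.tmp"; rc=1
        fi
    done
    return "$rc"
}

# Usage: ./dump.sh /path/to/client.cnf /path/to/outdir
if [ "$#" -eq 2 ]; then dump_all "$1" "$2"; fi
```

Unlike the original, this version omits `--force`, so a failed dump leaves the previous `.bak` in place and is reported through the exit status.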

Tarsnap

For some backup of already encrypted files I’m going to be giving Tarsnap a try. I’m just trying it with $5 to keep a copy of a couple GB of web files and sql dumps. So far the install was seamless on FreeBSD (it’s in ports and compiled quickly/easily). Running the software itself was also easy enough with one single, simple command. The pricing seems fair enough for smaller backups, and they use Amazon’s S3 storage cloud to store the data, so it’s at least somewhat reliable.

Tarsnap works with incremental, compressed, encrypted backups. I’m using it in combination with the mysqldump utility in order to create a dump of important mysql databases prior to the backup, and to be included in the backup.

http://www.tarsnap.com (The software itself is free as well).

<Update> After a couple hours of usage, I’ve noticed that even though I’ve tried it from multiple servers on 100mbit or gigE, I never see more than 20-30mbit of throughput. This isn’t necessarily a problem as it’s a backup utility, but I’d like to know what the bottleneck is.

<Update 5.3.12>  I’ve used tarsnap a couple times now and it seems to be working well, costing a couple dollars for the initial backup, and a few cents a day in storage fees. I’ve decided to stick with it for a while until I have larger backups, at which time I’ll figure out how to get something that can back up to Amazon S3 storage working (as of yet I’m having issues getting duplicity to work, I keep getting an error).