Backup on encrypted HDD

Hello,

For several years now I have been trying to fix my backup situation. It’s really critical, because for quite a while now I have done no backups, just to my system drive, and I know that’s really stupid.

So what I want is a backup to my external HDD, which I have recently encrypted with Veracrypt. When I try that via timeshift, it tells me that my HDD has no linux partition. When I do lsblk -f I see that there is my drive /dev/sda1/veracrypt1 which is formatted to ext4. When I tried to do the backup, I also decrypted the HDD.

I really hope you can help me since I don’t want to progress without a backup even further. It could give me a lot of trouble in the future.

Btw I have been searching the thread where I can look up how to post a topic with all that is needed.

Thank you in advance!

The steps to back up your data to an encrypted drive are roughly:

  1. attach the device
  2. open the encrypted container
  3. mount the container
  4. backup using the container mount point as target
  5. when done
  6. un-mount the device
  7. close the container
  8. detach the device
3 Likes

Following up on that, timeshift has no way to open the container all by itself. So in other words, you’ll have to do it all manually, or simply not use any encryption on a device used for storing backups.

1 Like

FWIW, I backup my encrypted partitions to encrypted external drives regularly.

Don’t know what veracrypt is. (Just searched for it. Was not impressed.)

I use standard Linux methods of creating the encrypted external drive (Gparted or KDE Partition Manager) to make a LUKS encrypted volume. (I also use ext4 format.)

When I plug it into the PC later, it asks for the encryption password and mounts the drive, just as it would any other external drive.

I seldom use timeshift for external backups because I’m not interested in external backups of the system. If I bork the system so badly that I can’t fix it myself, (and I have) I’ve found a reinstall is faster and easier.

I simply use rsync (actually grsync) to back up my data. The advantage of that comes in both the simplicity of doing the backup (settings can be saved to a file for repeat) and that any restoration can be done from within the file manager (Dolphin, Files, Thunar, etc.) without using special “backup” software to learn.

3 Likes

A humble reaction…

:heart_with_arrow:

I learned a while ago on this forum from one of the moderators about using Borg.
For easier management I use Vorta.

For my use case, Vorta feels a bit simpler to work with than grsync, although grsync clearly offers a lot of flexibility.

Please correct me if I’m wrong, but my understanding is that Borg creates versioned snapshots (similar to Timeshift), while rsync typically creates a synchronized copy of the current state unless additional tooling is used.

In the end, it really depends on the user’s goal:
a synchronized backup, or a backup that allows going back in time.

1 Like

I use timeshift with rsync as the backend, and it creates versioned backups — the version is not a number but a timestamp.

1 Like

Just another possibility is using restic, which encrypts backups itself. Something like that:

pamac install restic
mount /dev/sdxy /mnt
mkdir /mnt/backup
restic -r /mnt/backup init
restic -r /mnt/backup backup /home

Done.

Of course, also consider implementing a 3-2-1 backup strategy.

2 Likes

It is possible to script the tedious tasks - including the opening of the device.
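
The open / mount / back up / un-mount / close sequence listed earlier in the thread, scripted as suggested in the post above. This is an added example, not code from any poster; it assumes a VeraCrypt-encrypted partition opened through cryptsetup's tcrypt mode, and `DEVICE`, `MAPPER`, `MOUNTPOINT`, `SOURCE` and the `data/` target directory are placeholders chosen here.

```bash
#!/usr/bin/env bash
# Added example: open, mount, back up, unmount, close, with teardown on failure.
# DEVICE, MAPPER, MOUNTPOINT and SOURCE are placeholders chosen for this example.
DEVICE="${DEVICE:-/dev/sdX1}"
MAPPER="${MAPPER:-backup_crypt}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/backup}"
SOURCE="${SOURCE:-$HOME/}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

backup_to_encrypted() {
    rc=0
    # Open the container; cryptsetup prompts for the passphrase.
    # For a LUKS volume, drop "--type tcrypt --veracrypt".
    run cryptsetup open --type tcrypt --veracrypt "$DEVICE" "$MAPPER" || return 1

    if run mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"; then
        # Confirm the mount point really is a mounted filesystem, so the
        # backup can never land on the system drive by accident.
        if run mountpoint -q "$MOUNTPOINT"; then
            # Back up with the mount point as target; keep rsync's exit code.
            run rsync -a "$SOURCE" "$MOUNTPOINT/data/" || rc=$?
        else
            rc=1
        fi
        run umount "$MOUNTPOINT" || rc=$?
    else
        rc=1
    fi

    # Close the container on every path so it is not left unlocked.
    run cryptsetup close "$MAPPER" || rc=$?
    return "$rc"
}

# Prints the plan by default; run as root with DRY_RUN=0 to execute it.
backup_to_encrypted
```
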

I was in the same boat as you, I used to use backintime, great backup program but now it does not support local encryption.

My solution, which I will be including in the next ISO of DeLinuxCo is to use Duplicati.

Duplicati will encrypt your backup files into 50 MB chunks, no need to encrypt the HDD/SSD.

I have personally and professionally been using Duplicati for over 6 months and it works very well. It is completely free to use and gives you I believe 200 days of backups, anything longer you have to pay.

The current Linux version requires you to generate a secret key in your home .config directory; the next version, due out in a couple of weeks, will use libsecret automatically.

Currently Duplicati is in the AUR and it lacks some desktop integration, and so I have this non-signed package that I compiled if the AUR seems a bit complicated. https://repo.delinuxco.com/testing/x86_64/duplicati-bin-2.2.0.3-1-x86_64.pkg.tar.zst

DO NOT Set this up in production until you have tested everything.

  1. Install duplicati-bin 2.2.0.3
  2. start duplicati in order to generate the config directory
  3. close/quit duplicati from the systray
  4. open directory ~/.config/Duplicati
  5. create a file ~/.config/Duplicati/preload.json
  6. add this to the file:
{
  "env": {
    "*": { 
      "SETTINGS_ENCRYPTION_KEY": "add your key here"
    }
  }
}

Open your terminal and run this command to generate a key:

openssl rand -base64 14

This will generate a random key. Replace the text “add your key here” with the generated key, being sure to keep the quotes, and save the file.

Start Duplicati and it should ask you to “Change Passphrase”, do it and you are done.

You can now back up fully encrypted backups to your local drives, network shares or cloud such as S3, Digital Ocean Spaces, SSH, FTP etc.
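
The preload.json steps above, done in one pass so the key file is created owner-readable only and an existing key is never overwritten. This is an added example, not part of the post or of Duplicati; the 32-byte key length, the function names and the /dev/urandom fallback are choices made here, while the file path and JSON layout are the ones given in the post.

```bash
#!/usr/bin/env bash
# Added example: write Duplicati's preload.json with a random key, mode 0600.
# CONFIG_DIR follows the path given in the post; key length is this example's choice.
CONFIG_DIR="${CONFIG_DIR:-$HOME/.config/Duplicati}"

gen_key() {
    # 32 random bytes, base64-encoded: 44 characters, none needing JSON escaping.
    openssl rand -base64 32 2>/dev/null || head -c 32 /dev/urandom | base64
}

write_preload() {
    dir="$1"
    file="$dir/preload.json"
    # Never replace an existing key file.
    if [ -e "$file" ]; then
        echo "refusing to overwrite $file" >&2
        return 1
    fi
    key="$(gen_key)" || return 1
    [ -n "$key" ] || return 1
    # umask 077 in a subshell: the file is created 0600 from the start,
    # instead of being world-readable until a later chmod.
    (
        umask 077
        mkdir -p "$dir" &&
        printf '{\n  "env": {\n    "*": {\n      "SETTINGS_ENCRYPTION_KEY": "%s"\n    }\n  }\n}\n' \
            "$key" > "$file"
    )
}

# Only writes when asked to: ./script.sh --write
if [ "${1:-}" = "--write" ]; then
    write_preload "$CONFIG_DIR"
fi
```
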


@Aragorn Sorry, I was mistaken. It was a moderator from EOS, some time ago, I remember now.

Vorta (Borg) or Timeshift (rsync), both easy to use with kind of the same result… just whatever suits you most…

Though grsync is not Timeshift. With grsync one can make mistakes like toggling preserve owner, preserve permissions, etc. A user needs to know what all the settings do.

Timeshift and Vorta are more intuitive GUIs…

The main thing for this topic is of course: how to best encrypt a disk for creating a backup.

2 Likes