Using Veracrypt and Rsync for Backup Between Multiple Computers [2021-08-11]

Motivation

I thank Sun Knudsen's privacy guides for this post. This method of backup is not convenient, rather it offers a secure and privacy-friendly alternative to the usual means of file synchronization. There are three notable levels of precaution. First, we prefer physical external drives as a way to prevent unwanted access and tampering from third parties. Second, we will store files in an encrypted volume by way of Veracrypt. Third, we will hash the volume using the SHA-512 algorithm as a final measure against tampering.

For my use case, Rsync was the most appropriate tool that I found. I highly recommend checking out the algorithm below.

Rsync Algorithm

Required Tools

Create a Veracrypt Volume

  1. Format your usb drive in the appropriate file system. Since I will be going back and forth between Windows, MacOS, and Linux machines, I chose exFAT. Mount the drive to your computer. A tip if you are on MacOS, the easiest method would be to pass diskutil eraseDisk name-of-disk /dev/diskn in terminal where n is the number of your drive in diskutil list.
  2. In your terminal, launch veracrypt and pass in -t -c (-t for --text, -c for --create) to create a volume in the command line and the path to your drive. For example on Arch Linux, this is usually /run/media/$USER/name-of-drive. On MacOS, it is /Volumes/name-of-drive.
  3. If you are unsure on what to select, use my recommendation:
    1. veracrypt -t -c --volume-type=normal /path_to_drive --encryption=aes-twofish-serpent --hash=sha-512 --filesystem=FAT -p 1nseRt-str0nG-p7sswoRd --pim=0 -k "" --random-source=/dev/urandom

Backup Desired Files

The general process to backup files to the veracrypt volume using rsync is as follows.

  1. Before using rsync, it may be helpful to read the documentation as improper uses may result in deleting important files. Typically, as long as you are wary of using the --delete flag, you should be fine.
  2. Mount your veracrypt volume in terminal. veracrypt -t -m --pim=0 -k "" --protect-hidden=no /path_to_volume /path_to_mount. For Linux, it is okay to use the /mnt directory if this is the only device you need to mount during sync. For MacOS, it will typically be /Volumes/NO\ NAME unless you wish to rename it.
  3. Sync your desired data and repeat for unrelated folders/files as the archive option -a will sync recursively. rsync -axS /path_of_source /path_of_mount
    1. If you wish to exclude certain files or file types, insert the --exclude flag and pass in your param.
    2. If you wish to see progress, use -axSP.
    3. If you wish to see a verbose summary, use -axvS.
  4. When finished, dismount your veracrypt volume using veracrypt -d /path_to_mount or veracrypt -d for all volumes.
  5. You can generate a hash of the volume using openssl dgst -sha512 /path_to_volume

However, I have also written a Linux bash shell script to do this for me. Remember to enable this scripts execution permission using chmod +x /path_to_script

#! /bin/sh

set -e
set -o pipefail

veracrypt -t -m --pim=0 -k "" --protect-hidden=no /path_to_volume /path_to_mount

rsync -axSP --exclude="file_type_to_exclude" --exclude=/path_to_file /path_of_source1 /path_to_mount

rsync -axSP --exclude="file_type_to_exclude" --exclude=/path_to_file /path_of_source2 /path_to_mount

veracrypt -t -d /path_to_mount

openssl dgst -sha512 /path_to_volume

Check for tampering

Below is a script for checking the hash of your backup. 

#! /bin/sh

set -e
set -o pipefail

printf "Backup hash: "

read -r previous

current=$(openssl dgst -sha512 /path_to_volume)

current=${current:39}

printf "Current hash: %s\n" $current

if [ "$current" != "$previous" ]; then
  printf "%s\n" "Integrity check failed"
  exit 1
fi

if [ "$current" == "$previous" ]; then
  printf "%s\n" "Integrity check passed"
  exit 1
fi

Load from Backup

Note, we use the --delete option in the below rsync commands. Use precaution as this will delete files so your local machine will sync with your backup on your usb flash drive. When you are syncing folders, follow the syntax I have given below.

#! /bin/sh

set -e
set -o pipefail

veracrypt -t -m --pim=0 -k "" --protect-hidden=no /path_to_volume /path_to_mount

rsync -axSP --delete /path_to_mount/path_of_folder/ /path_of_folder

rsync -axSP --delete /path_to_mount/path_of_file /path_of_file

veracrypt -t -d /path_to_mount

printf "%s\n" "Done"

Ideas for proper synchronization

If you are familiar with collaborating through git, I would treat your usb flash drive as a remote repository and your backup as the master branch. However, with my current script, you MUST load from back up before you make any changes on your local machine as they will be deleted in order to match the backup. To change this, simply omit --delete from the load script.

If you have any suggestions, please email me.