this post was submitted on 13 Feb 2026
47 points (100.0% liked)

Selfhosted

56402 readers
913 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
47
Storing encryption keys for backup drives (lemmy.world)
submitted 2 days ago* (last edited 2 days ago) by janne_fran_innsbruck@lemmy.world to c/selfhosted@lemmy.world
16 comments fedilink hide all child comments
 

I'm planning to setup backup on my nas with the 3-2-1 backup rule.

For the backup disks I want full disk encryption, but I also want to be really sure that I don't lose the encryption keys if I lose my phone and computer where I have my password manager.

What is a good practice to store the encryption key(s)?

One thought I had was to have an unencrypted partition on the backup disks that stores an encrypted keepass database with the key.

Any tips or experiences are welcome.

PS. I want to avoid cloud-based options.

you are viewing a single comment's thread
view the rest of the comments
[–] lorentz@feddit.it 15 points 2 days ago (1 children)

A chain is as strong as its weakest link. If you store your encryption keys in plain text in an unencrypted partition you are not very resilient against an attack.

There is no general advise for security, you always have to frame it in a treat model. What do you use encryption to protect for?

If you want to be able to safely dispose the drives without having to wipe them, storing the keys in a different drive (not partition) could be good. If you want to protect your data against physical thief, storing the decryption keys in plain text in the same server doesn't make sense.

If you want to protect by a state sponsored actor, keep in mind https://xkcd.com/538/

Something you have to consider is how likely your drives and your encryption keys can be stolen together. How quickly you can realize that only one of them got stolen, and how quickly you can protect the other one to keep you data safe.

A simple approach could be: print them down and put them in a safe box, maybe at a trusted relative or friend's home. But again, it boils down to what do you want to protect most, because there is no definitive answer to your question

[–] lorentz@feddit.it 5 points 2 days ago

Also, keep in mind that really good passwords can be easy to remember or recover. Pick your favourite book at home, get the last word of the first 10 chapters and put all of them together. You get a password that is impossible to bruteforce, literally written in your home but impossible to guess for anyone else but you. Of course it won't be easy to type. But is still a good main password for a password manager which stores all the others.