this post was submitted on 13 Feb 2026
47 points (100.0% liked)

Selfhosted

56402 readers
903 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
47
Storing encryption keys for backup drives (lemmy.world)
submitted 2 days ago* (last edited 2 days ago) by janne_fran_innsbruck@lemmy.world to c/selfhosted@lemmy.world
16 comments fedilink hide all child comments
 

I'm planning to setup backup on my nas with the 3-2-1 backup rule.

For the backup disks I want full disk encryption, but I also want to be really sure that I don't lose the encryption keys if I lose my phone and computer where I have my password manager.

What is a good practice to store the encryption key(s)?

One thought I had was to have an unencrypted partition on the backup disks that stores an encrypted keepass database with the key.

Any tips or experiences are welcome.

PS. I want to avoid cloud-based options.

you are viewing a single comment's thread
view the rest of the comments
[–] irmadlad@lemmy.world 4 points 2 days ago (1 children)

For the backup disks I want full disk encryption

I encrypt everything.

I have a repository set up with all my keys for all my encrypted drives. The keys get rar'd with a strong, known, 50 character password, and the filenames encrypted so no one can just open the rar file and gaze at the keys.

  • drive_xxxxx1_2_14_26.rar
  • drive_xxxxx2_2_14_26.rar
  • drive_xxxxx3_2_14_26.rar

These get backed up in a 3,2,1 schema, and also to thumb drives stored in secure places. I also rotate the passwords on a regular basis, so the process starts all over again.

  • Check keys: sudo cryptsetup luksDump /dev/sdX
  • Add new key: sudo cryptsetup luksAddKey /dev/sdX
  • Delete old key: sudo cryptsetup luksRemoveKey /dev/sdX
  • Verify keys: sudo cryptsetup luksDump /dev/sdX

The headers are not secret. Anyone with physical, read access to the device can run luksDump. It reveals algorithm, key derivation parameters, number of keys, but not the passphrase or master key.

As far as 'best practice', that will be determined by subsequent replies to your post. LOL That's just how I do it.

[–] ki9@lemmy.gf4.pw 3 points 1 day ago (1 children)

You can dettach your headers with --header.

I've started putting the header and key on my boot partition on a USB key. Without the usb, the hard drives appear to be filled only with random data (plausible deniability). After booting, the USB can be removed to prepare for a panic shutdown.

[–] irmadlad@lemmy.world 1 points 1 day ago

You can dettach your headers with --header.

I did not know this. That would seem, abiding by your system, to be more secure. I will have to investigate.

Thanks for sharing.