s83/privacy-guides
1
0
Fork 0
mirror of https://github.com/sunknudsen/privacy-guides.git synced 2025-02-23 17:43:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
privacy-guides/how-to-backup-and-encrypt-data-privately-and-securely-using-rsync-and-veracrypt-on-macos
History

README.md

How to backup and encrypt data privately and securely using rsync and VeraCrypt on macOS

How to backup and encrypt data privately and securely using rsync and VeraCrypt on macOS - YouTube

Requirements

  • Computer running macOS Mojave or Catalina

Caveats

  • When copy/pasting commands that start with $, strip out $ as this character is not part of the command
  • When copy/pasting commands that start with cat << "EOF", select all lines at once (from cat << "EOF" to EOF inclusively) as they are part of the same (single) command

Setup guide

Step 1: download and install FUSE

Go to https://osxfuse.github.io/, download and install latest release.

Step 2: install GnuPG

Follow steps from How to encrypt, sign and decrypt messages using PGP on macOS (adding privacy to email) guide.

Step 3: import VeraCrypts public key

$ gpg --keyserver hkps://keys.openpgp.org --recv-keys 0x821ACD02680D16DE
gpg: key 0x821ACD02680D16DE: public key "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Step 4: download VeraCrypt

Go to https://www.veracrypt.fr/en/Downloads.html and download latest release and its associated PGP signature to ~/Downloads folder.

Step 5: verify VeraCrypt release signature using GnuPG

Replace VeraCrypt_1.24-Update7 with current release.

$ gpg --verify ~/Downloads/VeraCrypt_1.24-Update7.dmg.sig
gpg: assuming signed data in '/Users/sunknudsen/Downloads/VeraCrypt_1.24-Update7.dmg'
gpg: Signature made Sat  8 Aug 14:20:27 2020 EDT
gpg:                using RSA key 5069A233D55A0EEB174A5FC3821ACD02680D16DE
gpg: Good signature from "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5069 A233 D55A 0EEB 174A  5FC3 821A CD02 680D 16DE

Good signature

👍

Step 6: install VeraCrypt

Step 7: create and test VeraCrypt symlink

$ ln -s /Applications/VeraCrypt.app/Contents/MacOS/VeraCrypt /usr/local/bin/veracrypt

$ veracrypt --text --version
VeraCrypt 1.24-Update7

VeraCrypt 1.24-Update7

👍

Step 8: set temporary environment variable

Heads up: using .b as encrypted volume path to make things inconspicuous (files that start with . are hidden on macOS, use cmd+shift+. to display them).

BACKUP_VOLUME_PATH path to VeraCrypt volume

BACKUP_VOLUME_PATH="/Volumes/Samsung BAR/.b"

Step 9: create encrypted volume

Heads up: volume size cannot be increased later.

Heads up: Mac OS Extended filesystem required on macOS.

$ veracrypt --text --create "$BACKUP_VOLUME_PATH"
Volume type:
 1) Normal
 2) Hidden
Select [1]:

Enter volume size (sizeK/size[M]/sizeG): 1G

Encryption Algorithm:
 1) AES
 2) Serpent
 3) Twofish
 4) Camellia
 5) Kuznyechik
 6) AES(Twofish)
 7) AES(Twofish(Serpent))
 8) Camellia(Kuznyechik)
 9) Camellia(Serpent)
 10) Kuznyechik(AES)
 11) Kuznyechik(Serpent(Camellia))
 12) Kuznyechik(Twofish)
 13) Serpent(AES)
 14) Serpent(Twofish(AES))
 15) Twofish(Serpent)
Select [1]:

Hash algorithm:
 1) SHA-512
 2) Whirlpool
 3) SHA-256
 4) Streebog
Select [1]:

Filesystem:
 1) None
 2) FAT
 3) Mac OS Extended
 4) exFAT
 5) APFS
Select [3]:

Enter password:
Re-enter password:

Enter PIM:

Enter keyfile path [none]:

Please type at least 320 randomly chosen characters and then press Enter:


Done: 100.000%  Speed: 245 MiB/s  Left: 0 s

The VeraCrypt volume has been successfully created.

Step 10 (optional): mount, rename and dismount encrypted volume

By default, VeraCrypt encrypted volumes are named "untitled".

Mount encrypted volume

$ veracrypt --text --mount --pim 0 --keyfiles "" --protect-hidden no "$BACKUP_VOLUME_PATH" /Volumes/Backup
Enter password for /Volumes/SAMSUNG BAR/.b:

Rename encrypted volume

$ diskutil rename "untitled" "Backup"
Volume on disk3 renamed to Backup

Dismount encrypted volume

veracrypt --text --dismount "$BACKUP_VOLUME_PATH"

Step 11: create backup script

cat << EOF > /usr/local/sbin/backup.sh
#! /bin/sh

set -e

if [ "\$(id -u)" != "0" ]; then
  echo "This script must run as root"
  exit 1
fi

red=$'\e[1;31m'
end=$'\e[0m'

veracrypt --text --mount --pim 0 --keyfiles "" --protect-hidden no "$BACKUP_VOLUME_PATH" /Volumes/Backup

declare -a files=(
  "/Users/$(whoami)/.gnupg"
  "/Users/$(whoami)/.ssh"
  "/Users/$(whoami)/Library/Keychains"
)

for file in "\${files[@]}"; do
  rsync -axRS --delete "\$file" /Volumes/Backup
done

printf "\${red}Inspect backup and press enter\${end}"

read -r answer

veracrypt --text --dismount "$BACKUP_VOLUME_PATH"

echo "Done"
EOF
chmod +x /usr/local/sbin/backup.sh

Step 12: edit backup script

vi /usr/local/sbin/backup.sh

Press i to enter insert mode, edit backup script, press esc to exit insert mode and press shift+z+z to save and exit.

Usage guide

$ sudo backup.sh
Password:
Enter password for /Volumes/Samsung BAR/.b:
Inspect backup and press enter
Done

Done

👍