Encrypted backups using tar and age
I've been looking for a portable and user-friendly program to encrypt my backups for a while and I've finally found it. What I want is to keep it on my external storage alongside my backups, so that I can recover with nothing more than that storage, a live USB and a passphrase.
age has very few dependencies and they are installed by default on
most GNU/Linux distributions. Nevertheless, I've had linking errors from
using the Arch binary on Debian so it's better to keep a static build
of the program.
    # age as it comes out of the box
    $ ldd /usr/bin/age
        linux-vdso.so.1 (0x0000622682f3c000)
        libpthread.so.0 => /usr/lib/libpthread.so.0 (0x0000622682b6d000)
        libc.so.6 => /usr/lib/libc.so.6 (0x00006226829a1000)
        /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x0000622682f3e000)
Now to build it statically:
    git clone https://github.com/FiloSottile/age
    cd age
    go build -tags osusergo,netgo -o . ./cmd/...
And the result:
    $ ldd ./age
        not a dynamic executable
Create a secure passphrase with the diceware method or something with
similar complexity. Alternatively, you can make age create the
passphrase by leaving it empty when prompted.

    tar cvz ./data.d | age -p > backup.tar.gz.age
I usually boot my laptop from a live USB and run the following commands to back up my whole system overnight:

    sudo su
    cd /mnt
    mkdir ssd
    mkdir hdd
    mount /dev/sda1 /mnt/ssd
    mount /dev/sdb1 /mnt/hdd
    tar cvz ./ssd | /mnt/hdd/age -p > \
        /mnt/hdd/backup.tar.gz.age && sync && poweroff
Decryption is, likewise, easy.
    age -d backup.tar.gz.age > backup.tar.gz
    # or to extract the archive directly
    age -d backup.tar.gz.age | tar xvz
age will prompt you for the passphrase before decryption.
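
Two checks worth running before relying on a backup made this way, as an added example that is not part of the original post. The function names and the sample file are hypothetical; the header check relies on the age v1 file format, where a passphrase-encrypted file starts with an `age-encryption.org/v1` line followed by an `-> scrypt` stanza.

```shell
#!/bin/sh
# Added example: sanity checks for a passphrase-encrypted age backup.
# Function names and sample data are hypothetical, not from the post.

# check_age_header FILE
# Passes only if FILE is non-empty, starts with the age v1 header and its
# first stanza is scrypt (what `age -p` writes). This catches an empty or
# unencrypted output file; it does not prove the payload is intact.
# ASCII-armored files (age -a) are not handled; the post does not use them.
check_age_header() {
    file=$1
    if [ ! -s "$file" ]; then
        echo "$file: missing or empty" >&2
        return 1
    fi
    # Only the first bytes are needed; strip NULs in case the file is binary.
    head=$(LC_ALL=C head -c 256 "$file" | LC_ALL=C tr -d '\000')
    line1=$(printf '%s\n' "$head" | LC_ALL=C sed -n '1p')
    line2=$(printf '%s\n' "$head" | LC_ALL=C sed -n '2p')
    if [ "$line1" != "age-encryption.org/v1" ]; then
        echo "$file: not an age v1 file" >&2
        return 1
    fi
    case $line2 in
        "-> scrypt "*) return 0 ;;
        *) echo "$file: not passphrase-encrypted" >&2; return 1 ;;
    esac
}

# verify_restore AGE_BIN FILE
# Full check: decrypt (age prompts for the passphrase) and make tar read
# the whole archive. The exit status is tar's, which fails on empty or
# truncated input. Needs the age binary, so it is not run in the demo.
verify_restore() {
    "$1" -d "$2" | tar tz > /dev/null
}

# Demo on a constructed file that only imitates the header layout.
demo=$(mktemp)
printf 'age-encryption.org/v1\n-> scrypt AAAAAAAAAAAAAAAAAAAAAA 18\nBODY\n--- MAC\nx' > "$demo"
check_age_header "$demo" && echo "header looks like age -p output"
rm -f "$demo"
```

On the backup drive from the post, `verify_restore /mnt/hdd/age /mnt/hdd/backup.tar.gz.age` is the check that actually exercises the passphrase and the whole archive.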