Encrypted backups using tar and age

Introduction

I've been looking for a portable and user-friendly program to encrypt my backups for a while, and I've finally found it. What I want is to have it on my external storage alongside my backups so that I can recover with only said storage, a live USB and a passphrase.

Portability

age has very few dependencies, and they are installed by default on most GNU/Linux distributions. Nevertheless, I've had linking errors from using the Arch binary on Debian, so it's better to keep a static build of the program.

# age as it comes out of the box
$ ldd /usr/bin/age
linux-vdso.so.1 (0x0000622682f3c000)
libpthread.so.0 => /usr/lib/libpthread.so.0 (0x0000622682b6d000)
libc.so.6 => /usr/lib/libc.so.6 (0x00006226829a1000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x0000622682f3e000)

Now to build it statically:

git clone https://github.com/FiloSottile/age
cd age
go build -tags osusergo,netgo -o . ./cmd/...

And the result:

$ ldd ./age
not a dynamic executable

Encryption

Create a secure passphrase with the diceware method or something with similar complexity. Alternatively, you can make age create the passphrase by leaving it empty when prompted.

tar cvz ./data.d | age -p > backup.tar.gz.age

I usually boot my laptop from a live USB and run the following commands to back up my whole system overnight:

sudo su
cd /mnt
mkdir ssd
mkdir hdd
mount /dev/sda1 /mnt/ssd
mount /dev/sdb1 /mnt/hdd
tar cvz ./ssd | /mnt/hdd/age -p > \
/mnt/hdd/backup.tar.gz.age && sync && poweroff
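
The pipeline above reports only age's exit status, so the machine powers off even if tar failed partway through. As an added example (not from the original post), the functions below record tar's status separately and check that the output begins with a passphrase-mode age header; the function names, the AGE variable and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the AGE variable
# and the demo file contents are assumptions / constructed values.
AGE=${AGE:-age}                      # e.g. AGE=/mnt/hdd/age

# Succeed only if FILE begins with a passphrase-mode (scrypt) age v1 header.
age_header_ok() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | LC_ALL=C grep -qxF 'age-encryption.org/v1' || return 1
    head -n 2 "$1" | LC_ALL=C grep -q '^-> scrypt ' || return 1
    head -n 8 "$1" | LC_ALL=C grep -q '^--- ' || return 1   # header MAC line
}

# tar SRC and encrypt it to OUT; fail if tar fails, age fails, or OUT is bad.
encrypted_backup() {
    src=$1; out=$2
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 2; }
    st=$(mktemp) || return 1
    # `tar | age` alone reports only age's exit status, so a tar read error
    # would still look like success; record tar's status in a temp file.
    { tar cz "$src"; echo $? > "$st"; } | "$AGE" -p > "$out"
    age_rc=$?
    tar_rc=$(cat "$st"); rm -f "$st"
    [ "$age_rc" -eq 0 ] && [ "${tar_rc:-1}" -eq 0 ] && age_header_ok "$out"
}

# Constructed sample files so the header check can be tried without age.
demo() {
    d=$(mktemp -d) || return 1
    printf 'age-encryption.org/v1\n-> scrypt Y29uc3RydWN0ZWRzYWx0 18\nQk9EWQ\n--- TUFD\npayload' > "$d/good.age"
    : > "$d/empty.age"
    age_header_ok "$d/good.age"  && echo "good.age: header ok"
    age_header_ok "$d/empty.age" || echo "empty.age: rejected"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

The header check only catches an empty or clobbered file. A full check is to run age -d backup.tar.gz.age | tar tz > /dev/null, which reports an error if the payload is truncated or corrupt.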

Decryption

Decryption is, likewise, easy.

age -d backup.tar.gz.age > backup.tar.gz
# or to extract the archive directly
age -d backup.tar.gz.age | tar xvz

age will prompt you for the passphrase before decryption.