How to back up and encrypt data using rsync and VeraCrypt on macOS (see change log)

Video Statistics and Information

Captions
Hey guys, I'm Sun. I'm a privacy and a security researcher and you're watching the privacy guides. Today's episode is about backups. Now, throughout this series I've talked about how to set up PGP, I've talked about using SSH to connect to servers, I talked about being sovereign and using password managers that only sync locally. Well, all those things are really good for privacy, but, I mean, no one's holding our hands. If we lose our data we're essentially so backups are really critical.

Now I want to talk about what good backups are. If the information is on your computer and on an external hard drive at home, and you're sipping a pina colada at the country house and your house catches fire, well, that's not actually a good backup. A good backup is when the information is not vulnerable to a whole bunch of situations, such as the house catches fire, your house gets robbed, you're traveling with both your computer and your external hard drive and then both of those devices get lost. Well, a good backup is when the information is pretty much bulletproof, and one of the best ways of doing that, in my opinion, besides the cloud (more on good ways of doing cloud backups in the future), but for today, the way I really, really prefer things is by backing up the most important files we have on a little USB thumb drive or on a little memory card.

Now, doing that is amazing because this can be popped on our keychain, and usually we have our keys wherever we are. So if at home we have an external hard drive that's configured using Time Machine, and we have our computer and our keys and we're outside of the house, well, that's cool, because if both our keys and the computer get stolen, we have that external hard drive with Time Machine at home. Now, if we're out having drinks and our house catches fire and we lose both the external hard drive and the Mac, well, we still have our keys, and by keys I'm talking about the actual keys to unlock our homes but also our PGP private keys, our SSH private keys, our passwords,
our 2FA tokens, all of this stuff that is so very critical. Now, the problem with having this stuff on a little device that we have with us at all times is, if we lose that device, we don't want to lose our mental health worrying about who's going to have access to all our stuff. So it's not about putting things on the USB key, it's about putting them in a way where we're using military standard encryption to make sure that if we lose the key, well, we don't really give a because all of this stuff is encrypted, uh, very, very well.

Now, the other question is: how can we make sure that the stuff we have on the computer is actually on this? How can we make sure that changes that happen on the computer are synchronized on this? I know people who do backups by manually moving files over from one place to another. That is prone to human error and I really don't like that. It kind of freaks me out. I'm always worried about, like, oh, did I move that file?

So in today's episode we're going to be setting up a little backup strategy for those very sensitive files using two pieces of open source software. One is VeraCrypt. VeraCrypt will allow us to create encrypted volumes which will look like a USB thumb drive, but the data on them will actually be encrypted. VeraCrypt also has features such as hidden volumes to add plausible deniability; that will be the subject of a future episode. The other piece of open source software we're going to use today is called rsync. rsync is a command line utility that synchronizes a source and a destination to make them identical, so if a file is deleted on the computer it will also be deleted on the backup. So that is a really good way of creating backups that are identical, but it's not really good if a file is deleted from the computer by error. That will be the subject of a future episode, when we're going to be implementing backups with versioning. So today, today's episode is for files that you're never going to delete, such as, again, your PGP keys and your password
manager's backups and stuff like this. So without further ado, let's, let's jump in.

Um, first things first, we want to make sure that we go about installing FUSE. So if we go in, uh, if we go on the FUSE's website and we click on FUSE for Mac, we want to start by downloading that file and then opening up the DMG archive. All right, and then we just want to double click on FUSE. Sorry about that, allergy season. Um, okay, so we can go about, uh, you know, going through the wizard. Um, we don't need to enable FUSE for macOS preference pane, uh, we just want that core components thing, so we can go about and do this. As you guys know by now, my password on this demo computer is super shitty; yours should be more elaborate. Boom, so that's done.

Now the next thing we want to do is we want to make sure that we have, uh, PGP installed. So if I go here and I tap, type pgp help, uh, we'll see, sorry about that, gpg help, we'll see that it is installed. But if it isn't installed on your computer, uh, you can follow steps one, two, three from the episode on how to encrypt, sign and decrypt messages using PGP. Uh, so I'll suppose that you guys have done that in the past. The next thing we want to do is import, uh, VeraCrypt's public key. So that's been done, and now we want to go about downloading VeraCrypt. So if we go on their website here, we want to download the DMG and the PGP signature (more on this in a second). So we download this and then we download the PGP signature.

So I'll be creating the episode in the future about PGP signatures, but essentially that allows a developer that, you know, develops an app that is sensitive, such as VeraCrypt, to sign releases and to have us confirm that the actual author, uh, released that DMG. That means if someone wants to attempt a man-in-the-middle attack and has access to their server and puts their, like, a file, like, you know, exactly identical, well, they won't be able to sign it, so they won't be able to push a file that has been compromised to us. So once this has been done, the next step is we
want to confirm if the signature is good, and as we can see here, it is good, it's a good signature. Now, the other thing that you guys need to keep in mind is which key was used, but as we did here, we imported the key and it's that key that was used to confirm the signature, so we're good.

The next step is we want to install VeraCrypt, so we just want to go here and open the VeraCrypt DMG. Once this is done, we'll go through the steps. It's very similar to FUSE, so we want to double click on the installer and then we go through the wizard. Now again, sorry for the shitty password, demo computer. Okay, good, so that's done as well. The next thing is we want to create a symlink to be able to access VeraCrypt using command line, and double check that that is actually working. So this is good, uh, now VeraCrypt is accessible via command line.

Next step is, uh, we're going to be, uh, creating a temporary environment variable. So, um, I scripted things a bit to make your life easier. So the first thing we want to do is pop in a USB stick into the computer. Oh, I'm missing USB ports here. Okay, let me see, I'll pop it in here, hopefully that will work. I hadn't planned for this. Um, so once this is done, um, if we pop open the Finder, I can see that I have a Samsung BAR, uh, you know, volume here, so that's what I'm going to be using. Now, I am going to be creating the VeraCrypt encrypted volume in a way that is a little more stealth. It's going to be called dot b. So I'm doing this because I want to have a very inconspicuous file on the USB thumb drive. If someone finds it, I don't want it to be called backup or, like, very important files. I want it to kind of look like nothing important is on it, so they just trash it. Okay, so let's clear this here, and I'm going to set backup volume path to the Samsung BAR and a file called dot b.

Uh, now it's time to create the encrypted VeraCrypt volume. So by running this here, it's going to ask us about the volume type. I mentioned before there's a way of creating volumes that have plausible
deniability; that's going to be in a future episode, but that would be the hidden option here, so we'll go for one. Now, volume size is important. The way VeraCrypt works, it creates an encrypted volume of a fixed size. There is no way, to my knowing anyways, to increase that size in the future, so you want to make sure that you leave yourself enough room, but you don't want to make it overly big, because the bigger it is, the more space it takes on the USB thumb drive, and it can potentially slow things down when you're mounting and dismounting it as well. So for the purpose of today's episode, I'm going to set it to one gigabyte.

Now, there's a whole bunch of encryption algorithms. AES, which is the default, is actually what the US government uses, but it's also possible to use a whole bunch of different ciphers and also combine them. But I did a little bit of research and I don't think there's huge gains by using multiple, but if you're really, really, uh, worried about things, option seven might be good. But for today's episode I'll just set it up with one, and I'll use, uh, SHA-512 hash algorithm.

Now for the file system, that is actually an important decision here. If you guys use FAT, that backup will actually be cross-platform, so you could access it on a computer that's running Windows or Linux, as FAT is very generic and supported by most operating systems. That being said, FAT has a limit to the styles, to the size of files, I think it's four gigabytes, and it also has a whole bunch of issues, uh, in the context of macOS, so if you want to back up files with specific privileges, things kind of get quirky. So for the purpose of today's episode I'm just going to set it up using Mac OS Extended.

And now it's time to create a password. Uh, as always, I recommend a passphrase of about six words, some of which do not exist in the dictionary. That will create enough entropy to make that very random, and it won't be vulnerable to brute force attacks, dictionary attacks and stuff like this. But for the purpose of today's
episode, as I need to type this twice very fast, I'll just put a really, really shitty password, and as you can see here, it actually won't encourage that, so it's going to tell me it's shitty, but okay, I'm, yeah, I'm aware, shitty password, sorry about that. There are more advanced ways of securing those, uh, volumes even more, uh, but for today's episode we're just gonna skip this.

And now it's time to type a whole bunch of gibberish on the keyboard. So what we're doing here is we're generating some randomness that is going to be used by the encryption algorithm to make sure that it's unique, that it has enough entropy to make it safe. So, uh, not sure if I... oh yeah, good, perfect. Uh, so what's happening now is it's actually creating the volume. Since it's creating it on my USB thumb drive, and that thumb drive is not incredibly fast, it will take a little bit of time. So that's also one of the reasons why I didn't want to do this, you know, for like a 4 or 16 gigs volume; that would have taken even more time. So right now it's writing it. By the way, since my computer is out of ports, this is plugged into a hub on my monitor, so this will be a little slow, sorry about that. Maybe I'll fast forward this in post-production.

All right, so the volume has been successfully created. Now, by default, the way volumes are created, uh, on VeraCrypt, well, volumes that use Mac OS Extended (is that what it was called? geez, yeah, Mac OS Extended), they're always named, uh, untitled, so that makes things a little strange. If it was FAT, it would be called no name, if my memory is good. So this here is an option, optional step to just rename it to backup. Uh, now we want to start by running this, typing in our password (yours should be much more secure than mine), and this little step here, uh, we'll go about renaming it, uh, renaming it, and then we're gonna dismount the volume. Good.

Okay, now it's time to create the backup script. Now some of you will probably, uh, say, Sun, this is super complicated, I want to use a fat client or essentially an app to
select what I want to back up and things like this. True, but, um, command line is super powerful, and once this is configured you just have to pop open a terminal and run one command, so bear with me. Also, the whole point of the privacy guides is to encourage people to really develop their technology literacy and stuff like this, so yeah. And also, I don't know if you guys watch Mr. Robot, but doing stuff in the command line is like way more badass.

So anyways, um, okay, so this little command here is used to create that backup script. Whoops, let's grow this again. Okay, now that this has been done, we need to edit it, and that's where things get really, really nerdy here. So we're using vim. Vim is a text editor to edit that file using command line. So the first thing here we want to do is use our cursor to go to a specific location, and then we want to press i on the keyboard to switch to insert mode, and then we'll press enter, space, space, and then we're going to create a little placeholder here for a file. Now if we pop open Finder and we go into Documents, I have an important folder that I want to add. Now you guys, by the way, might not have GnuPG or SSH configured on your computer, so you can also remove those. I'll show you guys how to do that in a second. But for this, once the cursor is between those two little quotes, we can just drag it here, drop it, and then it's gonna automatically put the full path, and we want to remove those single quotes, I'm not sure why they're there. And once this is done, we could repeat this for as many folders as you guys need, or files by the way, and, and then we want to press escape to exit insert mode.

And say you guys don't have, uh, SSH set up on your computer, okay, well, you would type on, like, right now we're not in insert mode (i is insert mode, escape gets out of insert mode), and then when you're on a specific line, if you press on the keyboard dd, it's going to delete that line. So we just remove that path from our backups, and then I'll press escape, and then, well,
actually I need to press escape, and then I'll press Shift on the keyboard and then zzz to save and exit. By the way, quick little anecdote: when I started doing computer stuff, I needed to send emails for a client and it took me 36 hours to figure out how to use vi to change port 25 to 25 25 on a virtual dedicated server, who, actually, it might have been even a dedicated server back then, but yeah. So this stuff is a little uncomfortable at first, but it's super powerful once we start, you know, being more agile.

Uh, last but not least is how we run those backups. So we pop in the USB stick or the SD card once this stuff is configured, and we, and then we just want to run sudo backup dot. That will ask us for the computer password and then for our encrypted volume password, and then the magic happens. That's where rsync kicks in and it will synchronize, synchronize files. So I coded this little script in a way where it asks us to inspect the backup, and that's super important, because sometimes when you have encryption stuff it can fail silently, and then, you know, you can lose access to the backup.

So if I pop open the Finder, you see, as I mentioned earlier, the encrypted volume will look essentially the same as a USB stick. It's called backup. Now I can go in here and use on the keyboard the keys Command Shift dot to show, uh, you know, hidden files, and then if I go here, we can see that the GnuPG, you know, file, or folder I should have said, is there. We also have this very important folder, and in Library we have all of the keychain data. Keychain is the password manager that ships with macOS. Um, yeah, so if we go back to our terminal here and press enter, it will eject or dismount the encrypted volume, and we're done. So now we can go about ejecting our USB stick the way we would always do it, and voila, we now have on this little USB stick a military grade encrypted, uh, volume or backup of those very sensitive files. And this is waterproof, it fits on a keychain, uh, yeah, and that's pretty badass. Uh, so
okay, quick little note here. I'm bouncing ideas with myself on how I could monetize the privacy guides. I'm not trying to make money, uh, in a nasty way, I'm just trying to find a way of being able to, like, sustain myself to be able to spend more time doing this research. So I'm playing around with Amazon affiliate links, so I'll link to this, uh, and the little SanDisk card in the description. Those are going to be affiliate links; when you click on them, it can potentially give me a commission. Uh, if you're uncomfortable with this, let me know in the comments. I don't think this actually invades your privacy, as you guys are probably already using Amazon if you're going to be clicking on those links, so let me know. And by the way, I will never, ever, ever, ever recommend products that I don't use myself, that I don't really value. So this is not becoming a commercial enterprise. I am not going to start doing NordVPN promotion on my channel. I'm not gonna recommend products... actually, you know what, if you know how to buy this at a local store, well amazon and buy it locally, because that's way better for the planet. So anyways, that's all I have for you today. Thanks for watching, thanks for caring about privacy, and I'll see you soon. Bye.
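
The captions describe a script that asks for the volume password and then lets rsync mirror files onto the encrypted volume. The following is an added example, not the script from the video; the function names and paths are assumptions. It shows one guard for that flow: refuse to sync unless the destination really is a mounted volume (so a failed mount cannot leave plaintext copies on the stick), and preview what `--delete` would do before anything is written.

```shell
#!/bin/sh
# Added example, not the script from the video. All paths are assumptions.

# Device number of a path. GNU stat is tried first, then the macOS/BSD form.
dev_of() {
  stat -c %d "$1" 2>/dev/null || stat -f %d "$1" 2>/dev/null
}

# True only when $1 is a directory on a different device than its parent,
# which is what a mounted volume looks like. Fails closed on any error.
is_mount_point() {
  [ -d "$1" ] || return 1
  here=$(dev_of "$1") || return 1
  parent=$(dev_of "$1/..") || return 1
  [ -n "$here" ] && [ "$here" != "$parent" ]
}

# Mirror the given sources into the mounted volume.
# usage: safe_mirror DEST SOURCE...
safe_mirror() {
  dest=$1
  shift
  if ! is_mount_point "$dest"; then
    echo "refusing to sync: $dest is not a mounted volume" >&2
    return 2
  fi
  # Preview first: --delete removes from the backup whatever is gone from
  # the source, so list the changes before anything is written.
  rsync --archive --delete --dry-run --itemize-changes "$@" "$dest/" || return 3
  printf 'Apply these changes to %s? [y/N] ' "$dest"
  read -r answer
  [ "$answer" = "y" ] || return 4
  rsync --archive --delete "$@" "$dest/"
}

# Constructed demo: a plain directory stands in for a mount point whose
# volume failed to mount, so the call must refuse and copy nothing.
demo_refusal() {
  fake_dest=$(mktemp -d)
  src=$(mktemp -d)
  echo "secret" > "$src/key.asc"
  status=0
  safe_mirror "$fake_dest" "$src/" 2>/dev/null || status=$?
  leaked=$(ls -A "$fake_dest" | wc -l | tr -d ' ')
  rm -rf "$fake_dest" "$src"
  echo "$status $leaked"
}

# Real use (hypothetical paths): safe_mirror /Volumes/backup "$HOME/.gnupg"
```

`demo_refusal` prints the exit status of the refused call and the number of files that reached the destination.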
Info
Channel: Sun Knudsen
Views: 10,917
Keywords: Privacy, Security, Backups, VeraCrypt, rsync, macOS
Id: 1cz_ViFB6eE
Length: 20min 39sec (1239 seconds)
Published: Fri Aug 28 2020