Even seasoned system administrators can overlook Linux workstation backups or do them in a haphazard, unsafe manner. At a minimum, you should set up encrypted workstation backups to external storage. But it’s also nice to use zero-knowledge backup tools for off-site/cloud backups for more peace of mind.
Let’s explore each of these methods in more depth. You can also download the entire set of recommendations as a handy guide and checklist.
Full encrypted backups to external storage
It is handy to have an external hard drive where you can dump full backups without having to worry about such things as bandwidth and upstream speeds (in this day and age, most providers still offer dramatically asymmetric upload/download speeds). Needless to say, this hard drive needs to be encrypted itself (again, via LUKS), or you should use a backup tool that creates encrypted backups, such as duplicity or its GUI companion, deja-dup. I recommend using the latter with a good randomly generated passphrase, stored in a safe offline place. If you travel with your laptop, leave this drive at home to have something to come back to in case your laptop is lost or stolen.
In addition to your home directory, you should also back up /etc and /var/log for various forensic purposes. Above all, avoid copying your home directory onto any unencrypted storage, even as a quick way to move your files around between systems, as you will most certainly forget to erase it once you’re done, exposing potentially private or otherwise security-sensitive data to snooping hands — especially if you keep that storage media in the same bag with your laptop or in your office desk drawer.
Selective zero-knowledge backups off-site
Off-site backups are also extremely important and can go either to your employer, if they offer space for it, or to a cloud provider. You can set up a separate duplicity/deja-dup profile that includes only the most important files, so that you avoid transferring huge amounts of data that you don’t really care to back up off-site (internet cache, music, downloads, etc.).
Alternatively, you can use a zero-knowledge backup tool, such as SpiderOak, which offers an excellent Linux GUI tool and has additional useful features such as synchronizing content between multiple systems and platforms.
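The two profiles described in the sections above (a full backup to an external drive and a selective off-site one), as an added shell example that is not from the original article. The function names, mount point, target URLs and the off-site exclusion list are assumptions, and it uses duplicity's classic `duplicity [options] source target` invocation.

```shell
#!/bin/sh
# Added example, not from the original article. Mount point, target URLs and
# the off-site exclusion list are constructed placeholders.

DUPLICITY=${DUPLICITY:-duplicity}   # set DUPLICITY=echo to preview the command

# True if an lsblk TYPE chain (one type per line) contains a dm-crypt layer.
chain_has_crypt() {
    printf '%s\n' "$1" | grep -q '^crypt[[:space:]]*$'
}

# True if the filesystem holding path $1 sits on a dm-crypt (LUKS) mapping.
dest_on_luks() {
    src=$(findmnt -n -o SOURCE --target "$1") || return 1
    src=${src%%\[*}                 # drop a "[/subvol]" suffix if present
    chain_has_crypt "$(lsblk -s -n -o TYPE "$src")"
}

# run_profile full|offsite TARGET_URL
# duplicity encrypts with GnuPG by default and prompts for the passphrase
# (or reads it from the PASSPHRASE environment variable).
run_profile() {
    profile=$1 url=$2
    case "$profile" in
        full)     # home plus /etc and /var/log, as the article recommends
            set -- --include "$HOME" --include /etc --include /var/log ;;
        offsite)  # home only, minus bulky data not worth uploading
            set -- --exclude "$HOME/.cache" --exclude "$HOME/Music" \
                   --exclude "$HOME/Downloads" --include "$HOME" ;;
        *)  echo "unknown profile: $profile" >&2; return 2 ;;
    esac
    # Selection is first-match-wins, so the final '**' drops everything else.
    "$DUPLICITY" "$@" --exclude '**' / "$url"
}

# Full backup to an external drive, refused unless the drive is LUKS-backed.
backup_external() {
    mnt=$1
    dest_on_luks "$mnt" || { echo "refusing: $mnt is not on LUKS" >&2; return 1; }
    run_profile full "file://$mnt/workstation"
}
```

Reading all of /etc and /var/log needs root, so the full profile is normally run with elevated privileges.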
The first part of this series walked through distro installation and some pre- and post-installation security guidelines. In the next article, we’ll dive into some more general best practices around web browser security, SSH and private keys, and more.