Encrypted backups using 'attic' (formerly borg)

I’m re-visiting the concept of having encrypted off-site backups. The first reaction is, everything should be encrypted because some hacker (or their staff) could get into the offsite backup service and gain access to all your files. But if they are stored as encrypted, this makes is practically impossible.

As I am re-visiting the idea of now simply using rsync to do a backup to a place like rsync.net, I wonder how important it is to actually encrypt everything since there is always a risk of losing the password and/or key to the encrypted backup and there is no recovery or back door to this.

So this has caused a discuss of what exactly needs to be protected that it should be encrypted when stored offsite. The only things that come to mind are things which are financial related where someone could use them for fraud. Beyond that, the other things are a low-risk if they were hacked such as client proposals, media for clients, etc. Yeah, those things you don’t want to be made public, but is it worth the additional overhead and risk by storing them as encrypted is the question.

This isn’t the only backup we do, which is the offsite one. We also swap out an external hard drive that is kept offsite in a vault. Nothing is encrypted on the hard drive kept in the vault, because we don’t have anything to hide from something as serious as a court order. I never heard of anyone breaking into a vault and stealing a hard drive.

Anyone using ‘attic’ and other software to encrypt offsite data? Again, this is offsite storage I’m referring to, the transmission of the data is encrypted.

We do not keep client medical records or anything HIPPA related. We aren’t in any sort of legal business where we have confidential things like that. It is mainly a concern for someone using the data for fraud. Or am I overlooking something else which needs to be kept encrypted in offsite storage?

I don’t have specific program recommendations, but in your case, if key storage is a problem, you could use a good passphrase that you only share with trusted others (SO? kids? close family/friends? lawyer?). First practice encrypting and recovering some unimportant thing for a few weeks or months until you have the passphrase (or algorithm) down, then just keep asking the trusted others to rehearse it with you once a week or once a month or whatever. It’ll be your shared secret and unlikely that everyone will forget it all at the same time.

The passphrase could be something long but memorable, like “First dog rex second child sam third date paris”. Impossible to brute force, not much room for grammatic ambiguity, should be memorable for anybody you’d trust. Or a favorite quote plus your birthday at the end. Etc.

Alternately, if your primary concern is identity theft, I propose that you forget about all this and sign up for identity theft monitoring + insurance instead. Most identity theft happens when a business leaks their customers’ info because of their own shitty security, not because somebody’s breaking into a bank vault. There’s not much you can do about that besides using only cash. If it’s going to happen, it’s most likely going to happen from some channel of attack outside your control, and the only thing you can reliably do about it is have a service that catches it right away, insures you against damages, and helps you recover your identity/credit from the bureaus.

incorrect with regard to “cannot gain access to files” … files can be accessed/copied but, purportedly, cannot be decrypted without the necessary algorithm “key” as how the previous poster relayed.

however … let’s say you have irrefutable evidence john f. kennedy was assassinated (at his brother’s command) … and you wish to encrypt the data so nobody (except you/your ‘key’) can reveal that evidence. if that data has not been corrupted by the time quantum computers come of age … they may be able to break the encryption code and siphon the data within hours … rather than a million years of the current modal.

again, for all practical purposes … the above paragraph can be considered purely conjecture.

guess my point is this … careful of what you choose to encrypt.