Having more than one copy of important data is an often overlooked personal security measure. Data loss can be extremely time consuming to rectify, and can lead to exposure of sensitive information. We want to assume any important information will eventually be lost and create copies of it to reduce the effect of these events on our lives.

The following terms should be defined.

  • Original data - original paper documents and physical devices (phones and laptops)
  • Backups - scanned copies of paper documents, snapshot backups of devices, copies of critical data stores like passwords.

All technical procedures in this guide are performed on Ubuntu Linux, but they can be performed on any OS with some adjustments.

Threat model

Threats in this section deal with the security of the original data - where sensitive documents are stored, how devices are secured, and how we keep track of them. It also deals with the security of the backups themselves, which are usually on a disk.

Data loss can pose the following problems -

  • If you lose a device, you will need to configure it again manually from its factory state. This can be time consuming and you probably won’t get the same configuration from memory.
  • If you lose a device and the hard drive is not encrypted, it can be removed and read, even if protected by pin or biometrics.
  • You will lose any work on that device that was not backed up.
  • Any important documents stored on the device will be lost, need to be replaced, and be available to whoever now has the device. This can result in different flavors of chaos associated with identity theft, replacement of important documents, or recovering from exposed personal information.
  • Sensitive data stored in the cloud is accessible by the cloud service provider, and may be scraped, sold, or fed to AI models. Cyber attacks can compromise the provider’s servers and the connections between you and the provider.
  • Governments are known to purchase data from cloud service providers.
  • Loss of passwords, credentials, or 2FA devices.

Data can be compromised in many different ways -

  • Lost, stolen, or damaged devices / documents.
  • Corrupted or unsaved data.
  • Unlocked or unencrypted devices accessed without your knowledge.
  • Insecure documents accessed and copied without your knowledge.
  • Natural disasters - fire, flood, storm, etc - destruction of physical media stored in one location.
  • Cyber attacks - compromising the backup server or the connection between you and the server. Remotely accessing your device and viewing or copying its contents.

Threat response

We will need to identify important data that should be backed up. Then we will create encrypted backups of the data using the 3-2-1 strategy -

  • 3 - Keep 3 copies of any important file: 1 primary and 2 backups.
  • 2 - Keep the files on 2 different media types to protect against different types of hazards.
  • 1 - Store 1 copy offsite (e.g., outside your home or business facility)

We will configure the backups as follows -

  • Primary - the original data
    • Physical devices (phone, laptop). These will be encrypted and configured for physical security. I also prefer to NOT store any identifying or sensitive documents on physical devices since they are portable and are left unattended in places that are not my home.
    • Physical paper documents - these should be stored in a safe.
  • Backup 1 - stored in your home / workplace. This will be an encrypted hard drive stored in a safe. We will refer to this as onsite backup going forward.
    • Device snapshots - these are exact copies of devices that can be restored to a new device without having to manually configure it, download apps, and load the data onto it.
    • Scans of original documents - these will be performed with open source scanning software in your own home without an internet connection.
    • Copies of critical files and data stores - things like photos, passwords, or email can be backed up and loaded onto this drive.
  • Backup 2 - stored offsite. We will refer to this as offsite backup going forward.
    • Contents should be identical to Backup 1.

We will not use any cloud services, and perform all data transfers by wire, in our own home, without a connection to any network. We will purchase and encrypt our own hard drives, meaning if someone else ends up with your backup drive without the encryption key, the drive will be useless and the data invisible. We will pay a one-time cost for the drives and be free from recurring cloud storage costs.

Preparation

Identifying data to backup

There is no exact definition for this but generally speaking, you should backup data that is irreplaceable, would be very hard to replace, or would lock you out of critical life functions like finances, accounts, access to buildings, or the ability to earn money. I will provide my own list as an example, but yours will vary -

  • Mine and my partner’s devices - 2 phones and 2 laptops. One of these laptops is a work device.
  • Critical documents like birth certificates, social security cards, driver’s licenses, passports, tax documents, etc.
  • Bitwarden password vaults
  • Email history
  • Photos
  • Hardware security tokens

On an unrelated note, I use backup days as an opportunity to clean and refresh my devices. I believe this should be done regularly to any system to help it perform well and ensure there is no sensitive information on the device.

Backup Interval

Choose a backup interval according to your work patterns and how much important data you generate on a daily basis. Some people, like myself, don’t deal much with local files, or do local work that is automatically backed up in the cloud, or work entirely in the cloud. These types may not need to back up as frequently as those who work more with local data on their device.

I opt to perform onsite backups once a month, and offsite backups every 3 months. Choose an interval and add it to your calendar as a recurring event as a reminder.

Equipment

  • 1TB USB SSD - For onsite backup. Choose an appropriate capacity for your work.
  • 1TB MicroSD - For offsite backup. Choose an appropriate capacity for your work.
  • MicroSD adapter - to plug in offsite backup.
  • Covert Coin - To hide your offsite backup if needed.
  • A backup hardware token - If you use these to access accounts, you should have at least one backup.
  • A document scanner - I chose this one because it works with Linux, does not require any proprietary software, does not need an internet connection, and sends no telemetry. These can be acquired used significantly cheaper.
  • Scanner software. I use the default “Document Scanner” program on Ubuntu Linux. Those using a different configuration may be interested in VueScan.
  • A safe - Your needs may vary. Do not buy a used safe. If your home permits it, favor one that is large and bolts to the floor. Make it as difficult to find and remove as possible.
  • A cross-cut shredder or firepit for document disposal.

Preparation

This section should only be performed the first time. You can skip this section on all subsequent backups.

  • Create a backup encryption key - Go to your password manager and generate a sufficiently complex password that will be used to encrypt your backup drives. Ensure this is saved in your password manager with a descriptive name.
  • Disk preparation - We need to ensure the disk is encrypted and of the correct file system type. These steps only need to be performed on fresh drives. If the drive has data on it, the following steps will erase it.
    • Insert the drive into computer.
    • Open the Ubuntu “Disks” utility.
    • Find your external drive, click the cog wheel in the bottom left, then click Format Partition.
    • Type a name for the volume, I recommend naming them according to their purpose (onsite, offsite).
    • For Type, choose Ext4 and Password protect volume (LUKS). This will encrypt the drive.
    • Go back to the Disks utility and click next, input your encryption password and click next.
    • Wait for the operation to complete.
    • Make sure to eject drives before unplugging them.
    • Repeat this process for the offsite backup drive.
  • Configure Timeshift - Now we need to configure the application we will use to backup the computer. From the Ubuntu App Center, download Timeshift. Again, this only needs to be performed the first time you do this on your system.
    • Plug in the onsite drive.
    • Open Timeshift app.
    • Select the external drive as the snapshot location.
    • Uncheck all scheduled snapshot intervals.
    • Include all files from user home directories.
    • Click finish setup.
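
To confirm that the Disks step really produced an encrypted volume, the following added example (not part of the original guide) parses lsblk output and checks that the labelled ext4 filesystem sits inside a LUKS container. It assumes the volume name typed in Disks became the filesystem label and that the drive is unlocked; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the guide. Assumes the name typed in Disks
# became the ext4 label and that the drive is currently unlocked.

# Constructed sample of: lsblk -P -o NAME,TYPE,FSTYPE,LABEL,PKNAME
SAMPLE='NAME="sdb" TYPE="disk" FSTYPE="" LABEL="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="crypto_LUKS" LABEL="" PKNAME="sdb"
NAME="luks-0000" TYPE="crypt" FSTYPE="ext4" LABEL="onsite" PKNAME="sdb1"
NAME="sdc1" TYPE="part" FSTYPE="ext4" LABEL="offsite" PKNAME="sdc"'

# check_encrypted LABEL: read lsblk -P output on stdin.
# Exit 0: ext4 inside LUKS. Exit 1: wrong layout. Exit 2: label not found.
check_encrypted() {
  awk -v want="$1" '
    {
      split("", f)                       # reset fields for this row
      while (match($0, /[A-Z]+="[^"]*"/)) {
        pair = substr($0, RSTART, RLENGTH)
        $0 = substr($0, RSTART + RLENGTH)
        eq = index(pair, "=")
        f[substr(pair, 1, eq - 1)] = substr(pair, eq + 2, length(pair) - eq - 2)
      }
      fstype[f["NAME"]] = f["FSTYPE"]
      if (f["LABEL"] == want) {
        found = 1; type = f["TYPE"]; fs = f["FSTYPE"]; parent = f["PKNAME"]
      }
    }
    END {
      if (!found) { print "no unlocked volume labelled " want; exit 2 }
      if (type != "crypt" || fstype[parent] != "crypto_LUKS") {
        print want ": NOT inside a LUKS container"; exit 1
      }
      if (fs != "ext4") { print want ": filesystem is " fs ", not ext4"; exit 1 }
      print want ": ext4 inside LUKS on " parent
    }'
}

# Usage: sh check-luks.sh onsite   (checks the real drives)
if [ "$#" -eq 1 ]; then
  lsblk -P -o NAME,TYPE,FSTYPE,LABEL,PKNAME | check_encrypted "$1"
fi
```

In the constructed sample, "offsite" is a plain ext4 partition, so the check fails for it; that is the state a drive is in if the LUKS option was missed during formatting.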

Documents

Any important documents should be scanned and saved on your encrypted backup drives. The documents themselves should be stored securely in a safe. I choose not to keep any copies of documents on physical mobile devices. Those who need frequent quick access to these documents might need to create a solution for that.

When sorting your documents for the first time, make sure to burn or cross-cut shred any documents you don’t keep.

Your choice of scanner and scanner software has privacy and security implications. See the Equipment section for details.

Backup Process

This is my own process that backs up my computer, phone and a few other things. Your process may vary; use this one as a template.

  1. Computer cleaning - As stated, I use backup day as an opportunity to clean my device.
    • Run Maintenance Script - this script updates the OS and all applications at once. It is suited for Ubuntu 24.04. An AI tool can help you modify this script for your specific OS. Paste the Maintenance Script into a terminal and run it. Optionally save it with a .sh extension and run it as sudo ./maintenence.sh.
      • ProtonVPN requires NextDNS to be off to fetch upgrade packages
    • Download the BleachBit file system cleaner.
      • Open BleachBit as administrator.
      • Check every box except “Free disk space”
      • Click the “Clean” Button.
    • Manual maintenance
      • Update Cursor IDE - this is a specific program I use that needs to be manually updated.
      • Go through Home folders like Downloads and Documents. Move any important files to the onsite backup drive. Delete any junk.
      • Empty trash
      • Close any browsers (with the setting to Delete cookies and site data when browser is closed)
      • DANGER - Run docker system prune --all
      • Open and run the Disk Usage Analyzer and look for anything unexpected
    • Restart computer
  2. Misc backups - This is probably not necessary every time, but I occasionally backup a couple of other things
    • Export Bitwarden password vault
      1. Open Bitwarden > Settings > Vault Options > Export Vault
      2. Choose json, provide your password and export
      3. Save to backup drive
    • Export Protonmail email history with export tool
      1. Download the export tool
      2. tar -xvzf proton-mail-export-cli-linux_x86_64.tar.gz
      3. ./proton-mail-export-cli - follow the prompts
      4. Save the export to the backup drive
    • Scan and save any new paper documents accumulated since last backup.
  3. Backup the computer. From the Ubuntu App Center, download Timeshift.
    1. Plug in the onsite drive.
    2. Open Timeshift app.
    3. If you don’t see any snapshots, go to Settings > Location and select your onsite drive. If you have other backups on that drive, you should see them now.
    4. Click Create.
    5. Wait for the backup to complete. If this is your first time, a new directory called “Timeshift” will be generated to hold your backups. In that directory, under the “snapshots” directory, verify the new backup exists.
    6. If desired, select and delete old backups through timeshift.
  4. Backup the phone. This process is for GrapheneOS devices.
    1. Plug in the phone to the computer.
    2. On your phone - Go to Settings > About Phone. Tap the Build number button over and over until developer mode is turned on.
    3. Go back to Settings > System > Developer Options and turn on USB Debugging. Allow the connection on your phone.
    4. In your computer terminal, run adb shell ls /sdcard and verify the phone’s files can be read.
    5. I take this opportunity to move all photos from my phone’s gallery to the photos directory on the onsite drive. Copy the photos from phone to drive -
      1. adb pull /sdcard/DCIM/Camera/. /media/conner/Backups/'Conner Photos'.
      2. Check that this operation was successful before moving on.
    6. Delete photos from phone -
      1. adb shell "rm -r /sdcard/DCIM/Camera/*"
      2. adb shell "rm -r /sdcard/Pictures/Screenshots/*"
    7. Backup the phone -
      1. Plug the phone into your computer with a USB cable and run adb backup -all -system -apk -keyvalue -obb -shared -f backup-conner-android.ab
      2. No need to encrypt this file, because the drive we will store the backup on is encrypted
      3. Unlock your device and confirm the backup operation
      4. This will create an encrypted backup image of your phone named backup-conner-android.ab in the directory where you ran this command.
    8. Rename and move the file to the backup drive, delete the old backup - sudo mv backup-conner-android.ab /media/conner/Backups/Backups
    9. On your phone, unplug from the computer and go to Settings > System > Developer options and turn off Use developer options
  5. If you are updating offsite backup - sync the onsite drive to the offsite drive.
    1. Plug in both the onsite and offsite drive to the same computer. Unlock both drives with encryption password.
    2. Get the mountpoints of your two drives by running lsblk -o NAME,SIZE,LABEL,UUID,MOUNTPOINT.
    3. Get the paths to the mountpoints of the two drives. Double check the names of the mountpoints, the first one should be the drive with the latest backups, the second the one with the older backup. If you swap these you will lose the work you’ve done in this guide up to now.
    4. Run sudo rsync -avh --progress --delete /media/user/Onsite/ /media/user/Offsite/. For my own reference, mine is sudo rsync -avh --progress --delete /media/conner/Backups/ /media/conner/Backup/. This command deletes files in the destination that are not in the source, resulting in a perfect duplication of data between drives.
    5. Unmount both drives and remove.
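
Step 5 is the one place where swapping two paths destroys data, so here is a guard for it, added as an example and not part of the original guide. It refuses to run rsync --delete when the destination holds a newer Timeshift snapshot than the source, then reports how many files a dry run would delete before asking for confirmation. It assumes snapshots live under timeshift/snapshots in timestamp-named directories; run it with sudo like the original command.

```shell
#!/bin/sh
# Added example, not from the guide: guard for the onsite -> offsite mirror.
# Assumption: Timeshift keeps snapshots in <drive>/timeshift/snapshots/
# in directories named YYYY-MM-DD_HH-MM-SS, so names sort by age.
SNAP_DIR="${SNAP_DIR:-timeshift/snapshots}"

# Print the name of the newest snapshot on a drive, or nothing if none.
newest_snapshot() {
  [ -d "$1/$SNAP_DIR" ] || return 0
  ls -1 "$1/$SNAP_DIR" | sort | tail -n 1
}

# Return 0 only if SRC -> DST is a safe direction for rsync --delete.
check_direction() {
  src=${1%/}; dst=${2%/}
  [ -d "$src" ] && [ -d "$dst" ] || { echo "missing directory" >&2; return 1; }
  [ "$src" != "$dst" ] || { echo "source and destination are the same" >&2; return 1; }
  if [ "${REQUIRE_MOUNT:-1}" = 1 ]; then
    mountpoint -q "$src" && mountpoint -q "$dst" \
      || { echo "both drives must be unlocked and mounted" >&2; return 1; }
  fi
  s=$(newest_snapshot "$src"); d=$(newest_snapshot "$dst")
  [ -n "$s" ] || { echo "no snapshots on source, refusing to mirror it" >&2; return 1; }
  # String comparison works because the names are zero-padded timestamps.
  if [ -n "$d" ] && [ "$(printf '%s\n%s\n' "$s" "$d" | sort | tail -n 1)" != "$s" ]; then
    echo "destination ($d) is newer than source ($s): paths swapped?" >&2
    return 1
  fi
}

# Dry run first, report pending deletions, then ask before the real run.
sync_offsite() {
  check_direction "$1" "$2" || return 1
  n=$(rsync -a --delete --dry-run --itemize-changes "${1%/}/" "${2%/}/" \
        | grep -c '^\*deleting')
  printf '%s item(s) would be deleted from %s. Type YES to continue: ' "$n" "$2"
  read -r answer
  [ "$answer" = YES ] || { echo "aborted" >&2; return 1; }
  rsync -avh --progress --delete "${1%/}/" "${2%/}/"
}

# Usage: sudo sh sync-offsite.sh /media/user/Onsite /media/user/Offsite
if [ "$#" -eq 2 ]; then sync_offsite "$1" "$2"; fi
```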

Photos

I store my photos on a media server that can be accessed with Jellyfin. This is a very custom approach I do not necessarily recommend, it is just the easiest solution for me at the moment.

All photos are stored on an encrypted desktop computer and are accessible from a Jellyfin server. In the process above, we added new photos to the onsite drive.

  1. To update the desktop computer, plug in the onsite drive, copy the photos directory and overwrite everything.
  2. To keep the photos secure over the network, create a Jellyfin user specifically for photo viewing. Assign photo library permissions to only this user.
  3. Threat model - if the desktop computer is stolen, the pictures are on an encrypted drive. If the phone connected to Jellyfin is stolen, the daily driver user that we are usually logged into for music does not have access to the photo libraries.

Backup Storage

Now that we have backups of our devices, let’s revisit the original plan and consider how we will configure our devices and store our backups.

  • Primary - the original data
    • Phone -
      • GrapheneOS phones are automatically encrypted when the phone locks. For added security, set a 6 digit pin to unlock the phone. 6 digits is harder to brute force than 4 digits.
      • Do not use biometric locks. Law enforcement can legally compel you to open a biometric lock.
      • Set screen timeout to a short period - 15 - 30 seconds.
      • To state the obvious, never leave your phone unattended in public.
    • Laptop -
      • Linux computers can be encrypted with FDE. Drives are encrypted when you shut down the computer, not when it is locked. Ensure that the computer is powered off at night or when it is not on your person outside your home.
      • Set screen timeout to a short period - 5 - 15 minutes.
      • Do not use biometric locks.
      • Never leave your computer unattended in public.
      • Be aware of your surroundings when accessing sensitive data in public. Orient yourself so there are no people or cameras behind your screen.
    • Physical paper documents -
      • These should be stored in a safe in your home
  • Onsite backup -
    • All devices and document scans live on this encrypted drive. If someone were to find this drive, it would be useless without the encryption key. Thus, it is not entirely necessary to store this in a safe, but I prefer to.
  • Offsite backup -
    • Store this encrypted drive at least a few miles away from your home. This mitigates risks of data loss from local natural disasters or total home destruction.
    • Opt to store it in the home of someone you trust. If this is not possible, choose a location that you control or is not accessed by others. If you need to hide the drive, put it inside of a covert coin. Remember that since this drive is encrypted, it will be useless if found.
  • Hardware tokens -
    • I keep 2 backups of my hardware tokens, one in my safe at home and one in the same location as the offsite drive.

Recovering data

In the event of data loss, you can restore backups of your devices from your backup drive.

Linux computer restore

  • Open Timeshift and select “Restore”
  • !TODO

GrapheneOS phone restore