'%3e%3crect%20x='109.185'%20y='253.397'%20width='350.859'%20height='857.656'%20fill='white'/%3e%3cpath%20d='M274.77%20708.572H233.194V888.205H286.632C302.651%20888.205%20314.635%20883.711%20322.461%20875.088C330.287%20866.465%20334.322%20851.404%20334.322%20830.149V779.138C334.322%20752.539%20329.797%20734.2%20320.382%20723.997C310.966%20713.795%20295.681%20708.451%20274.77%20708.451V708.572Z'%20fill='%23FF5C00'/%3e%3cpath%20d='M310.966%20610.558C320.015%20601.206%20324.539%20585.295%20324.539%20563.19V530.518C324.539%20490.559%20308.887%20470.519%20277.705%20470.033H232.949V624.768H269.512C287.977%20624.768%20302.039%20619.91%20311.088%20610.436L310.966%20610.558Z'%20fill='%23FF5C00'/%3e%3cpath%20d='M277.582%200C124.362%200%200%20123.399%200%20275.704V1069.3C0%201221.48%20124.239%201345%20277.582%201345C430.803%201345%20555.165%201221.6%20555.165%201069.3V275.704C555.165%20123.52%20430.926%200%20277.582%200ZM426.523%20833.064C426.523%20878.367%20414.539%20912.739%20390.817%20936.423C375.898%20951.241%20356.7%20961.322%20333.221%20966.909V987.677C333.221%201002.5%20320.993%201014.64%20306.075%201014.64C291.156%201014.64%20278.805%201002.5%20278.805%20987.677V971.888H232.949V987.677C232.949%201002.5%20220.721%201014.64%20205.803%201014.64C190.884%201014.64%20178.655%201002.5%20178.655%20987.677V971.888H170.218C150.53%20971.888%20140.625%20962.05%20140.625%20942.496V415.743C140.625%20396.188%20150.53%20386.35%20170.218%20386.35H178.655V357.201C178.655%20342.383%20190.884%20330.238%20205.803%20330.238C220.721%20330.238%20232.949%20342.383%20232.949%20357.201V386.35H278.805V357.201C278.805%20342.383%20291.034%20330.238%20306.075%20330.238C321.115%20330.238%20333.221%20342.383%20333.221%20357.201V388.78C333.221%20389.994%20332.977%20391.087%20332.855%20392.18C354.499%20397.524%20371.863%20406.512%20384.703%20419.386C406.469%20441.491%20417.597%20475.377%20417.597%20521.045V544.364C417.597%20604.363%20397.42%20642.743%20357.556%20659.14V660.719C403.656%20676.265%20426.646%20717.074%20426.646%20782.782V833.064H426.523Z'%20fill='%23FF5C00'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_1_174'%3e%3crect%20width='555'%20height='1345'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
- Backing up your data
- Full encryption of external disks and media
- Selective file encryption
Protecting your personal data is an important part of ensuring your digital sovereignty, privacy and security. The risks to your data are manifold: hacking, loss of hardware or even physical seizure. By implementing effective backup and encryption strategies, you can avoid most of these potential threats.
In this chapter, we'll look in detail at how to back up and encrypt your data, as well as clean up sensitive information on your documents.
Backing up your data
Why back up your data?
Regular backup of your personal or business data is an absolutely essential security measure, often neglected until it's too late. Contrary to popular belief, backing up data is not an optional or company-only task: it concerns every computer user. Whether you have work documents, family photos, personal documents or any other sensitive content, this data can suddenly disappear for any number of reasons:
-
Hardware failure: HDDs and SSDs have a limited lifespan. Without warning, they can fail, rendering data inaccessible.
-
Computer attack: some malware, particularly ransomware, encrypts your files locally and demands a ransom in exchange for the decryption key. Without an independent backup, you're at their mercy.
-
Human error: mishandling, accidental deletion or unintentional formatting can lead to irreversible loss.
-
Physical disaster: fire, water damage, theft or even a power surge can render your equipment unusable in an instant.
That's why you need a rigorous, planned and resilient backup strategy.
The 3-2-1 method: a robust safety standard
The "3-2-1" rule is a recognized standard in IT security. It's based on simple but highly effective principles that guarantee fault and incident tolerance. Here's how it works:
-
3 copies of your data: this includes the original (the files on your computer) and two additional backup copies.
-
2 different storage media: the aim is to avoid a hardware problem affecting all your media at once. For example, an external hard drive + a cloud; or a NAS + your computer.
-
1 off-site copy: this copy must be located away from your main premises (at a relative's home, on a remote server, in a secure cloud...). It protects you against local incidents such as fire or burglary.
Let's take the example of a standard user, Alice, who wants to secure her personal data.
Alice keeps a version of her files on her laptop, where she uses them daily. In order to have at least two separate media, she regularly (every Monday, for example) copies all her data onto a USB stick, which she keeps at home. To protect herself against the theft of her files in the event of physical loss or theft, Alice encrypts this USB stick using suitable software (we'll see how to do this later in this chapter).
With this configuration, Alice is already protected against many common threats. However, one risk remains: in the event of a fire or burglary at her home, her two local copies (the computer and the USB stick) could disappear at the same time. To mitigate this risk, she decides to use a cloud storage service, to which she also synchronizes her files on a regular basis.
Alice thus respects the 3-2-1 rule: it has 3 copies of its files (computer, USB key, cloud), stored on at least 2 different media (internal disk, USB key, remote server), with at least 1 off-site copy (the cloud server).
This strategy guarantees excellent resilience: if her computer crashes, she can restore her files from the USB stick or the cloud; if the cloud storage provider suffers a major breakdown, she still has her files locally; and even in the event of a burglary where her laptop and USB stick are stolen, she can recover her data via the cloud service.
Automate to avoid forgetting
One of the best ways of ensuring good backup hygiene is automation. Configure your tools so that backups run automatically according to a schedule (every night, every week...). This prevents oversights and guarantees continuity even in the event of temporary unavailability on your part.
In practical terms, there are several ways to automate your backups. You can, for example, create a Python script that runs automatically to copy your data to an external medium. It's a simple, customizable solution.
If you have a NAS, tools like Syncthing or Rclone allow you to automate backups within your local network, without using the Internet.
To automate backups to a cloud service, you can use integration software provided by the provider itself. One example is Proton Drive, which offers a synchronization client to automatically copy your local files to the cloud. You can also opt for more flexible software like Duplicati, which lets you schedule encrypted backups to numerous remote services (Dropbox, Google Drive, Proton Drive, FTP, WebDAV...).
Remember also to test your backups regularly, i.e. to check that you can restore them. A backup is useless if it's corrupted, incomplete or illegible.
As well as ensuring the resilience of your data, it's equally important to protect access to it. In fact, resilience and security are often in tension: the more copies you make of your files, the more you increase their attack surface, and therefore the risk of an attacker gaining access to them. That's why encrypting your data is an essential step. Let's take a look at how to put it into practice.
Full encryption of external disks and media
One of the pillars of personal computer security is the encryption of stored data. In particular, full encryption of media such as internal hard drives, USB sticks or external disks ensures that, even in the event of theft, loss or physical compromise of the equipment, no information can be read without the decryption key.
Why is it essential?
When a storage medium is not encrypted, simply plug it into any computer to gain immediate access to its contents. There are no barriers to protect files. This means that if your laptop is stolen, or if you lose a simple USB key, someone with malicious intent could access your personal documents.
Beyond the privacy issues at stake, your files can also represent a real security risk. Let's take a concrete example: if your backups contain a copy of your identity documents, an attacker could exploit them to impersonate you, open bank or crypto accounts in your name, or even take out bank loans in your name. This type of information leak can have serious consequences, both personally and professionally.
Full encryption is like a lock: as long as the password is not provided, the data remains unusable. Even an attacker equipped with specialized data recovery tools won't be able to extract anything without the key.
What technical solutions does your system offer?
- Linux (Debian)
Under Linux, the standard solution is LUKS (Linux Unified Key Setup). LUKS is an encrypted volume management system integrated into most distributions. When the system is first installed, you will generally be prompted to encrypt the entire computer disk. Of course, I strongly recommend that you activate this option. Once encryption is enabled, the system will ask for the password at every boot, even before the OS loads. This ensures that physical access to the disk cannot bypass security.
If you wish to encrypt an external disk or USB stick, this can also be done from the command line or via the graphical Interface. The disk will have to be formatted, so all existing data will be lost if not backed up first.
Via terminal
Make sure you have the cryptsetup package installed:
sudo apt update sudo apt install cryptsetup
Start by identifying your USB key with the following command:
lsblk
You should see a device like
/dev/sdb with an associated partition, for example /dev/sdb1. Be careful to select the right disk, as it will be erased!To encrypt the key, run the following command to initialize encryption:
sudo cryptsetup luksFormat /dev/sdb
Type "YES" in uppercase to confirm the operation, then choose and confirm a strong passphrase. This password will enable you to access your data: remember to make a backup, as without it, access to the key's data will be permanently lost.
Unlock and open the volume:
sudo cryptsetup open /dev/sdb encrypted_usb
You'll need to enter your passphrase to unlock the volume.
encrypted_usb is the name given to the decrypted volume.Then format the decrypted partition. For a native Linux format:
sudo mkfs.ext4 /dev/mapper/encrypted_usb
Or, if you want compatibility with Windows:
sudo mkfs.vfat /dev/mapper/encrypted_usb
Mount the key for use:
sudo mkdir -p /mnt/usb sudo mount /dev/mapper/encrypted_usb /mnt/usb
You can now access your key via the
/mnt/usb directory, and read and write files just like on any other volume.To disassemble and re-encrypt the key:
sudo umount /mnt/usb sudo cryptsetup close encrypted_usb
You can then safely remove your USB key.
For future use of your USB flash drive:
sudo cryptsetup open /dev/sdb encrypted_usb sudo mount /dev/mapper/encrypted_usb /mnt/usb #### … you work on the usb … sudo umount /mnt/usb sudo cryptsetup close encrypted_usb
If you wish, you can also automate this sequence using Python or Bash scripts.
Via GNOME Disks:
The other solution is to use the GNOME Disks software with its graphical Interface, which is often simpler than using the terminal. Normally, this utility is already pre-installed on Ubuntu. If this is not the case, you can install it manually with the following command:
sudo apt update sudo apt install -y gnome-disk-utility
To open the software, go to Ubuntu's applications menu and search for "Disks". It's usually found by default in the "Utilities" directory.
In the left-hand column, locate your USB key. If a partition already exists, select it; if not, create a new one: click on the "+" button below the list of partitions.
Then select the partition to be encrypted. Click on the cogwheel icon, then choose "Format Partition...".
In the:
- In "Volume name", enter a name (e.g.
usb); - Select the "Internal disk for use with Linux systems only (Ext4)" format;
- Check the "Password protected volume (LUKS)" box.
Enter and confirm a robust passphrase.
Confirm and wait for the partition to be completely formatted (all data will be deleted).
Once the process is complete, the partition appears with a small padlock. Select it, then click on the padlock to unlock it.
Enter the password, then click on "Unlock".
The volume will be automatically mounted and accessible from your file manager, usually in the
/media/username/usb directory.To unmount the USB key and reactivate encryption, click the padlock icon again in GNOME Disks.
Finally, click on the arrow-shaped button in the top right-hand corner to eject the key cleanly from your PC. The next time you log on, Ubuntu should automatically detect your encrypted key and ask you for the password, without having to open GNOME Disks.
- Windows:
Under Windows, a native solution allows you to encrypt your disk. It's easy to activate: just go to the "Privacy & Security" settings, then tick the "Device encryption" box in the sub-menu of the same name. The recovery keys will then be automatically saved in your associated Microsoft account.
If you're using a local account, or if your machine doesn't support this feature natively, you can set up BitLocker manually (Microsoft's proprietary encryption software). But there are also open-source alternatives such as VeraCrypt.
VeraCrypt is free, cross-platform software compatible with Windows, Linux and macOS. It can be used to encrypt an entire disk or partition, or to create a container file that acts as a secure virtual disk. VeraCrypt's Interface allows this volume to be mounted like a conventional disk, accessible only after authentication.
To learn more about this solution, please consult this complete tutorial :
- macOS :**
On macOS, system disk encryption is based on FileVault, a native feature accessible from the security settings. If your Mac is equipped with an Apple Silicon chip (M1, M2...) or a T2 chip, hardware encryption is already permanently enabled. However, activating FileVault adds an extra layer of security by encrypting the entire system volume.
Once FileVault has been activated, you'll need to choose a recovery method in the event of password loss: either use your iCloud account, or generate a unique backup key. This key must be kept in a safe place, as its loss would render your data permanently inaccessible.
For external storage media (hard disks, USB sticks, etc.), encryption is performed using the disk utility. You will need to completely reformat the volume:
- Select the device, click on "Delete"
- Select the "GUID Partition Table" scheme
- Then choose an encrypted file system format (APFS or Mac OS extended)
- Choose a strong password
- Click on "Delete" then "OK" and encryption is complete
Once encryption is in place, the external drive can only be mounted by entering this password. The system will then decrypt it on the fly.
A few recommendations for your encrypted backups
Before encrypting a medium, you need to back up all the data it contains (unless it's empty, of course), as the encryption procedure generally erases the initial contents.
The choice of password is also very important: it must be long, complex and unique, as it is the only protection between your data and a malicious third party. You also need to make a backup, for example in a password manager, because unlike online services, there is no recovery mechanism. If you forget your password, the data is lost for good.
Selective file encryption
In some cases, it is neither necessary nor practical to encrypt an entire hard disk or external media. In such cases, you can opt for selective encryption, which involves securing only certain files or directories containing sensitive data.
One of the best-known methods for encrypting files is to use GPG. This tool is based on asymmetric cryptography: you have a pair of keys, one public, which you can distribute freely to your correspondents, and the other private, which must remain strictly secret. Files are encrypted using the recipient's public key, but can only be decrypted using his or her private key.
This protocol is perfect for exchanging sensitive files securely with others, without sharing a password. For personal or occasional use, GPG also enables symmetrical encryption: the file is then protected by a unique password known only to you.
An excellent alternative is Cryptomator. This open source software allows you to create a safe: a special directory in which all files deposited are automatically encrypted. This safe can be synchronized with cloud services such as Dropbox, Google Drive or Nextcloud without the provider ever having access to the unencrypted data. The application is available on all operating systems, including Android and iOS, and requires no special technical skills to use.
Finally, it is also possible to use VeraCrypt in container mode, which creates a file that acts as an encrypted archive, mountable like a disk.
Now that you've learned how to protect your personal data against loss and theft, the next chapter looks at another important aspect: how to prevent your personal files from becoming attack vectors through their metadata.
Quiz
Quiz1/5
scu2023.4
When automating your backups, what essential precautions need to be taken on a regular basis?