Giving a few thoughts of mine on this, since creating a data backup setup was a thorn in my foot for a while.
-
Encryption Tools: There are some key differences between VeraCrypt and Cryptomator that are worth pointing out. As it stands Cryptomator does not support key files nor hardware keys for accessing the containers, while VeraCrypt does provide those options. Additionally Cryptomator uses containers with flexible storage, which changes depending on the files you place into it. VeraCrypt’s container size on the other hand is fixed, so you have to define it first. VeraCrypt also supports hidden containers, which Cryptomator currently does not. My recommendation is to use Cryptomator locally on your device, which grants you some additional protection should your physical device ever be compromised and in the hands of bad actors. You can use it as an alternative to your default home folders, such as Downloads and Documents, and thereby have a second layer of encryption for any general files. The reason I recommend it for that purpose is its flexible storage, while with VeraCrypt you are going to run into the issue of either giving the container too little space or too much space.
-
Backups: The general rule of thumb is to maintain 3 backups, including 2 offline and 1 online backup of any files. HDDs are preferred for local backups. However, instead of backing up everything and anything, you may want to separate some of your data and compartmentalize rather than using 1 container and 1 password for absolutely everything. Make a list of absolutely critical files, for example photocopies of your IDs, password databases, and potentially a video capturing everything inside your home in the event of a fire (comes in handy for home/renter insurance). Any critical files should be in one bucket while all other files, which you can slice and dice however you like, should be in another. You can back up both types of files to the same cloud storage and HDDs; however, by splitting them up you aren’t required to always have 1-4 TB of backup storage available, and instead you can keep any critical files within the single-digit GB range. This makes it much easier to back up the critical files to other locations.
-
Cloud Storage: For cloud storage, it doesn’t really matter what provider you use as long as they are known for a higher level of security and stability. Even though I constantly read debates on which cloud storage provider to use for privacy purposes, it really doesn’t matter. Fundamentally you are entrusting another entity with your files and are uploading them to someone else’s computer. There is no provider in this space that you can 100% trust and rely on to keep your data safe and not share or forward it to 3rd parties.
Therefore, you want to take the approach of using password-protected VeraCrypt containers AND use key files and/or a hardware key. The reasoning here is to counter Harvest Now, Decrypt Later. This should be your default policy when uploading your containers to anyone else’s machine. Any provider can technically store your files for an indefinite period of time and once uploaded, you are giving up some control over your data. If you use a password, key file, and a hardware key, it becomes virtually impossible to decrypt the containers. In this case, it doesn’t matter what cloud storage provider you choose, including Proton, Dropbox, OneDrive, or even Google Drive, since you always give up some control, but you can mitigate any of the security risks by using the above-mentioned process.
So when looking for a cloud storage provider, you want to change your criteria.
Important questions to ask:
- Does the cloud storage provider have a history of suspending access, especially for frivolous reasons? (e.g. Google locking a family out of their Google account due to a false alert by their CSAM scanner)
  - Answer should be “No”
- Does the cloud storage provider have a history of unexpected and unintended loss of data?
  - Answer should be “No”
- Does the cloud storage provider have a routine backup policy?
  - Answer should be “Yes”
- Have there been any reported cases of the cloud storage provider sharing your personal data with 3rd parties (not including your uploaded data)?
  - Answer should be “No”
- Does the cloud storage provider require a lot of personal information during the registration?
  - Answer should be “No”
- Does the provider delete the account after X period of inactivity?
  - Answer should be “No”, however this policy is pretty common. Look up the policy and keep it in mind.
-
Hidden Backups: This is a policy I rarely see anyone talking about, so I want to bring up the value of hidden backups. A hidden backup is one that nobody except you knows even exists. I’m mostly referring to remote backups in this case, but there are some other offline options as well, such as getting a fake coin into which you can place an SD card. (https://www.instructables.com/Hidden-compartment-in-a-coin/)
Since the above article discusses the coin option, I’ll explain the online option. If you need to back up any critically important files, you can use Tor to sign up at a cloud storage provider of your choice, including Proton, Woelkli, or some other provider. If you use Tor throughout this process, including uploading your files, then nobody knows that those files exist and belong to you. This is a great way of saving some of your most critical files in a catastrophic event, such as your cloud storage provider suspending your accounts and losing access to any and all physical devices and backups.
Keep in mind that some of the providers above have an inactivity policy. Proton deletes accounts after 1 year of inactivity, however you can mitigate this by simply paying for a one-time subscription and then cancelling it. See their policy: Inactive accounts | Proton
-
Don’t lock yourself out: Manage your master passwords well and make sure to apply them properly. If you only have access to your passwords through a local password manager and you need the password manager to access online backups, this is a recipe for disaster in a catastrophic event. Make sure you always have access to your password managers and that you always have an online backup of them. If a fire burns down your house and all of your offline hardware, you need to be able to access your password manager in some way, else you’ll lose access to just about everything, which would make a catastrophic event even worse.
-
Key files and hardware keys: You can generate key files in a number of different ways; in fact you can use virtually any file as a key file. However, you can also generate key files using VeraCrypt tools or KeePassXC. I recommend keeping your key files separate from your cloud storage backups. For example, if you upload a VeraCrypt container to the cloud and upload the key files to access the container right next to them, then that defeats the entire point of using key files. Therefore you want to safeguard any key files that you use and keep them backed up completely separately. Consider creating a few hidden backups for them.
For the hardware key, the only key I recommend is OnlyKey (https://onlykey.io/) given that it requires a PIN. After 10 failed attempts, it becomes unusable. Maintain some easy-to-access backups of the OnlyKey, similar to the key files.
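As an added example (not from the post above), here is a small Python checker that turns the post's Backups and Key files rules into data and verifies a backup inventory against them: 3 copies with 2 offline and 1 online for every critical item, a small critical bucket, no key file stored in the same location as a container, and at least one hidden backup per key file. The location and file names are constructed sample data, and "right next to them" is interpreted as "a copy in the same storage location".

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Location:
    name: str
    online: bool           # True for cloud/remote storage, False for an offline HDD or SD card
    hidden: bool = False   # "hidden backup": nobody but the owner knows it exists

@dataclass
class Item:
    name: str
    kind: str              # "container", "keyfile" or "other"
    critical: bool
    size_gb: float
    copies: list = field(default_factory=list)   # names of Locations holding a copy

def check_backups(items, locations, critical_budget_gb=10.0):
    """Return the list of policy violations; an empty list means the inventory passes."""
    loc = {l.name: l for l in locations}
    problems = []
    # Rule 1 (3-2-1): every critical item needs 3 copies, 2 offline and 1 online.
    for it in items:
        if it.critical:
            places = {loc[c] for c in set(it.copies)}
            offline = sum(1 for p in places if not p.online)
            online = len(places) - offline
            if len(places) < 3 or offline < 2 or online < 1:
                problems.append(f"{it.name}: {offline} offline / {online} online copies, need 2 / 1")
    # Rule 2: the critical bucket stays in the single-digit GB range so it is cheap to replicate.
    total = sum(it.size_gb for it in items if it.critical)
    if total > critical_budget_gb:
        problems.append(f"critical bucket is {total:.1f} GB, over the {critical_budget_gb} GB budget")
    # Rules 3 and 4: a key file never sits beside a container, and has at least one hidden backup.
    containers = [it for it in items if it.kind == "container"]
    for kf in (it for it in items if it.kind == "keyfile"):
        for c in containers:
            shared = sorted(set(kf.copies) & set(c.copies))
            if shared:
                problems.append(f"key file {kf.name} stored beside container {c.name} at {shared}")
        if not any(loc[c].hidden for c in kf.copies):
            problems.append(f"key file {kf.name} has no hidden backup")
    return problems

# Constructed sample inventory (hypothetical names, not real data).
LOCATIONS = [Location("hdd-home", False), Location("hdd-office", False), Location("cloud-main", True),
             Location("usb-safe", False), Location("sd-coin", False, hidden=True), Location("cloud-tor", True, hidden=True)]
INVENTORY = [Item("critical.hc", "container", True, 2.0, ["hdd-home", "hdd-office", "cloud-main"]),
             Item("critical.key", "keyfile", True, 0.0, ["usb-safe", "sd-coin", "cloud-tor"]),
             Item("media.hc", "container", False, 800.0, ["hdd-home"])]
```

Running `check_backups(INVENTORY, LOCATIONS)` on the sample returns an empty list; moving the key file's copies onto `hdd-home` and `cloud-main` produces three violations.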