Backing Myself Up Using CrashPlan, TrueCrypt, and Hamachi

by Bob Plankers on April 3, 2012 · 10 comments

in Cloud,Storage,System Administration

For a long while now I’ve been looking for a decent & automatic way to protect the data on the multitude of computers I support in my personal life. I’ve been using a hodgepodge of external disks and synchronization software to keep a spare copy of my data, photos, and media, but with the impending birth of my daughter I figure I’m not going to have time or the willingness to mess around with kludgy solutions anymore. I also don’t want to run the risk of data loss when it comes to things my relatives would judge me on. “What do you mean you don’t have the video of her <doing some activity>?”

I stumbled upon CrashPlan a few weeks ago and instantly took a liking to it. The client is free, works on Windows, Mac OS, Linux, and Solaris, and can back up between computers, to drives, and to friends for free, with full encryption support. The paid side of the service is the cloud backup and some advanced features in the client, like “backup sets.” Backup sets are really just multiple source/target/schedule combinations, that’s all, but it’s handy if you want to back your photos up locally but send your documents up to the cloud.

I really like that they have an unlimited data family plan, up to 10 computers, which is pretty inexpensive (like $6 a month) if you decide to pony up for 4 years of service. The downside to that is that it’s one account that can see all the data backed up into it, so if you think that this would be a good way to back up your brother-in-law’s computer you need to make sure you trust that he’s not going to go trolling through all your data. You can set passwords on the local client, though, and passwords & keys on the uploaded data, which trade ease-of-use for more privacy.

The cloud backup part is a little pokey, though. It’s been getting 500 Kbps from a Linux host I have attached to a decent network connection, which means it’s going to take 19 days or so to back up the 100 GB of data I have there. That’s fine if there’s not a lot of change, but might be a problem if I have big files changing regularly. CrashPlan has a seed option, too, where you can pay for a drive to be sent to you with either a restore archive already on it, or for you to create an archive and mail it back. If you’re active duty U.S. military the service is free, just send them an email from your .mil address. Restores seem to be pretty speedy, which is good. Backing up is really about restoring, after all.

One of the other things I’ve always lusted after in my own personal backup solution is heavy-duty encryption. Cloud backups are neat and all but I don’t trust any providers to not turn over my data to the government or other people. The way I’m thinking about running the cloud backup part of Crashplan is where they escrow the encryption keys, and I just provide a password, which means that my keys are in a subpoena-able position. Not that I’m doing anything illegal, but that’s not the point. With the recent U.S. Appeals Court ruling that memorized encryption keys are protected by the U.S. Constitution’s fifth amendment I see the door opened to protecting myself a little more thoroughly, if there isn’t a cloud provider in the middle to wuss out and turn all my stuff over. So here’s what I’ve done.

1. I set up an older low-profile Dell desktop PC to run Windows 7, and added a USB 3.0 card to it. I bought two 3 TB external USB drives and connected them. Using the disk management functions I created a simple volume on each, did not format it, and did not mount it. With Windows 7 you can’t make anything attached via the USB controller a dynamic disk, so if you dream of RAID sets or mirrors you need to do this with internal drives.

2. I installed LogMeIn’s Hamachi software, which is an excellent & free mesh network VPN solution. I’ve been using this to enable Remote Desktop to all my PCs for years, but you can run other things across it, too. I installed this on all the hosts I intend to back up to the target PC, and on the PC itself. You can only have 5 hosts in a mesh layout with the free version, but for me that’s enough. If you need more it’s $20 a year for 32 hosts in a network.

3. I used TrueCrypt to encrypt both external drives. You have two options when doing this, to create a normally-encrypted volume, or a hidden volume. A hidden volume is a volume within a volume, which can be used to pretend that you’ve decrypted the volume for someone, when really there’s another hidden “compartment” of sorts. There is some trickiness to hidden volumes, and I figure if someone comes looking for my data they’ll be able to figure out what I’ve done, so I stuck with normal encrypted volumes. I mounted one drive as Z: and the other one as O:, labeling them “Local Repository” and “Offline Repository” respectively. I created a folder on Z: called “CrashPlan Remote Backups.”

On reboot these volumes won’t auto-mount, because they require the volume passphrase, but with Hamachi & Remote Desktop enabled I can get in remotely to remount them.

I did not write my encryption passphrase down, since the legal protections don’t extend to that. This presents a bit of a problem, if I were to forget it or die or something. Ideally I’ll find a phrase that my wife can remember, too, without writing it down.

4. I set CrashPlan on the PC to call itself “BACKUP_TARGET” and set the amount of allowed CPU usage to 90% at all times (away & present).

In the Inbound backup settings I set the Listen Bind Address to the Hamachi private IP for the host, and changed the default backup archive location to Z:\CrashPlan Remote Backups.

In the Backup settings tab, I configured the Advanced settings for automatic compression (rather than “On” — I’m assuming the client is smart and in automatic mode won’t blindly compress already-compressed file formats).

On the Security settings tab I checked “Require account password to access…” and set the Archive Encryption to “448-bit encryption + password.” Note that when you do this you will never be able to go back down from that, and you won’t be able to reset it if it’s lost. This option means that CrashPlan will escrow the encryption key for you and you gain access to the key via your password. The higher-security option is where you maintain your own encryption key per computer, which is great for compartmentalization and can keep PCs from being able to see each other’s backup data, but is more of an administrative headache. I thought the middle setting was a good tradeoff.

On the Network settings tab I told it to not bind to anything but the Hamachi network adapter. I want all backup traffic going across the VPN. This way, anybody not on my private network cannot communicate with the backup server, either. I also removed all WAN & LAN throughput limits.

5. I installed CrashPlan on all the PCs, set them to have a client password, and disabled inbound backups. I chose the folders I want to back up on each host (usually just the C:\Users directory). On laptops I set it to stop when the battery level reaches 50% (rather than the default 20%, figuring that’ll give us better battery life), and removed the network sending (throughput) limits for the WAN.

In the Backup settings tab, I configured the Advanced settings for automatic compression.

I then went to the Destinations->Computers tab, selected BACKUP_TARGET, and clicked the Start Backup button.

6. When I got a good backup on all the hosts and things were idle I stopped the CrashPlan service on the target PC and synchronized my Z: drive with my O: drive, using Super Flexible File Synchronizer. I then unmounted that and took it to a separate PC where I tested remounting it with TrueCrypt and attaching the archive to the CrashPlan client to make sure I could restore from it. You can do that if you assume the identity of the backup PC when you first install Crashplan. Of course, when I’d assumed the identity on the new PC and wanted to put it back on the backup PC I had to delete the C:\ProgramData\Crashplan\.identity file and restart the client, so it would offer to assume the identity again.

I took the offsite disk to a safe deposit box, along with the power adapter and USB cable.

7. In the medium term I’ll probably purchase another 3 TB external drive and use it to swap out the one in the safe deposit box, reducing the number of trips I need to make. I also intend to measure the amount of changed data every week to see if a monthly remote swapout is okay, or if I should plan to do it more frequently. I am also maintaining a folder with a copy of TrueCrypt and Crashplan software so it’s part of the offline copy, just in case. I may also place a copy of a KeePass archive in there, so my passwords to things are accessible to my wife in case something happens to me.

I also ended up signing up for the 4 year family unlimited plan for CrashPlan Central backups, mainly so I can maintain a backup for my in-laws that way, and if something happens to me my brother knows the password to the accounts. This also gives me some of the advanced features like backup failure notification and backup sets, which I can see myself using in the future.

So far I’ve been pretty happy. Initial backups take forever, even locally, but it’s been pretty solid since. And that’s exactly what I wanted: something I can set & forget. Minus the offsite copy, of course.

Additional links:

  • StorageMojo’s Robin Harris has a good post, “How to hide files from the law,” up on ZDNet that goes through the recent U.S. Appeals Court ruling that divulging an encryption key stored in your own memory is protected under the U.S. Constitution’s Fifth Amendment. The Fifth Amendment protects a U.S. citizen from incriminating themselves with their own testimony.
  • CrashPlan is obviously at www.crashplan.com.
  • TrueCrypt is very cool. Love them, support them.
  • Hamachi is very cool, though I know they stole someone’s 5.0.0.0/8 to implement their service.
  • I’ve been using Super Flexible File Synchronizer for years. You can certainly use other solutions, from the built-in copy functions to rsync.

{ 10 comments }

Duane Haas April 3, 2012 at 6:03 PM

Nice write up bob, and congrats on pending baby

Bob Plankers April 3, 2012 at 6:26 PM

Thanks Duane, on both counts. Though I will say it’s a bit freaky. :)

Jeff Miles April 4, 2012 at 7:34 AM

Really good write up. I’ve been using Crashplan for a few months now, but rather than use the Cloud service, I convinced my parents (who are 500km away) the benefits of offsite backups, and now their computer is my backup target.

Now I’ve got my files securely backed up in a geographically remote location with very easy access to restore, and so do they. The only downside I see to this is that both computers need to be powered on regularly, but that was already the case for me anyways.

aharden April 5, 2012 at 12:20 PM

CrashPlan + Windows Home Server = Excellent

Bovine April 23, 2012 at 7:50 PM

I’ve been happily using NeoRouter after giving up on Hamachi because it lacked native FreeBSD support. NeoRouter lets you run your own vpn server daemon, rather than relying on Hamachi servers for coordinating your vpn clients, if that sort of thing disturbs you.

Max August 13, 2012 at 10:40 PM

Cool, many thanks for sharing,

Question, are you using “Super Flexible File Synchronizer” to block level copy (only the changes via MD5) the truecrypt volume (flat file) from one drive to another OR both drives are fully encrypted by truecrypt and mounted and just copying data from one drive to the other?

Bob Plankers August 13, 2012 at 10:56 PM

Both drives are fully encrypted, and I copy data from one to the other.

Max August 13, 2012 at 11:57 PM

Thanks for the reply back. I am wondering if “Super Flexible File Synchronizer” would do a block level file copy of the truecrypt .tc file from my local drive when dismounted to a file server on the local lan. Using dropbox, they are using block level copies for sure as a 8Gb .tc takes only a few seconds or minutes depending on how much data I added/changed/deleted in my .tc file while it was mounted. Which is really cool (and means its possible with a .tc file). So I need some type of software that can do the same locally. I think it maybe able to do it. Searching the web I found your post and was hoping to find someone who has done it with “Super Flexible File Synchronizer”.

war59312 September 19, 2012 at 4:33 PM

Hey,

“In the Inbound backup settings I set the Listen Bind Address to the Hamachi private IP for the host”

If that is the only option I select then CrashPlan reports “Network Blocked”. :(

So it seems I have to let it send traffic to my real network adapter for CrashPlan to work. Bummer!

Nice guide though, if only it worked. ;)

Thanks for the help,

Will

Dheeraj January 20, 2013 at 12:30 PM

You do know that crashplan has the option to set your own key (other than your own password), right?:
http://support.crashplan.com/doku.php/articles/encryption_key

http://tinyurl.com/a7xn65w

Comments on this entry are closed.

Previous post:

Next post: