I’m planning to setup backup on my nas with the 3-2-1 backup rule.
For the backup disks I want full disk encryption, but I also want to be really sure that I don’t lose the encryption keys if I lose my phone and computer where I have my password manager.
What is a good practice to store the encryption key(s)?
One thought I had was to have an unencrypted partition on the backup disks that stores an encrypted keepass database with the key.
Any tips or experiences are welcome.
PS. I want to avoid cloud-based options.
If you’re using LUKS don’t forget you can dump/backup the header. It isn’t the encryption key but is critical if you accidentally do a stupid. As to the keys themselves, how about convert them to qr codes, print them, and store them in a safe.
Never crossed my mind, but that’s a good idea. Might have to implement that on my next rotation.
This is smart.