Easiest way to make an encrypted external hard drive?

seanh snhmnd at gmail.com
Sat Feb 5 15:50:54 UTC 2011


Hey, I'm trying to find out what is the easiest way to make an
encrypted backup of my Ubuntu home dir onto an external hard drive.
There are so many options, the main ones seem to be: TrueCrypt,
ecrypt-fs/Ubuntu's encrypted home option,
dmcrypt/luks/cryptsetup/cryptmount.

TrueCrypt looks like it's probably the easiest to use and it works on
other platforms (e.g. Windows and OS X) as well. But it has a dodgy
license, and does not ship with Ubuntu or Debian.

Ubuntu's encrypted home directory is very easy to use as it's built
into Ubuntu. I think I could make an encrypted backup of my encrypted
home dir by just rsyncing /home/.ecryptfs/seanh/.Private to an
external drive. There are various how-tos on blogs for recovering from
such a backup (i.e. decrypting and mounting the backup from a LiveCD
or a newly installed system), but they seem pretty complicated. Good
documentation on this seems pretty sparse, and I have unanswered
questions. Is it safe to mount a backup of the encrypted home dir on a
non-encrypted system that might not have encrypted swap? What about
the wrapped passphrase files, is it safe to back these up to somewhere
like Ubuntu One or Dropbox, rather than writing down the (decrypted)
passphrases as Ubuntu tells you to do?

I don't think a backup of an Ubuntu encrypted homedir would be
readable on non-Linux systems.

I found several tutorials on blogs about creating an encrypted
external hard drive using dmcrypt/luks/cryptsetup/cryptmount. Looks
slightly tricky, but maybe it is the way to go. Can be used on Windows
also.

One option would be to avoid the need to have an encrypted external
drive at all. Keep sensitive files only in secure locations, such as
in encrypted Ubuntu homedirs, and backed up to remote locations that
store with encryption such as Dropbox and Ubuntu One. The external
hard drive would then be used only to back up non-sensitive stuff,
unencrypted. This also means that I don't have the worry of some bug
in the encryption software corrupting the entire encrypted backup
drive and making the whole thing unreadable (I've heard stories). But
it means I'd have to be careful not to accidentally back up any
sensitive data onto the drive, and to make sure that all the
non-sensitive data _does_ get backed up. I can't simply back up my
entire homedir and get everything. Still, I can invent a simple scheme
for managing that and try to stick to it. This avoids the whole
complicated issue of having to select and learn a disk encryption
tool. Might be the best option.

Any thoughts or suggestions?



