I’m planning to set up backups on my NAS with the 3-2-1 backup rule.

For the backup disks I want full disk encryption, but I also want to be really sure that I don’t lose the encryption keys if I lose my phone and computer, where I have my password manager.

What is a good practice to store the encryption key(s)?

One thought I had was to have an unencrypted partition on the backup disks that stores an encrypted KeePass database with the key.

Any tips or experiences are welcome.

PS. I want to avoid cloud-based options.

  • anotherandrew@lemmy.mixdown.ca · 6 hours ago

    I don’t do full disk encryption on my backups. I use duplicity and encrypt the backups with three gpg keys: one that is for the IT department with a known passphrase, one for the business with a different known passphrase, and my personal key.

    I’m a one-man show but I set this up with the future in mind. Different data might not have all three keys, but this arrangement allows me to spin off bits of the data management as needed. The passphrases can be changed as/when needed without invalidating old backups.

    Combined with ssh certificates it helps organize my IT needs.