I’m planning to setup backup on my nas with the 3-2-1 backup rule.
For the backup disks I want full disk encryption, but I also want to be really sure that I don’t lose the encryption keys if I lose my phone and computer where I have my password manager.
What is a good practice to store the encryption key(s)?
One thought I had was to have an unencrypted partition on the backup disks that stores an encrypted keepass database with the key.
Any tips or experiences are welcome.
PS. I want to avoid cloud-based options.
A chain is as strong as its weakest link. If you store your encryption keys in plain text in an unencrypted partition you are not very resilient against an attack.
There is no general advise for security, you always have to frame it in a treat model. What do you use encryption to protect for?
If you want to be able to safely dispose the drives without having to wipe them, storing the keys in a different drive (not partition) could be good. If you want to protect your data against physical thief, storing the decryption keys in plain text in the same server doesn’t make sense.
If you want to protect by a state sponsored actor, keep in mind https://xkcd.com/538/
Something you have to consider is how likely your drives and your encryption keys can be stolen together. How quickly you can realize that only one of them got stolen, and how quickly you can protect the other one to keep you data safe.
A simple approach could be: print them down and put them in a safe box, maybe at a trusted relative or friend’s home. But again, it boils down to what do you want to protect most, because there is no definitive answer to your question
Also, keep in mind that really good passwords can be easy to remember or recover. Pick your favourite book at home, get the last word of the first 10 chapters and put all of them together. You get a password that is impossible to bruteforce, literally written in your home but impossible to guess for anyone else but you. Of course it won’t be easy to type. But is still a good main password for a password manager which stores all the others.