florianlackner
/posts /about /contact

How I Do Backups

Posted on March 29, 2026  · 3 min read  ·  #fido 

 Table of Contents

Things will go wrong. And if we don’t come prepared, we’re going to lose data. Which can be anything from annoying to catastrophic. Let me show you how I keep my data secure. Let me show you how I do backups.

Basics

Backups can and should be simple. You periodically copy all your data onto a USB drive and call it a day. This setup does the trick for most people. I’d recommend it any day over not doing backups at all. However, it has two flaws.

Firstly, copying all data everytime wastes storage space and can take quite a while. If backups are slow, people will perform them less regularily. Or not at all if storage capacity is depleted.

Secondly, the data on the USB drive is not protected from unauthorized access. If you lose your backup drive, anybody can read all your data. This is undesirable, even if the stored data is only family photos. If the data is more sensitive this might even become inacceptable.

Incremental backups

Let’s solve problem one first. Ideally, we only want to copy what’s changed onto the backup drive. This keeps every backup small, yet complete. Modern filesystems offer snapshot functionality, where we can keep several versions of files and folders on storage and share space if possible.

I’m using Btrfs on my computer and on my backup storage. I’m using the wonderful tool btrbk to do the actual work. You can find my config here. All I have to do is to attach my external USB disk and call the tool from time to time.

btrbk will copy only what has changed onto the USB drive. It’ll create one Btrfs subvolume per backup. Those appear like normal folders on your computer. The actual space is shared though. So even if it looks like several copies of all your data, it’s actually a perfectly space-efficient data structure. But btrbk hides this complexity from us.

It has some advanced features too. You can configure a backup retention policy, that automatically deletes older backups for example. I’m not using any of it though. I just want everything backup up.

It’s super fast. It’s super easy. A great tool I can only recommend.

Encrypted Backups

We need to encrypt our backups if we want to protect them from unauthorized access. I’m using LUKS, the standard on Linux. It wraps my Btrfs partition and encrypts all data written to it transparently. You can set it up with a password and call it a day.

I went a little further though. Since I’m the proud owner of FIDO hardware security tokens, I can avoid dealing with annoying passwords. I’m using systemd-cryptenroll to unlock the LUKS partition with my FIDO keys.

Enrollment is simple:

sudo systemd-cryptenroll --fido2-device auto /dev/sdXX

To unlock it:

sudo systemd-cryptsetup attach backup /dev/sdXX none fido2-device=auto

I’ve made a little script to find and attach USB devices automatically. I hope that GNOME will detect a FIDO-protected LUKS device in the future and just prompt me for my FIDO key.

Summary

Everybody should perform backups. A software engineer even more so. Using btrbk and systemd-cryptenroll, we can make the process fast, simple and secure.

In the series Modern Digital Identity: