Table of Contents
Linux Encryption
Secure erase
scrub, shred, srm (srm also works on macOS), wipe. All of these overwrite in place, which only destroys data when the storage really rewrites the same blocks: shred(1) warns that journaling, copy-on-write and RAID setups may keep old copies, and the same applies to SSDs (wear levelling, spare blocks). For flash media prefer the drive's own secure-erase command, or keep the data encrypted and destroy the key instead.
ecryptfs (not supported on RHEL 7)
Create and mount:
yum install ecryptfs-utils-gui dd if=/dev/zero of=ecrypttest bs=1M count=100 mkfs.ext3 ecrypttest mount -o loop ecrypttest /mnt/crypt/ mount -t ecryptfs /mnt/crypt/ /mnt/crypt/ df -h
remove:
umount /mnt/crypt/ umount /mnt/crypt/ (do this two times) shred ecrypttest -u -z
clipper backup drive (session transcript — note that it recorded the passphrase typed at the "Passphrase:" prompt in clear text; anyone with this page has that passphrase, so treat it as exposed and never paste secrets into notes):
[root@clipper ~]# mount -t ecryptfs /backup /backup -o ecryptfs_unlink_sigs,ecryptfs_fnek_sig=4295f161eb1fa6b7,ecryptfs_key_bytes=24,ecryptfs_cipher=aes,ecryptfs_sig=4295f161eb1fa6b7 Select key type to use for newly created files: 1) passphrase 2) openssl 3) tspi Selection: 1 Passphrase: [redacted — the real passphrase was recorded here in clear text; treat it as exposed] Enable plaintext passthrough (y/n) [n]: Attempting to mount with the following options: ecryptfs_unlink_sigs ecryptfs_fnek_sig=4295f161eb1fa6b7 ecryptfs_key_bytes=24 ecryptfs_cipher=aes ecryptfs_sig=4295f161eb1fa6b7 Mounted eCryptfs
encfs
http://www.howtoforge.com/encrypt-your-data-with-encfs-debian-squeeze-ubuntu-11.10
http://www.howtoforge.com/encrypt-your-data-with-encfs-ubuntu-13.04
LUKS
http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
http://www.linuxuser.co.uk/reviews/the-best-file-encryption-software-in-open-source/
http://www.howtoforge.com/encrypt-your-data-with-encfs-ubuntu-13.04
To create a 100M encrypted container:
dd if=/dev/urandom of=crypttest bs=1M count=100 man losetup losetup -a losetup /dev/loop0 crypttest cryptsetup --verbose --verify-passphrase luksFormat /dev/loop0 mkdir -p /mnt/crypt
To mount the device and format it:
cryptsetup luksOpen /dev/loop0 crypttest_1 ls -l /dev/mapper/ mkfs.ext3 /dev/mapper/crypttest_1 mount /dev/mapper/crypttest_1 /mnt/crypt/ df -h |grep cry
To show the volume (master) key of the mounted device — `--showkey` prints the raw key in clear on stdout, so never run it in a logged session or from a script; `cryptsetup luksDump` shows the header and key slots without revealing the key itself:
dmsetup table --target crypt --showkey /dev/mapper/crypttest_1
To remove the device
umount /mnt/crypt/ cryptsetup status /dev/mapper/crypttest_1 cryptsetup remove /dev/mapper/crypttest_1
To quickly make the container unrecoverable by overwriting its LUKS header (every key slot goes with it and this cannot be undone — take `cryptsetup luksHeaderBackup` first if you might still need the data). The byte count below matches a default LUKS1 header; a LUKS2 header is larger, so check the header/payload offset with `cryptsetup luksDump` before relying on it:
head -c 1052672 /dev/zero > /dev/loop0; sync
To remove the device file:
losetup -d /dev/loop0 rm crypttest
LUKS on SL 7 (unattended unlock at boot via a key file kept on the root filesystem — anyone with root on this host can read /root/keyfile-backup, so this protects the backup disk only while it is physically separated from the host; the noauto variant further down keeps the disk locked until someone opens it by hand)
# parted /dev/sdb ?? # shred -v --iterations=1 /dev/sdb1 # cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb1 # mkdir /backup # cryptsetup luksOpen /dev/sdb1 backup # ls -l /dev/mapper/ # mkfs.xfs /dev/mapper/backup # mount /dev/mapper/backup /backup/ # df -h /backup/ # vim /etc/crypttab backup /dev/sdb1 /root/keyfile-backup luks # vim /etc/fstab # restorecon -v -R /backup/ # dd if=/dev/urandom of=keyfile-backup bs=1024 count=4 # chmod 0400 keyfile-backup # cryptsetup luksAddKey /dev/sdb1 /root/keyfile-backup # vim /etc/fstab
/dev/mapper/backup /backup xfs defaults 0 2
# mount # mount -a # reboot # ls /backup
To prevent automounting, add noauto to both /etc/fstab and /etc/crypttab:
/etc/fstab
/dev/mapper/backup /backup xfs defaults,noauto 0 0
/etc/crypttab
backup /dev/sdb1 /root/keyfile-backup luks,noauto
then to manually mount and unmount
cryptsetup luksOpen /dev/sdb1 backup mount /backup cryptsetup status backup umount /backup cryptsetup close backup
GPG
To create an encrypted compressed tar archive with GnuPG:
$ tar czvpf - doc.pdf doc2.pdf doc3.pdf | gpg --symmetric --cipher-algo aes256 -o secure.tar.gz.gpg
To uncompress an archive file encrypted with GnuPG:
$ gpg -d secure.tar.gz.gpg | tar xzvf -
encfs on ubuntu
clipper backup
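#!/bin/bash
#echo local backup skipped
#exit
# Nightly snapshot backup of /etc and /l onto the backup volume.
#
# This file should be located on the backup volume and therefore indicates to
# cron that the backup disk is mounted.
#
# Do Not Delete or move from /backup !
#
# Crontab command: @daily /backup/local.sh
#
# How a set is built: rsync writes into the staging directory
# _data_local.incomplete, hard-linking unchanged files against the newest
# finished set (data_<timestamp>) via --link-dest. The staging directory is
# renamed to data_<timestamp> only when every rsync exited 0, so a directory
# that carries a final name is a complete set; a failed night leaves the
# staging directory behind and the next run resumes into it.
date

backup_root="/backup/local"
inc_root="${backup_root}/incremental_backup"
staging="${inc_root}/_data_local.incomplete"

# Timestamp that names the finished set.
namedate=$(date +%Y-%m-%d-%H%M)

# Remove folders older than 10 days if the if conditions are met
# Development code
#if [ `date |cut -d ' ' -f 3` != 1 -a -e /backup/local ]
# then find /backup/local/ -maxdepth 1 -mindepth 1 -type d -mtime +10 -ls -exec echo rm -rf {} \;
#fi

# Grab the newest finished set to link against: data_* directories only, newest
# by mtime (each set is touched when it is completed, see below). The staging
# directory is deliberately not a candidate, so a previous failed run is never
# used as the link reference. A glob plus -nt replaces the old `ls -t | tail`.
prev_backup=""
for candidate in "${inc_root}"/data_*/; do
  [[ -d "$candidate" ]] || continue
  candidate=${candidate%/}
  if [[ -z "$prev_backup" || "$candidate" -nt "$prev_backup" ]]; then
    prev_backup=$candidate
  fi
done
echo "$prev_backup"

# Pass --link-dest only when a finished set exists. An array (rather than an
# unquoted string) keeps the option out of rsync's argument list entirely when
# there is nothing to link against.
link_dest=()
if [[ -d "$prev_backup" ]]; then
  echo the prior backup exists. Setting location variable.
  link_dest=(--link-dest="$prev_backup")
else
  echo the prior backup does not exist. Unseting variable.
fi
echo "${link_dest[*]}"

# error_status is 0 only when a backup actually ran and every rsync succeeded.
# Previously it was the exit status of whatever command ran last, so a non-root
# invocation (or a failed /etc rsync followed by a clean /l rsync) could still
# promote the staging directory to a finished set.
error_status=0
if [ -e "$backup_root" ]; then
  # Probe/refresh the staging directory; absence just means a clean start.
  touch "${staging}/" 2> /dev/null || echo no previous incomplete directory found...continuing.
  if [ "$( id -u )" -ne 0 ]; then
    # User Backup the local home directory
    echo sorry, must be root.
    error_status=1
  else
    echo backup with root privleges
    # These require root.
    # --inplace was dropped on purpose: rsync(1) documents that it writes new
    # data into the existing destination inode without breaking hard links, so
    # with a leftover staging directory whose files are hard-linked to the
    # previous set, an in-place update would silently alter that earlier backup.
    # NOTE(review): rsync exits 24 when source files vanish mid-run, which is
    # common on a live system; that counts as an error here, so such a night
    # stays in staging and is completed by the next run — relax if too strict.
    # Backup /etc
    rsync -v --archive --one-file-system --hard-links \
      --human-readable --numeric-ids --delete \
      --delete-excluded --exclude-from=/backup/excludes.txt \
      "${link_dest[@]}" \
      /etc "$staging"
    etc_status=$?
    # Backup /l ('.Trash*' is quoted so the shell cannot expand it locally)
    rsync -v --exclude='.Trash*' --archive --one-file-system --hard-links \
      --human-readable --numeric-ids --delete \
      --delete-excluded --exclude-from=/backup/excludes.txt \
      "${link_dest[@]}" \
      /l "$staging"
    l_status=$?
    if [ "$etc_status" -ne 0 ]; then
      error_status=$etc_status
    elif [ "$l_status" -ne 0 ]; then
      error_status=$l_status
    fi
  fi
else echo Backup drive not mounted for rsync.
fi

# Promote the staging directory to a finished set only on full success.
if [ "$error_status" = "0" ]; then
  if [ -e "$backup_root" ]; then
    if [ -e "$staging" ]; then
      if mv "$staging" "${inc_root}/data_${namedate}"; then
        echo "moved completed _data_local.incomplete backup to ${inc_root}/data_${namedate}"
        # Bump the mtime so the newest-set lookup above picks this set next run.
        touch "${inc_root}/data_${namedate}"
      fi
    else
      echo Intermediate Backup Directory does not exist.
    fi
  else
    echo Backup drive not mounted.
  fi
else
  echo rsync had errors.
fi
date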
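#!/bin/bash
# Remove old backup sets: keep the newest $num_to_keep finished sets under
# $dir_location and delete the oldest surplus ones, never more than 3 per run
# so a misconfigured threshold cannot empty the archive in one go.
date
num_to_keep=30
dir_location="/backup/local/incremental_backup/"

# Only finished sets (data_<timestamp>, as named by local.sh) are candidates.
# The staging directory _data_local.incomplete and any stray files in the same
# directory are neither counted nor deleted: counting them inflated the
# surplus, and "_data_local.incomplete" sorted before "data_*", so the oldest
# slot could be a backup that was still being written.
mapfile -t sets < <(find "$dir_location" -mindepth 1 -maxdepth 1 -type d -name 'data_*' | LC_ALL=C sort)

num=$(( ${#sets[@]} - num_to_keep ))
if (( num < 0 )); then
  num=0
fi
echo found $num old backup sets
if (( num > 3 )); then
  echo limiting delete to oldest 3
  num=3
fi

# data_YYYY-MM-DD-HHMM names sort chronologically in byte order, so the first
# $num entries are the oldest sets.
found=("${sets[@]:0:num}")
foundcnt=${#found[@]}
echo removing these oldest $foundcnt backup sets:
printf '%s\n' "${found[@]}"
if (( foundcnt > 0 )); then
  rm -rf -- "${found[@]}"
fi
date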
Setup drive (assumed commands)
Create a partition on the external drive fdisk:
fdisk /dev/sdx
or parted:
Linux Create 3TB partition size
To create a partition start GNU parted as follows:
# parted /dev/sdb
Output:
GNU Parted 2.3 Using /dev/sdb Welcome to GNU Parted! Type 'help' to view a list of commands. (parted) Creates a new GPT disklabel i.e. partition table: (parted) mklabel gpt Sample outputs: Warning: The existing disk label on /dev/sdb will be destroyed and all data on this disk will be lost. Do you want to continue? Yes/No? yes (parted) Next, set the default unit to TB, enter: (parted) unit TB To create a 3TB partition size, enter: (parted) mkpart primary 0 0 OR (parted) mkpart primary 0.00TB 3.00TB To print the current partitions, enter: (parted) print Sample outputs: Model: ATA ST33000651AS (scsi) Disk /dev/sdb: 3.00TB Sector size (logical/physical): 512B/512B Partition Table: gpt Number Start End Size File system Name Flags 1 0.00TB 3.00TB 3.00TB ext4 primary Quit and save the changes, enter: (parted) quit Sample outputs: Information: You may need to update /etc/fstab.
Overwrite the partition once with random data before luksFormat so that unused space cannot be told apart from ciphertext (shred with a single iteration writes random bytes). This is slow on large disks; it hides how much of the disk is in use, it does not add confidentiality to the data itself:
shred -v --iterations=1 /dev/sdx1 cryptsetup --verbose --verify-passphrase luksFormat /dev/sdx1
~/mountbackupluks
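#!/bin/bash
# Unlock the LUKS partition on the external backup disk and mount it on /backup.
# cryptsetup reads the passphrase from the terminal. Never keep the passphrase
# in this file: it would be readable by anyone who can read the script and
# would defeat the encryption. If it has ever been written here, treat it as
# exposed and replace it with `cryptsetup luksChangeKey /dev/sdb1`.
set -e
cryptsetup luksOpen /dev/sdb1 encryptexternal
mount /dev/mapper/encryptexternal /backup/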
mkfs.xfs /dev/mapper/encryptexternal
umount /backup cryptsetup remove /dev/mapper/encryptexternal
fstab automount (unattended unlock at boot via a key file kept on the root filesystem — anyone with root on this host can read the key file, so this protects the external disk only while it is physically separated from the host)
Create the key file (4 KiB of random bytes; it must be readable by root only):
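# Generate a 4 KiB random key file readable only by root, then enrol it as an
# additional LUKS key slot (the interactive passphrase slot stays valid).
# The file name must match the one in /etc/crypttab (/root/encryptexternalpassword);
# the earlier version wrote to a differently spelled name, so the chmod and
# luksAddKey below acted on a file that did not exist.
# umask 077 closes the window in which dd would create the file with the
# default mode before chmod runs.
( umask 077; dd if=/dev/urandom of=/root/encryptexternalpassword bs=1024 count=4 )
chmod 0400 /root/encryptexternalpassword
cryptsetup luksAddKey /dev/sdb1 /root/encryptexternalpassword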
blkid
Add to /etc/crypttab
encryptexternal UUID="0e6a3959-3da4-4112-b669-9c2d282380a6" /root/encryptexternalpassword luks
add to /etc/fstab
#LUKS encrypted external drive
/dev/mapper/encryptexternal /backup xfs defaults 0 2