Proper Paranoia: Basic Resilience Against Catastrophes

04/17/2025

I wanted a system that, even if everything I own is turned to ash, still lets me get my whole business back with minimal effort.

This is the process I've been following since I started freelancing:

  • Come up with a disaster scenario
  • Implement a strategy to prevent, mitigate, and/or recover from damage if it happens
  • Repeat

That's it. Just an ongoing process of improvement.

This is too abstract, please elaborate

Here's how that process looked for me:

I have a lot of code on my machine. Years of work. If my hard drive gives out, all of that is lost. One of the strategies here is to have a copy of the code stored online, on GitHub (which, of course, only protects what has actually been pushed). It also opens up other things like CI/CD and collaboration, but that's beside the point.

That's not the only valuable data I have on my machine. Legal documents, accounting data, emails. Other work, such as graphics and 3D models. Really, a whole lot of stuff I'd rather not lose. So, additional backups are needed: once a week I copy all my data to an external SSD. With NixOS there are only two places I have to back up to later be able to get the whole system back: my home directory and my storage partition (if you want to make it easy on yourself, you could also back up /etc/nixos, but I have that one in a repo). If my machine is fried, I still have the backup to recover from.

But what if it gets stolen? Then I can still recover my data, but so could whoever stole my computer. Not great, so let's encrypt everything, both my system and my backups. It's practically free with Linux anyway and takes no time to set up.

But if my disk is gone and my password manager database file is on it, I won't be able to decrypt my backup, now will I? I won't have the password. So I need a password that's strong but that I can also remember. And I don't want to reuse the one I use for my computer (don't reuse passwords, kids).

A good password is one that's really expensive to guess. Preferably so hard to guess that it's mathematically improbable to ever be guessed even if all the compute on the planet is thrown at the problem. Fortunately, that's pretty easy as well: using a password manager, you can generate a list of seven random words, which is both easy to remember and gets you a bit more than 90 bits of entropy (seven words drawn uniformly from a 7776-word list such as the EFF long list give 7 × log2(7776) ≈ 90.5 bits; that figure assumes the generator picks the words, not you, and that the attacker knows which list was used). What does "90 bits of entropy" mean? Feel free to ask your favorite LLM how long it'll take to guess that password.

No numbers or special characters, by the way. It takes a bit to type out, though.
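The passphrase arithmetic above, as an added POSIX shell example (not the author's setup, which uses a password manager to generate the words): it draws words from a list using /dev/urandom with rejection sampling, and computes what a given word count and list size are worth. The 16-word list, and the 10^12 guesses per second rate used in the output, are constructed for the demo; real lists such as the EFF long list have 7776 words.

```shell
#!/bin/sh
# Added example: diceware-style passphrase generation and its entropy arithmetic.
# The word list below is constructed for the demo only; entropy depends on the
# size of the list, not on the words themselves.
WORDS="apple brick cloud delta eagle flint grape hotel igloo joker kayak lemon mango nylon ocean piano"

# uniform_index W: print a uniformly random integer in [0, W) from 2 bytes of
# /dev/urandom, using rejection sampling so a plain modulo cannot bias the choice.
uniform_index() {
  w=$1
  [ "$w" -gt 0 ] && [ "$w" -le 65536 ] || { echo "list size out of range" >&2; return 1; }
  limit=$(( (65536 / w) * w ))          # largest multiple of w that fits in 16 bits
  while :; do
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    if [ "$r" -lt "$limit" ]; then
      echo $(( r % w ))
      return 0
    fi
  done
}

# passphrase N: print N words chosen independently and uniformly from $WORDS.
passphrase() {
  n=$1
  set -- $WORDS                          # positional parameters become the list
  w=$#
  out=""
  i=0
  while [ "$i" -lt "$n" ]; do
    idx=$(uniform_index "$w")
    word=$(eval "echo \${$((idx + 1))}")  # positional parameters are 1-based
    out="$out${out:+ }$word"
    i=$((i + 1))
  done
  echo "$out"
}

# passphrase_bits N W: entropy in bits of N words drawn uniformly from a W-word list.
passphrase_bits() {
  awk -v n="$1" -v w="$2" 'BEGIN { printf "%.1f\n", n * log(w) / log(2) }'
}

# years_to_exhaust BITS RATE: years needed to try every passphrase of BITS bits at
# RATE guesses per second. The expected time to hit the right one is half of this.
years_to_exhaust() {
  awk -v b="$1" -v r="$2" 'BEGIN { printf "%.3g\n", 2^b / r / 31557600 }'
}

echo "demo passphrase (16-word list): $(passphrase 7)"
echo "bits, 7 words from 16:          $(passphrase_bits 7 16)"
echo "bits, 7 words from 7776:        $(passphrase_bits 7 7776)"
echo "years to exhaust 90 bits at 10^12 guesses/s: $(years_to_exhaust 90 1000000000000)"
```

The rejection loop is the part people skip: `$RANDOM % 7776`, or urandom bytes reduced with a bare modulo, favours the low end of the list, and words a human picks "at random" are far below the 12.9 bits each that uniform selection gives. The years figure is for a bare guess at the passphrase; a LUKS volume stretches each guess through Argon2, so the same passphrase costs an attacker considerably more there than against a fast hash.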

Anyways.

What if my apartment burns down? Then both my computer and my backup are gone. That means I need off-site backups.

Alright, fine, we're going online.

I'm not a big fan of pushing any of my data online, but with the power of Encryption and Basic Memorization Skills, no force known to man can stop me from getting a good backup system going.

So, what's it you're doing now, then?

I'll skip the rest, lest it turn into a whole lecture. But by now you should get the idea: continuously improve your exception handling.

Here's the process I have now, in all its glory:

  • My workstation is a NixOS setup. The system itself is encrypted with LUKS, in a detached header configuration that has the LUKS header and boot partition on a USB stick on my keychain. You can't decrypt or boot the machine without both my USB stick and the password (#1). Here's a link to a great guide I found online.
  • All my data lives on my workstation in my home folder and my storage partition, and gets backed up once a week to an external encrypted SSD (password #2).
  • After that backup process, the backups are written into an encrypted tarball and uploaded to a Proton Drive folder that's accessible via a URL and password (#3).
  • In addition, my backup drive includes an encrypted folder (password #4) that contains all the 2FA keys and recovery codes I could possibly need to get access to my data. Those are decrypted, updated, encrypted and uploaded only when they change.
  • I also use a password manager (KeePassXC), as mentioned above, and that database file lives on the storage partition. It's password protected, of course (password #5).
  • To make sure that I actually can use that backup to restore everything, one of my domains has a subdomain with a TXT record that includes the link to the shared Proton Drive folder as well as the command needed to decrypt the whole thing.
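A concrete version of the tarball step and the "can I actually restore?" question from that list, as an added POSIX shell example that is not the author's own scripts: it builds an encrypted tarball from a backup directory together with a sha256 manifest, then restores into a scratch directory and checks every file against the manifest, and finally shows that a damaged blob is rejected rather than silently restored. tar, gpg's symmetric AES-256 mode, the sample files and the passphrase file (standing in for password #3) are all assumptions for the demo; the page does not say which tool the author uses.

```shell
#!/bin/sh
# Added example: encrypted backup tarball plus a real restore test.
# Tool choice (tar + gpg --symmetric + sha256 manifest) and the sample data are
# assumptions for the demo, not the author's setup.
set -eu

# Keep gpg's state and the demo passphrase out of the real home directory.
export GNUPGHOME
GNUPGHOME=$(mktemp -d)
umask 077
PASSFILE="$GNUPGHOME/pass"
printf '%s\n' "demo only seven word phrase would go here" > "$PASSFILE"   # constructed

# make_backup SRC_DIR OUT_FILE: write a sha256 manifest into SRC_DIR, then tar the
# tree and encrypt the stream. The manifest is what later proves a restore is complete.
make_backup() {
  src=$1; out=$2
  ( cd "$src" && find . -type f ! -name MANIFEST.sha256 -print0 \
      | sort -z | xargs -0 sha256sum > MANIFEST.sha256 )
  tar -C "$src" -cf - . | gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase-file "$PASSFILE" --symmetric --cipher-algo AES256 --output "$out"
}

# verify_restore BACKUP_FILE: decrypt into a scratch dir, unpack, and check every
# file against the manifest. Succeeds only if decryption, gpg's integrity check and
# every hash pass. Run this before trusting a backup, not after the fire.
verify_restore() {
  scratch=$(mktemp -d)
  ok=1
  if gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$PASSFILE" \
        --output "$scratch/payload.tar" --decrypt "$1" \
     && tar -C "$scratch" -xf "$scratch/payload.tar" \
     && ( cd "$scratch" && sha256sum -c MANIFEST.sha256 >/dev/null ); then
    ok=0
  fi
  rm -rf "$scratch"
  return $ok
}

# corrupt_copy SRC DST: copy SRC to DST and change one byte in the middle, to show
# that a damaged blob fails verification instead of restoring garbage.
corrupt_copy() {
  cp "$1" "$2"
  pos=$(( $(wc -c < "$2") / 2 ))
  b=$(od -An -tu1 -j "$pos" -N1 "$2" | tr -d ' ')
  printf "$(printf '\\%03o' $(( (b + 1) % 256 )))" \
    | dd of="$2" bs=1 seek="$pos" conv=notrunc 2>/dev/null
}

# demo: a constructed stand-in for the home directory, backed up and verified.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/home/projects"
  printf 'ledger 2025\n' > "$work/home/accounting.txt"
  printf 'fn main() {}\n' > "$work/home/projects/main.rs"
  make_backup "$work/home" "$work/backup.tar.gpg"
  verify_restore "$work/backup.tar.gpg"
  echo "restore OK"
  corrupt_copy "$work/backup.tar.gpg" "$work/damaged.tar.gpg"
  if verify_restore "$work/damaged.tar.gpg"; then echo "BUG: damaged blob accepted"; exit 1; fi
  echo "damaged blob rejected"
  rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1 && command -v gpg-agent >/dev/null 2>&1; then
  demo
else
  echo "gpg/gpg-agent not installed; demo skipped" >&2
fi
```

Two caveats worth designing for with a setup like the one listed above. The TXT record is public: anyone who reads it can fetch the blob and run guesses offline, so the whole off-site copy rests on password #3 and on the passphrase stretching of whatever tool encrypts the tarball (for gpg, `--s2k-count` raises it). And a detached LUKS header has no copy on the disk, so a lost or dead USB stick makes the workstation unrecoverable on the spot; keeping a copy of the header (the header file itself, or one made with `cryptsetup luksHeaderBackup`) inside the encrypted backup set turns that into a restore-from-backup event instead of a rebuild.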

All passwords mentioned are seven-word "sentences" and aren't reused. That's just 35 words in total (plus the subdomain I have to remember, technically).

What's the result? Well, theoretically everything I own could be turned to ash, and as long as I eventually get my hands on a laptop, I'll still be able to restore my whole business in an hour or two. Pretty nifty.
