Looking for encrypted hard drives for offsite backup rotation
Posted by FU-Lyme-Disease@reddit | sysadmin | 30 comments
Decision was made to rotate physical drives for monthly offsite backup but now I’ve been tasked with finding hardware encrypted drives in case a drive is lost/stolen.
Anyone have recommendations or experience with iStorage or Apricorn?
Such_Rhubarb8095@reddit
We have had decent experience with Apricorn drives for offsite rotation. Pretty simple and reliable. Honestly though, software encryption on normal drives is usually enough if managed properly. Hardware encrypted drives are more about compliance and peace of mind sometimes.
bruteforcenet@reddit
??
Just encrypt the drive?
Heard of tape which is better suited to this purpose?
pangapingus@reddit
Certain underwriters and whatnot get hard-ons for this sort of stuff even if it doesn't really matter
bruteforcenet@reddit
Yeah… no
pangapingus@reddit
Real life > tech details, wot lol
bruteforcenet@reddit
Yeah it’s not real life that underwriters or auditors expect you to be rotating mechanical hard drives with onboard encryption in 2026. That’s in your head.
Direct-Fee4474@reddit
yeah, i've sat with auditors for compliance signoff on all sorts of bigscarythings, and no one has ever required anything other than "data is encrypted at rest." there's all sorts of stuff upstream of that to ensure controls and whatnot, but so long as the bits on the drive are encrypted, everyone's happy. no clue what that dude's on about.
pangapingus@reddit
Who hurt you? Aggro on approach lol take it out on the end users, you know peoples' lived experiences are... different right?
bruteforcenet@reddit
Who’s aggro? You seem aggro, patronising me because you’re wrong and got offended? Consider the fact that you are misinterpreting the requirements if you think this is a real scenario.
In the meantime I suggest you take your bs stories and patronising behaviour somewhere else 👍
Ssakaa@reddit
Only time I've had it come up was juggling data between OSes... true hardware encrypted (Apricorn IIRC) was just a ton easier to provably show "the user can't deviate from policy" and handling encryption between offline linux and windows boxes that met requirements.
enterprisedatalead@reddit
We went through something similar last year when we were trying to clean up ticketing and alert workflows across multiple systems. The biggest issue honestly wasn’t setup, it was keeping ticket ownership, notifications, and asset data consistent once automations started piling up.
We actually ended up removing a bunch of “smart” automations because techs stopped trusting the sync after duplicate tickets and missed status updates started happening. After simplifying the workflows, things became way more stable and response times improved noticeably.
Feels like reliability and clean workflows matter more than having the biggest feature list with these platforms.
Are you mainly trying to improve technician workflow or reduce manual ticket handling?
Sroni4967@reddit
ironkey vaults have been solid for our offsite rotation setup
PinkertonFld@reddit
I've used Apricorn's thumb drive, they work well...
All of the big players (Seagate, WD and their brands) have hardware encryption drives available...
Ferretau@reddit
One place I was at used NASes with encryption on the drives enabled, then the backup itself was also encrypted. Depending on the amount of data and how concerned you are about loss of the one backup, it may be an option to consider.
iceph03nix@reddit
Every backup service I've used has backup encryption built in
We use Samsung T7s
TyberWhite@reddit
For compliance purposes, T7s are not enterprise-grade self-encrypting drives.
TyberWhite@reddit
iStorage diskAshur or Kingston Ironkey if you have to use a self encrypting drive.
orev@reddit
Many hardware encrypted drives have been found to have serious flaws where the encryption isn't actually secure, and with hardware you're tying yourself to one vendor and hoping that they didn't go with the cheapest chip that's prone to failure.
With software-based encryption, it's far more likely to be auditable and at least you have multiple choices. TrueCrypt, LUKS, etc. are all better options.
Also make sure you have a plan for key management, since you can't store those with the backups.
KandevDev@reddit
apricorn aegis padlock has been fine for us, ~3 years of monthly rotation, no failures. the keypad-on-the-drive thing feels gimmicky but it actually solves the "what laptop driver is the encryption tied to" problem nicely, you can plug it into anything and the encryption travels with the drive. istorage is the closer competitor, comparable build quality, slightly worse warranty terms in our case.
the warning i would give: hardware encryption sounds simpler than software but you are betting on the vendor not getting acquired or sunset. we had a brief panic when one of our older istorage models lost firmware updates. for monthly rotation specifically, plain disks + LUKS / bitlocker on a known mount workflow is also a totally valid path, more setup but no vendor lock-in.
FU-Lyme-Disease@reddit (OP)
Sincere thank you for the long thought out reply!
KandevDev@reddit
no worries, hope it lands well. if you do end up going apricorn, ping me after a year and tell me whether you hit the firmware drift thing or not. that is the one variable i would not bet on long term.
Darkk_Knight@reddit
I've used encryption that is built into the backup software. It makes it very portable from one drive to the next. ZFS has encryption capability.
Honestly I'd stick with using the backup tool for it; otherwise, when there is a time that you really need that backup restored, you'll be thankful that you did.
FU-Lyme-Disease@reddit (OP)
Sincere thank you for the long thought out reply!
pangapingus@reddit
Apricorn was fairly solid up through 2021 when my time in the SMB market ended, never had an issue. Should always encrypt the data on disk as well obv, but Apricorn is simple enough for office managers/etc. to handle if you defer rotation to on-prem staff (i.e. as an MSP we'd defer to the office manager to take one drive to the bank/etc. every day/week, swapping them out in place, and monitor for any next-day failures on swaps to remind them and whatnot).
FU-Lyme-Disease@reddit (OP)
Sincere thank you for the long thought out reply!
FarmboyJustice@reddit
Why do we think that disk hardware encryption is somehow safer with a stolen drive than encrypting the data before writing to the disk?
serialband@reddit
Just turn on Bitlocker (to Go) for Windows or LUKS for Linux and encrypt your external disk.
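A practical follow-up to orev's point about software encryption being auditable and serialband's LUKS suggestion: before a rotated disk leaves the building, something should confirm it actually carries an encrypted container rather than a plain filesystem. The script below is an added example, not code from any poster; it parses the binary LUKS1/LUKS2 header from the first 4 KiB of a device (the device path on the command line is an assumption) and includes a constructed sample header so the parser can be exercised offline.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"   # 6-byte on-disk signature shared by LUKS1 and LUKS2

def _cstr(field: bytes) -> str:
    """Decode a NUL-padded, fixed-width ASCII header field."""
    return field.split(b"\x00", 1)[0].decode("ascii", "replace")

def inspect_luks_header(hdr: bytes):
    """Parse the binary LUKS header found at the start of a device.
    Returns a dict of identifying fields, or None if no LUKS signature is present."""
    if len(hdr) < 208 or hdr[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", hdr[6:8])[0]   # all header integers are big-endian
    uuid = _cstr(hdr[168:208])                    # uuid[40] sits at offset 168 in both versions
    if version == 1:
        # LUKS1 layout: cipher-name[32]@8, cipher-mode[32]@40, hash-spec[32]@72, key-bytes u32@108
        cipher = f"{_cstr(hdr[8:40])}-{_cstr(hdr[40:72])}"
        key_bits = struct.unpack(">I", hdr[108:112])[0] * 8
        return {"version": 1, "uuid": uuid, "label": "", "cipher": cipher, "key_bits": key_bits}
    if version == 2:
        # LUKS2 layout: hdr_size u64@8, label[48]@24, checksum_alg[32]@72 (cipher lives in the JSON area)
        hdr_size = struct.unpack(">Q", hdr[8:16])[0]
        return {"version": 2, "uuid": uuid, "label": _cstr(hdr[24:72]),
                "checksum_alg": _cstr(hdr[72:104]), "hdr_size": hdr_size}
    return {"version": version, "uuid": uuid, "label": ""}

def audit_rotation_drive(device: str) -> str:
    """Read the first 4 KiB of a block device or image and report whether it is a LUKS container."""
    with open(device, "rb") as f:
        info = inspect_luks_header(f.read(4096))
    if info is None:
        return f"FAIL: {device} has no LUKS header; do not send this drive offsite"
    return f"OK: {device} is LUKS{info['version']} uuid={info['uuid']} label={info['label'] or '-'}"

def constructed_luks2_header(label: str, uuid: str) -> bytes:
    """Build a constructed (sample-only) LUKS2 primary header for testing the parser offline."""
    hdr = bytearray(4096)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">HQQ", hdr, 6, 2, 16384, 1)   # version, hdr_size, seqid
    hdr[24:24 + len(label)] = label.encode()
    hdr[72:78] = b"sha256"
    hdr[168:168 + len(uuid)] = uuid.encode()
    return bytes(hdr)

if __name__ == "__main__":
    import sys
    for dev in sys.argv[1:]:   # e.g. /dev/sdX (needs read access) or a disk image file
        print(audit_rotation_drive(dev))
```

Run it as root against the rotation drive's device node, or against a disk image, as the last step of the swap procedure; a FAIL means the disk was never set up with cryptsetup (or was wiped) and must not go offsite.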
Sparkycivic@reddit
Isn't that offered as a firmware feature these days??
Nonaveragemonkey@reddit
I've used Capricorn. Expensive as gold plated souls, but good and solid.
Ghost5k1@reddit
Why not just encrypt the backup?