Backup Thoughts

- 6 minutes read - 1104 words

This started as a little document to get down my thoughts, but I figured I’d Markdownize it and make it into a blog post, where it can be not only a reference for me, but also for everyone else!

I like to think I have a pretty decent backup system in place. I have a 2Tb USB-C HDD that hangs out in my office and effectively mirrors my laptop. I also have a lot of older material on it; my previous laptop, as well as my desktop from years past, makes up a stratum or two on there. And I try to remember to do a full backup once a month or so, but I don’t always remember, which is not great. I like to know my files are safe, just in case my laptop blows up or something. Putting /home on its own partition is always a good practice, so then / (your system files, the OS, &c.) can be wiped and reinstalled without touching your important files. But that’s not enough, and that’s where backups come into play.

Backing up to a physical hard drive is great. I am looking into getting a safe to put important files into, and probably also that HDD, because why not? But why not add another level of redundancy and have another mirror of your files? If you are wanting a second mirror, or maybe want to do something other than a physical HDD, then hopefully this post will be helpful. I originally planned on setting up a cloud backup service, but that did not end well. I ended up just increasing the space on this VPS to allow for backups.

This tutorial is heavily based on, and builds upon, this tutorial, which is a great starting point. However, at least in my use case, I found that there are some corrigenda within though. I would recommend reading this alongside the linked tutorial, since it includes some fixes, and I will try not to duplicate that tutorial too much as a result.

This post assumes that you have access to either a remote server (VPS, virtual private server, vel sim.), or you can do this on a Raspberry Pi or something if you want. I’m also assuming you’re running some flavor of Linux on your host system; if you have Windows, then your backup solution is going to look different. Unless, of course, you are using Cygwin or something similar, then cool. We are also assuming you have the rsync (“remote sync”) program installed.

here is the rough process:

  • create a “backup” user on the remote system; this user will only be used for backup purposes
  • make sure the created user has access to ssh and sftp (on my VPS running YunoHost, I had to add the user to sftp.app and ssh.app groups)
  • 100% use public key authentication! What does this mean?
    • Public key authentication means you don’t use a password to log into the server, but rather an encrypted keyfile, which can (and should) have a password.
    • The tutorial linked above will tell you how to do this; here is another helpful tutorial on setting up public key authentication.
  • make sure the cryptsetup program is installed on your system, and fuse as well; doing apt install cryptsetup seemed to do the trick on Debian Linux at least

Once you’ve set up public key authentication for your “backup” user, and have confirmed that you can log in with this user, then we’ll set up the encrypted backup itself.

  • Create the mountpoints (i.e., create the following directories)
    • /mnt/backup-host (for the container file)
    • /mnt/remote-backup (for the encrypted partition we’ll create)
  • Now mount the remote file system over sshfs: sudo sshfs -o allow_other -o "IdentityFile=\<your keyfile\>" \<backup user\>@\<serverIP\>:\<backup user's homedir\> /mnt/backup-host/
    • I use a different port for SSH, so take that into account too and pass -p<port#> if needed
    • You can also create a directory off of the homedir and mount that instead for a place for your backup to live; whatever you prefer.
  • Create the encrypted backup file: truncate -s \<limit\> /mnt/backup-host/backups-system-a.luks
    • The <limit> can be expressed in megabytes (M), gigabytes (G), or even terabytes (T), but must take an integer. I wanted to do 1.5 terabytes, but had to express it in Gb, and used 1500G for 1500Gb.

That step will take a little while. Once that’s done:

  • Create your keyfile: sudo dd if=/dev/random of=/root/.keyfiles/backupstore.key bs=4096 count=1
    • This file will be the private key that will let you open the encrypted backup. Just think, 4096 bytes of random data (pulled from /dev/random, of course).
    • make sure the directory /root/.keyfiles exists; if it doesn’t, dd will fail
    • make sure you back up this keyfile somewhere else; otherwise your backups will be unreadable and useless
  • Chmod the keyfile to 600: sudo chmod 600 /root/.keyfiles/backupstore.key
  • Create an encrypted partition inside the LUKS backup file: sudo cryptsetup luksFormat /mnt/backup-host/backups-system-a.luks --key-file /root/.keyfiles/backupstore.key

Once the encrypted “container” file is created, we’ll create a partition within it:

  • Open the encrypted backup: sudo cryptsetup open --type luks /mnt/backup-host/backups-system-a.luks --key-file /root/.keyfiles/backupstore.key backup-partition
  • Create the partition: sudo mkfs.ext4 -m0 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/backup-partition
    • This will also take some time…
  • Mount the partition: sudo mount /dev/mapper/backup-partition /mnt/remote-backup

Now your encrypted partition will be mounted at /mnt/remote-backup, and you can rsync to it all you want! Look at the linked tutorial above for suggestions on calling rsync. Throw files at the encrypted backup to your heart’s content; it will function like just another folder on your computer, but in fact we’re talking to a remote computer over sshfs.

When you’re done chucking files at the encrypted backup:

  • Unmount the backup partition: sudo umount /mnt/remote-backup
  • Close out the encrypted file: sudo cryptsetup close /dev/mapper/backup-partition
  • Close out the connection over sshfs: sudo fusermount -u /mnt/backup-host

In future, to mount everything:

  • Connect via sshfs: sudo sshfs -o allow_other -o "IdentityFile=\<your keyfile\>" \<backupuser\>@\<serverIP\>:\<backup user's homedir\> /mnt/backup-host/
  • Open the encrypted file: sudo cryptsetup open --type luks /mnt/backup-host/backups-system-a.luks --key-file /root/.keyfiles/backupstore.key backup-partition
  • Mount the backup partition: sudo mount /dev/mapper/backup-partition /mnt/remote-backup

Just use the unmount sequence of commands to close it out.

I just set up shell scripts (.sh files) automating the mount/unmount process, so it should be pretty easy to just chuck those into a file and run as needed.

I’m really pleased with this setup, especially since I can do encrypted backups with nothing but standard shell commands and rsync. I hope this is useful for you as well. I know it may be a little niche, but if you have a Linux setup at home and a Linux server to play around with, it’s well worth trying it out. Thank you for reading, friends <3