Backing up Raspberry Pi 3 to an encrypted network drive


I like to keep my backups encrypted, just in case the backup server is compromised. In this guide, I'll back up a Raspberry Pi (3) to a Windows (7) shared folder. The backup uses rsync, so it is a file-level backup. I haven't found any tools for the Raspberry Pi that make backups from real file-system-level snapshots. Those would be the best, because the backup would then be consistent.

This backup script is for a daily, 7-day rolling backup. With rsnapshot it's easy to add hourly, monthly and yearly backups to your script.

First make yourself superuser
sudo su

Connect to CIFS network drive


Add your network drive to /etc/fstab:

vi /etc/fstab
and add this row:
//BackupComputer/Backup /mnt/BackupEncrypted cifs username=your_name,password=your_password 0 0

Of course, change the name of your backup computer share (//BackupComputer/Backup), the username (your_name) and the password (your_password) to your own values.

Mount the new share
mkdir /mnt/BackupEncrypted
mount /mnt/BackupEncrypted

Create an image file in the mounted share. The size of my SD card is 32 GB, so I have 33 in my count parameter. The size of the created file is bs*count, so bs=1M with count=33000 gives about 33 GB. Just make sure the size is bigger than one full backup AND all incremental backups you want to save.
dd if=/dev/zero bs=1M count=33000 of=/mnt/BackupEncrypted/Backup.img 
This took about 2 hours for my 32 GB SD.
You can check from the Windows side that the file exists.

Create encrypted disk with dm-crypt and LUKS


Create encrypted disk
apt-get install cryptsetup
cryptsetup luksFormat /mnt/BackupEncrypted/Backup.img
Create a new password for your backup

Create key file for passwordless decryption
apt-get install hashalot
hashalot -n 32 ripemd160 > /etc/backup.enryption.key
Give the password as the passphrase

Check the key slots of encrypted disk
cryptsetup luksDump /mnt/BackupEncrypted/Backup.img
The output should read:
Key Slot 0: ENABLED
Key Slot 1: DISABLED

Key slot 1 should be free

Add key file to encrypted disk
cryptsetup luksAddKey --key-slot 1 /mnt/BackupEncrypted/Backup.img /etc/backup.enryption.key
Give the password to authenticate

Check that the new key file is in place in slot 1
cryptsetup luksDump /mnt/BackupEncrypted/Backup.img
The output should now read:
Key Slot 0: ENABLED
Key Slot 1: ENABLED

Key slot 1 is now used

Now open the encrypted volume with the key file
cryptsetup luksOpen -d /etc/backup.enryption.key /mnt/BackupEncrypted/Backup.img Backup

Make a new file system in the encrypted volume
mkfs.ext4 -j /dev/mapper/Backup

Mount new disk
mkdir /mnt/Backup
mount /dev/mapper/Backup /mnt/Backup
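
An added check, not part of the original guide: the fstab row above stores the share password inline, and the key file in /etc opens the encrypted volume without a prompt, so both must be unreadable to other local users. The function name audit_backup_secrets and the check argument are illustrative; the default paths are the ones used in this guide.

```sh
#!/bin/sh
# Added example: audit the secrets this guide leaves on the Pi.
# audit_backup_secrets is an illustrative name; default paths are the guide's.
# Prints one finding per line and returns 1 if anything was found.
audit_backup_secrets() {
    fstab=${1:-/etc/fstab}
    keyfile=${2:-/etc/backup.enryption.key}
    found=0

    # /etc/fstab is normally world-readable, so an inline password= on a
    # cifs row can be read by every local user.
    if awk '$1 !~ /^#/ && $3 == "cifs" && $4 ~ /(^|,)password=/ { hit = 1 }
            END { exit !hit }' "$fstab"; then
        echo "$fstab: cifs password stored inline, use credentials=<file>"
        found=1
    fi

    # A cifs row with credentials=<file> moves the secret into that file,
    # so it is checked together with the LUKS key file.
    creds=$(awk '$1 !~ /^#/ && $3 == "cifs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (sub(/^credentials=/, "", opt[i])) print opt[i]
        }' "$fstab")

    # Unquoted on purpose: one path per word (paths with spaces unsupported).
    for f in $keyfile $creds; do
        [ -e "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group/other bits.
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "$f: accessible to group/other, expected mode 600"
            found=1
        fi
    done
    return "$found"
}

# Check the real files only when asked to: sh audit.sh check
if [ "${1:-}" = check ]; then
    audit_backup_secrets
    exit $?
fi
```

To clear the findings, chmod 600 the key file and move the username= and password= lines into a root-only file named by the cifs credentials= mount option.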


Install and configure Rsnapshot


Install Rsnapshot
apt-get install rsnapshot
Make root directory for your backup
mkdir /mnt/Backup/rsnapshot

Configure Rsnapshot
vi /etc/rsnapshot.conf
#################################################
# rsnapshot.conf - rsnapshot configuration file #
#################################################
# #
# PLEASE BE AWARE OF THE FOLLOWING RULES: #
# #
# This file requires tabs between elements #
# #
# Directories require a trailing slash: #
# right: /home/ #
# wrong: /home #
# #
#################################################

#######################
# CONFIG FILE VERSION #
#######################

config_version  1.2
###########################
# SNAPSHOT ROOT DIRECTORY #
###########################

# All snapshots will be stored under this root directory.
snapshot_root   /mnt/Backup/rsnapshot/
# If no_create_root is enabled, rsnapshot will not automatically create the
# snapshot_root directory. This is particularly useful if you are backing
# up to removable media, such as a FireWire or USB drive.
no_create_root  1
cmd_cp  /bin/cp
cmd_rm  /bin/rm
cmd_rsync       /usr/bin/rsync
cmd_ssh /usr/bin/ssh
cmd_logger      /usr/bin/logger
cmd_du  /usr/bin/du
#interval hourly 6
interval        daily   7
#interval weekly 4
#interval monthly 12
#interval yearly 2
verbose 2
loglevel        3
logfile /var/log/rsnapshot.log
lockfile        /var/run/rsnapshot.pid
ssh_args        -o BatchMode=yes
backup  /       .       exclude_file=/etc/rsnapshot.exclude.conf

The file must not use spaces as separators. If you copy the configuration above, change the spaces between elements to tabs.

Configure the exclude file, which lists the files and directories that are excluded from the backup.
vi /etc/rsnapshot.exclude.conf

- /lost+found
- /media/*
- /cdrom/*
- /proc/*
- /mnt/*
- /run/*
- /tmp/*
- /sys/*
- /dev/*

First test that everything is fine with Rsnapshot. If your conf-file has errors (the spaces!), it will show errors now.
rsnapshot -t daily

When everything seems to be fine, we can make the first run of rsnapshot:
rsnapshot daily

This may take 1 hour to run, depending on how much data you have on your card.

Then close everything
umount /mnt/Backup
cryptsetup luksClose Backup
umount /mnt/BackupEncrypted

Create automatic daily backups with cron


Create backup script
vi /usr/local/sbin/BackupScript.sh

#!/bin/sh

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH

# Mount remote directory
mount /mnt/BackupEncrypted

# Open encrypted volume
cryptsetup luksOpen -d /etc/backup.enryption.key /mnt/BackupEncrypted/Backup.img Backup

# Mount encrypted volume
mount /dev/mapper/Backup /mnt/Backup

# Backup
rsnapshot daily

# Unmount encrypted volume
umount /mnt/Backup

# Close encrypted volume
cryptsetup luksClose Backup

# Unmount remote directory
umount /mnt/BackupEncrypted

Make the script executable
chmod 744 /usr/local/sbin/BackupScript.sh
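
The same script with failure handling, as an added example that is not the original author's script: each step runs only if the previous one succeeded, and the teardown always runs so the decrypted volume is not left open after a failed backup. The function name run_backup and the run argument are illustrative; the paths and the mapper name are the guide's.

```sh
#!/bin/sh
# Added example: BackupScript.sh with failure handling. Paths and the mapper
# name come from this guide; run_backup and the "run" argument are illustrative.
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH
SHARE=/mnt/BackupEncrypted
KEY=/etc/backup.enryption.key
TARGET=/mnt/Backup

run_backup() {
    stage=0
    rc=0
    # Each step runs only if the one before it succeeded. `stage` records
    # how far setup got, so a failed mount or luksOpen stops the run and
    # cleanup undoes exactly what was set up.
    if mount "$SHARE"; then
        stage=1
        if cryptsetup luksOpen -d "$KEY" "$SHARE/Backup.img" Backup; then
            stage=2
            if mount /dev/mapper/Backup "$TARGET"; then
                stage=3
                rsnapshot daily || rc=$?
            else rc=1; fi
        else rc=1; fi
    else rc=1; fi

    # Tear down in reverse order even when the backup itself failed, so the
    # decrypted volume does not stay open on the Pi.
    if [ "$stage" -ge 3 ]; then umount "$TARGET" || rc=1; fi
    if [ "$stage" -ge 2 ]; then cryptsetup luksClose Backup || rc=1; fi
    if [ "$stage" -ge 1 ]; then umount "$SHARE" || rc=1; fi
    return "$rc"
}

# Run only when asked to: BackupScript.sh run
if [ "${1:-}" = run ]; then
    run_backup
    exit $?
fi
```

With this variant the crontab entry calls /usr/local/sbin/BackupScript.sh run, and the script exits non-zero if any step failed.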

We are nearly finished!
Just add the backup script to crontab:
crontab -e
and add this line:
00 04 * * * /usr/local/sbin/BackupScript.sh > /var/log/BackupScript.log


This will execute the script every night at 04:00.
The next day, check that everything went OK.

