I like to have my backup's as encrypted just in case the backup server is compromised. In this guide, I'll make a Raspberry Pi (3) backup to Windows (7) shared folder. The backup will use rsync so it will be a file level backup. I haven't found any tools that make backup using a real file system level snapshots for Raspberry Pi. They would be the best, because the backup is then consistent.
This backup script is for daily 7-day rolling backup. With rsnapshot it's easy to add hourly, monthly and yearly backups to your script.
First make yourself superuser
sudo su
Connect to CIFS network drive
Add your network drive to /etc/fstab:
vi /etc/fstab
and add row:
//BackupComputer/Backup /mnt/BackupEncrypted cifs username=your_name,password=your_password 0 0
Of course change the name of your backup computer mount (//BackupComputer/Backup), username(your_username) and password (your_password).
Mount the new share
mkdir /mnt/BackupEncrypted
mount /mnt/BackupEncrypted
Create image file in mounted share. Size of my SD card is 32Gb, so I have in my count parameter 33. the size of the created file is bs*count. Just make sure the size is bigger than one full backup AND all incremental backups you want to save.
dd if=/dev/zero bs=1M count=33000 of=/mnt/BackupEncrypted/Backup.img
This took about 2 hours for my 32Gb SD.
You can check from Windows side that file exists.
Create encrypted disk with dm-crypt and LUKS
Create encrypted disk
apt-get install cryptsetup
cryptsetup luksFormat /mnt/BackupEncrypted/Backup.img
Create a new password for your backup
Create key file for passwordless decryption
apt-get install hashalot
hashalot -n 32 ripemd160 > /etc/backup.enryption.key
Give password as passphrase
Check the key slots of encrypted disk
cryptsetup luksDump /mnt/BackupEncrypted/Backup.img
In the result should read:
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key slot 1 should be free
Add key file to encrypted disk
cryptsetup luksAddKey --key-slot 1 /mnt/BackupEncrypted/Backup.img /etc/backup.enryption.key
Give the password to authenticate
Check that new key file is in place in slot 1
cryptsetup luksDump /mnt/BackupEncrypted/Backup.img
In the result now should read:
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key slot 1 is now used
Now open the encrypted volume with key file
cryptsetup luksOpen -d /etc/backup.enryption.key /mnt/BackupEncrypted/Backup.img Backup
-- Make a new file system in encrypted volume
mkfs.ext4 -j /dev/mapper/Backup
Mount new disk
mkdir /mnt/Backup
mount /dev/mapper/Backup /mnt/Backup
Install and configure Rsnapshot
Install Rsnapshot
apt-get install rsnapshot
Make root directory for your backup
mkdir /mnt/Backup/rsnapshot
Configure Rsnapshot
vi /etc/rsnapshot.conf
#################################################The file should not contain spaces as a separator. Change the spaces to tabs.
# rsnapshot.conf - rsnapshot configuration file #
#################################################
# #
# PLEASE BE AWARE OF THE FOLLOWING RULES: #
# #
# This file requires tabs between elements #
# #
# Directories require a trailing slash: #
# right: /home/ #
# wrong: /home #
# #
#################################################
#######################
# CONFIG FILE VERSION #
#######################
config_version 1.2
###########################
# SNAPSHOT ROOT DIRECTORY #
###########################
# All snapshots will be stored under this root directory.
snapshot_root /mnt/Backup/rsnapshot/
# If no_create_root is enabled, rsnapshot will not automatically create the
# snapshot_root directory. This is particularly useful if you are backing
# up to removable media, such as a FireWire or USB drive.
no_create_root 1
cmd_cp /bin/cp
cmd_rm /bin/rm
cmd_rsync /usr/bin/rsync
cmd_ssh /usr/bin/ssh
cmd_logger /usr/bin/logger
cmd_du /usr/bin/du
#interval hourly 6
interval daily 7
#interval weekly 4
#interval monthly 12
#interval yearly 2
verbose 2
loglevel 3
logfile /var/log/rsnapshot.log
lockfile /var/run/rsnapshot.pid
ssh_args -o BatchMode=yes
backup / . exclude_file=/etc/rsnapshot.exclude.conf
Configure the exclude file that contains information which files and directories are excluded from backup.
vi /etc/rsnapshot.exclude.conf
- /lost+found
- /media/*
- /cdrom/*
- /proc/*
- /mnt/*
- /run/*
- /tmp/*
- /sys/*
- /dev/*
First test that everything is fine with Rsnapshot. If your conf-file has errors (the spaces!), it will show errors now.
rsnapshot -t daily
When everything seems to be fine, we can make first run of rsnapshot:
rsnapshot daily
This may take 1 hour to run. Depends on how much data you have on your card.
Then close everything
umount /mnt/Backup
cryptsetup luksClose Backup
umount /mnt/BackupEncrypted
Create automatic daily backups with cron
Create backup script
vi /usr/local/sbin/BackupScript.sh
Make script executable
#!/bin/sh
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH
# Mount remote directory
mount /mnt/BackupEncrypted
# Open encrypted volume
cryptsetup luksOpen -d /etc/backup.enryption.key /mnt/BackupEncrypted/Backup.img Backup
# Mount encrypted volume
mount /dev/mapper/Backup /mnt/Backup
# Backup
rsnapshot daily
# Unmount encrypted volume
umount /mnt/Backup
# Close encrypted volume
cryptsetup luksClose Backup
# Unmount remote directory
umount /mnt/BackupEncrypted
chmod 744 /usr/local/sbin/BackupScript.sh
We are nearly finished!
Just add backup script to crontab:
crontab -e
and add line:
00 04 * * * /usr/local/sbin/BackupScript.sh > /var/log/BackupScript.log
This will execute the script every night at 04:00.
Next day check that everything went ok.
Comments
Post a Comment