Differences
This shows you the differences between two versions of the page.
encrypted_backups_to_the_cloud [13.08.2017 12:50] – [gocryptfs installation] Pascal Suter | encrypted_backups_to_the_cloud [15.08.2017 08:01] – [the script] Pascal Suter | ||
Line 30: | Line 30: | ||
I decided to go with gocryptfs in reverse mode and rsync to backup my files to a remote server. As i can put a physical harddrive into the remote backup server to which the VPS will then have exclusive access, i will first run the backup locally from disk to disk and then introduce ssh as a transport tunnel to do remote incrementals in the future. | I decided to go with gocryptfs in reverse mode and rsync to backup my files to a remote server. As i can put a physical harddrive into the remote backup server to which the VPS will then have exclusive access, i will first run the backup locally from disk to disk and then introduce ssh as a transport tunnel to do remote incrementals in the future. | ||
+ | now I use [[backup_with_rubi|rubi]] as a backup tool on my server and it creates a new directory for every backup containing a full backup (it basically does an incremental backup and hardlinks all unchanged files, so every backup directory contains a full backup in the end). Rubi has a file called '' | ||
+ | In order to use this with the --reverse functionality of gocryptfs we need to create a directory that can be initialized with gocryptfs (where the config is stored) that then contains a sub directory to which we will bind-mount the latest backup before doing the rsync of the encrypted gocryptfs mount. with this method all hardlinked files will stay the same in the crypted version and only changed files will be transfered by rsync later on. once the backup is complete we will unmount the bind mount. | ||
===== the setup ===== | ===== the setup ===== | ||
==== Prepare the Target ==== | ==== Prepare the Target ==== | ||
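Review bot: the second added paragraph ("In order to use this with the --reverse functionality ...") leaves out the condition its incremental argument rests on: the sub directory inside the gocryptfs-initialized directory has to keep the same name on every run, and the latest rubi backup must always be bind-mounted over that same sub directory rather than gocryptfs being pointed at the rubi tree itself. The claim that "all hardlinked files will stay the same in the crypted version and only changed files will be transfered by rsync" only holds while the unchanged files sit at the same relative path under the reverse root each time; if the sub directory were renamed per backup, the whole tree would show up as new to rsync. Suggest one sentence saying the sub directory is created once and only ever mounted over, never renamed. Also, the sentence "Rubi has a file called ''" breaks off before naming the file, so the reader cannot connect it to the LATEST= line the script reads the backup name from; the file name should be spelled out here.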
Line 57: | Line 59: | ||
mv gocryptfs.1 / | mv gocryptfs.1 / | ||
gocryptfs --version | gocryptfs --version | ||
+ | ==== setup the mount points ==== | ||
+ | ''/ | ||
+ | mkdir -p / | ||
+ | now we can initialize ''/ | ||
+ | gocryptfs --init --reverse / | ||
+ | enter your desired password when prompted. | ||
+ | |||
+ | now mount the crypted directory: | ||
+ | gocryptfs --reverse / | ||
+ | you will be prompted for your password and it will show you your master key.. NOTE THAT KEY! it will be your only way to access your offsite Backup once your main server is gone! make sure you safe it somewhere where you still have access even when you lost all your data you are backing up here ;) | ||
+ | |||
+ | ==== the script ==== | ||
+ | now this is the script that i will run daily in a cron job. the script assumes that the gfscrypt directory will always be left mounted. this way there is no need to safe the password on the server, instead you will need to manually mount gocryptfs after a reboot of the server. if you forget that, the backup script will inform you by mail the next time it runs that it could not do the backup because the mount was not there. | ||
+ | |||
+ | in case you want to mount the gocryptfs mount automatically and unmount it after each backup you can do that by using the '' | ||
+ | |||
+ | <code bash offsiteBackup.sh> | ||
+ | # | ||
+ | |||
+ | # (c) 2017 Pascal Suter, Version 0.10 Beta | ||
+ | # this script creates an enecrypted offsite backup of a locally kept backup. | ||
+ | # ideally suited to work with rubi (http:// | ||
+ | # for a full description and setup instructions read | ||
+ | # http:// | ||
+ | # uses gocryptfs (https:// | ||
+ | # you may use, modify and re-distribute this script AT YOUR OWN RISK free of charge. | ||
+ | |||
+ | CRYPTED="/ | ||
+ | TARGET="/ | ||
+ | LATEST=$(cat / | ||
+ | PLAINDIR="/ | ||
+ | PLAINMOUNT=" | ||
+ | RECIPIENTS=" | ||
+ | LOCKFILE="/ | ||
+ | RSYNCOPTS="" | ||
+ | # | ||
+ | |||
+ | function fail { | ||
+ | echo " | ||
+ | exit 1 | ||
+ | } | ||
+ | |||
+ | function success { | ||
+ | ( echo "the offsite backup was successfully updated to backup version $LATEST" | ||
+ | echo "here are the last lines of the rsync process:" | ||
+ | tail -n 3 / | ||
+ | umount $PLAINMOUNT 2>/ | ||
+ | exit 0 | ||
+ | } | ||
+ | |||
+ | me=`basename " | ||
+ | |||
+ | # get a lock and run me embedded | ||
+ | if [ " | ||
+ | echo " | ||
+ | flock -E 66 -n ${LOCKFILE} $0 --embedded | tee / | ||
+ | state=$? | ||
+ | if [ $state -eq 66 ]; then | ||
+ | fail "there was another offsiteBackup process still running, so we skipped this round" | ||
+ | fi | ||
+ | exit $state | ||
+ | fi | ||
+ | |||
+ | # make sure our crypted directory is mounted | ||
+ | grep " | ||
+ | if [ $? -gt 0 ]; then | ||
+ | fail " | ||
+ | fi | ||
+ | |||
+ | # unmount any previous bind mounts to $PLAINMOUNT and check it is no longer mounted | ||
+ | umount $PLAINMOUNT 2>/ | ||
+ | grep " | ||
+ | if [ $? -eq 0 ]; then | ||
+ | fail "There seems to be a stale mount on $PLAINMOUNT, | ||
+ | fi | ||
+ | |||
+ | # mount the latest backup: | ||
+ | mount -B " | ||
+ | if [ $? -gt 0 ]; then | ||
+ | fail "there was a problem mounting the latest backup from $LATEST to $PLAIMOUNT" | ||
+ | fi | ||
+ | |||
+ | # rsync to offsite location | ||
+ | rsync -AaHvXx --delete $RSYNCOPTS " | ||
+ | res=$? | ||
+ | if [ $res -gt 0 ]; then | ||
+ | if [ $res -eq 24 ]; then | ||
+ | #some files vanished during the backup, that's not a failure of the backup, so send the success message | ||
+ | success | ||
+ | else | ||
+ | fail "there was a problem with the offsite backup, check / | ||
+ | fi | ||
+ | else | ||
+ | success | ||
+ | fi | ||
+ | </ | ||
+ | === Known Issues === | ||
+ | For some reason gocryptfs seems to generate some files like '' | ||
+ | |||
+ | ===== Restoring Files ===== | ||
+ | to restore files you could use '' | ||
+ | sshfs user@remote.server:/ | ||
+ | and now use gocryptfs to uncrypt the contents and restore some files: | ||
+ | gocryptfs / | ||
+ | now you should see all your files in / | ||
+ | |||
+ | unmount both mounts once you are done. |
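Review bot: the lock wrapper in "the script" never sees the embedded run's exit status, so the "another process still running" branch is dead and cron is told the backup succeeded even when it did not. In "flock -E 66 -n ${LOCKFILE} $0 --embedded | tee / ..." followed by "state=$?", the status captured is tee's, not flock's; put "set -o pipefail" before the pipeline or read "state=${PIPESTATUS[0]}" immediately after it, otherwise the later "if [ $state -eq 66 ]" and "exit $state" only ever report 0. Smaller points in the same hunk: the fail message for the bind mount reads "$PLAIMOUNT" (missing N), so the mail will show an empty path; "LATEST=$(cat / ..." has no guard, and an empty LATEST turns "mount -B ..." into a mount of the rubi root rather than a failure, so add a check that LATEST is non-empty before mounting; "fail" exits without the "umount $PLAINMOUNT" that "success" performs, leaving the latest backup bind-mounted inside the reverse root after a failed rsync until the next run cleans it up (an EXIT trap, or an umount inside fail, keeps both paths symmetric); and the two "umount $PLAINMOUNT" lines should quote the variable like the mount line does. In "setup the mount points", the master key warning should also say where not to keep it: not on the server being backed up and not next to the encrypted copy on the remote host, since anyone holding that key can read the offsite backup without the password. Finally, the "Known Issues" sentence ("files like ''") and the "Restoring Files" commands are missing the file name and paths they refer to, so the restore walkthrough cannot be followed as written.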