Usability tips: Backup and snapshots

Date: 2021/11/02 (initial publish), 2022/08/22 (last update)

Backup and snapshot

For backup, data needs to be moved to a physically separate device. rsync ... is my choice to do this.

For snapshot, data can stay on the same device. btrfs subvolume snapshot ... is my choice to do this.

I created the bss script to help me do these easily, and its examples contain the key parts of the settings. Here are the basic tricks used in them.

Secure backup

In order to securely back up private data using non-secure remote storage, the data needs to be encrypted. Roughly, the following is an approach:

This can be done using the following tricks.

Create and format an encrypted filesystem in a disk image

$ dd bs=1 count=0 if=/dev/zero of=disk.img seek=7000M
$ mkdir disk
$ cryptsetup luksFormat disk.img
WARNING: ...
 ...
$ sudo cryptsetup open disk.img disk --type luks
Enter passphrase for disk.img: *****
$ ls -l /dev/mapper
total 0
crw------- 1 root root 10, 236 Nov  3 07:45 control
lrwxrwxrwx 1 root root       7 Nov  3 12:04 disk -> ../dm-0
$ sudo mkfs.btrfs /dev/mapper/disk
 ...
   ID        SIZE  PATH
    1     6.82GiB  /dev/mapper/disk

$ sudo mount /dev/mapper/disk /mnt
$ sudo chown 1000:1000 /mnt
$ sudo umount /mnt
$ sudo cryptsetup close disk

Mount and use an encrypted filesystem in a disk image

$ mkdir -p ~/path/to/mnt
$ sudo cryptsetup open disk.img disk --type luks
Enter passphrase for disk.img: *****
$ sudo mount /dev/mapper/disk ~/path/to/mnt
... (use files in ~/path/to/mnt as a user)
$ sudo umount /dev/mapper/disk
$ sudo cryptsetup close disk

In order to skip the passphrase hassle, let’s use GNOME Keyring.

Let me store my_pass_phrase_value in GNOME Keyring.

$ secret-tool store --label='LUKS password for disk.img' LUKS disk_img

Then, use GNOME Keyring to decrypt the LUKS device.

$ secret-tool lookup LUKS disk_img | \
  sudo cryptsetup open disk.img disk --type luks --key-file -

This avoids storing key file data in plain text.
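
The following is an added example, not code from bss or from the original post: a shell function that combines the keyring lookup with the open/mount/umount/close sequence above and always closes the mapping again, even when the wrapped command fails. The function name with_luks_image and the SUDO and SECRET_TOOL override variables are assumptions introduced here; the keyring entry "LUKS disk_img" is the one stored above.

```shell
#!/bin/sh
# Added example: run one command with the LUKS image unlocked, then always
# unmount and close it so the decrypted mapping is never left open.
# SUDO and SECRET_TOOL are hypothetical hooks so the commands can be replaced.
SUDO=${SUDO:-sudo}
SECRET_TOOL=${SECRET_TOOL:-secret-tool}

# Usage (example paths): with_luks_image disk.img disk ~/path/to/mnt \
#                            rsync -a ~/data/ ~/path/to/mnt/
with_luks_image() {
    luks_img=$1 luks_name=$2 luks_mnt=$3
    shift 3
    # A mapping left over from an earlier run means the cleanup was skipped;
    # stop instead of mounting on top of an unknown state.
    if [ -e "/dev/mapper/$luks_name" ]; then
        echo "mapping $luks_name is already open" >&2
        return 1
    fi
    # Keyring -> pipe -> cryptsetup: the passphrase is never written to a
    # file and never appears in a command line.
    "$SECRET_TOOL" lookup LUKS disk_img |
        $SUDO cryptsetup open "$luks_img" "$luks_name" --type luks --key-file - ||
        return 1
    luks_rc=0
    if $SUDO mount "/dev/mapper/$luks_name" "$luks_mnt"; then
        "$@" || luks_rc=$?                  # the wrapped command, e.g. rsync
        $SUDO umount "$luks_mnt" || luks_rc=$?
    else
        luks_rc=1
    fi
    # Close the mapping whether or not mount or the command succeeded.
    $SUDO cryptsetup close "$luks_name" || luks_rc=$?
    return $luks_rc
}
```

A non-zero return value means the unlock, the mount, the wrapped command or the cleanup failed, so a backup job calling this function should treat it as a failed run.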

For ~/path/to/mnt, use ~/Document. For ~/.gnupg and ~/.ssh, a bind mount may be an idea.

Hints for LUKS and its auto-unlocking on the web
