Diffstat (limited to 'docs/backups.md')
-rw-r--r--docs/backups.md111
1 files changed, 87 insertions, 24 deletions
diff --git a/docs/backups.md b/docs/backups.md
index c612116..d39a85c 100644
--- a/docs/backups.md
+++ b/docs/backups.md
@@ -11,33 +11,73 @@ This mostly has to do with `hydractl` commands such as
* But all this does not exempt a team from manually testing backups and to make
their own offline copies in external drives.
+## Parameters
+
+Start by running the following commands in your terminal, adjusting to your
+case:
+
+ export HYDRA="hydra-name"
+ export DISK="disk-name"
+ export DEVICE="/dev/sdc"
+ export USER="`whoami`"
+ export DOMAIN="`facter domain`"
+
+ if [ "$USER" != "root" ]; then
+ export SUDO="sudo"
+ fi
+
## New external drive
-Proceed as follows
+To add a new external drive into the pool, proceed as follows.
+
+First make sure to create a passphrase for the new disk into your hydra's keyring:
+
+ keyringer $HYDRA pwgen disks/$DISK.$DOMAIN/luks/root
+
+If you're using a USB drive, run this before plugging it on the computer:
+
+ hydractl usb-enable
+
+With the disk plugged in, make a layout with single `${DEVICE}1` partition
+(example: a disk with only one partition like `/dev/sdc1`):
+
+ $SUDO cfdisk ${DEVICE}
+
+Now create the LUKS encryption header in this new disk, using the passphrase
+generated above by keyringer:
- disk=new-disk-name
- device=/dev/sdc
- hydractl usb-enable # run this for USB drives, then connect the disk
- sudo cfdisk ${device} # layout with single ${device}1 partition
- sudo cryptsetup luksFormat ${device}1
- sudo cryptsetup luksOpen ${device}1 $disk
- sudo mkfs.ext4 /dev/mapper/$disk
- sudo mkdir /media/$disk
- sudo mount /dev/mapper/$disk /media/$disk
- sudo mkdir /media/$disk/media.`facter domain`
- sudo chown `whoami`: /media/$disk/media.`facter domain`
+ $SUDO cryptsetup luksFormat ${DEVICE}1
-## NAS
+If you want to make this volume to have a label (helpful for detecting the disk
+etc; downside: third parties can easily get the name), run this command:
+
+ $SUDO cryptsetup config ${DEVICE}1 --label ${DISK}
+
+Open the encrypted volume and create the basic filesystem structure needed
+to sync content:
+
+ $SUDO cryptsetup luksOpen ${DEVICE}1 $DISK
+ $SUDO mkfs.ext4 /dev/mapper/$DISK
+ $SUDO mkdir /media/$DISK
+ $SUDO mount /dev/mapper/$DISK /media/$DISK
+ $SUDO mkdir /media/$DISK/media.$DOMAIN
+ $SUDO chown ${USER}: /media/$DISK/media.$DOMAIN
+
+Finally, umount the drive:
+
+ hydractl umount-media $DISK
+
+## Regular sync
These commands should be enough to sync all media archives:
hydractl usb-enable # run this for USB drives, then connect the disk
- hydractl mount-media $MEDIA
- hydractl sync-media $MEDIA
+ hydractl mount-media $DISK
+ hydractl sync-media $DISK
As this should handle syncing all backups:
- hydractl sync-backups $MEDIA
+ hydractl sync-backups $DISK
## TPC
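Review bot: `$SUDO cryptsetup luksFormat ${DEVICE}1` irreversibly wipes whatever `DEVICE` currently points at, and the only guard is the reader remembering to adjust `export DEVICE="/dev/sdc"` in the Parameters block. Suggest inserting a verification step before the `cfdisk` line, for example `lsblk -o NAME,SIZE,MODEL ${DEVICE}`, and asking the reader to confirm the model and size match the new drive. Two smaller points in the same hunk: `${DEVICE}1` only matches `sdX`-style naming (NVMe devices use a `p1` suffix), which is worth a parenthetical next to the `/dev/sdc1` example; and `export USER="\`whoami\`"` overwrites the `USER` variable the login shell already sets, so it is either redundant or, if it ever differs, surprising, and a distinct name such as `HYDRA_USER` would be safer.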
@@ -57,6 +97,11 @@ Then do the following:
hydractl mount-media $TPC
hydractl sync-tpc $TPC
+If you don't want to do a full TPC sync, but just want to sync the home folders
+(which is faster), use the following instead of the last command above:
+
+ hydractl sync-home $TPC
+
To sync archives and remote backups, proceed with as explained in the NAS
section.
@@ -71,10 +116,10 @@ homedir backups in the external archive/backup volume.
You might want to backup the whole SSD, M-SATA or microSD from your appliances.
If so, proceed as follows with the appliance device connected in your TPC:
- export appliance=appliance-name
- export dest="/var/backups/remote/$appliance.`facter domain`/image/`date +%Y%m%d`"
- sudo mkdir -p $dest
- dcfldd if=/dev/sdb | bzip2 > $dest/$appliance.img.bz2
+ export APPLIANCE="appliance-name"
+ export DEST="/var/backups/remote/${APPLIANCE}.${DOMAIN}/image/`date +%Y%m%d`"
+ $SUDO mkdir -p $dest
+ dcfldd if=/dev/sdb | bzip2 > $DEST/${APPLIANCE}.img.bz2
## Smartphone
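Review bot: the line `$SUDO mkdir -p $dest` still uses the old lowercase `$dest` while the hunk renames the variable to `DEST`, so `mkdir` runs with an empty operand and fails, and the following redirect into `$DEST/${APPLIANCE}.img.bz2` then has no directory to write to. Change it to `$SUDO mkdir -p $DEST`. Also worth checking: the `dcfldd if=/dev/sdb | bzip2 > ...` line has no `$SUDO`, yet it reads a raw block device and writes under `/var/backups/remote`, which the preceding `mkdir` needed `$SUDO` to create; if the unprivileged user is not expected to have access to both, consider `$SUDO dcfldd ... | bzip2 | $SUDO tee $DEST/${APPLIANCE}.img.bz2 >/dev/null` or an equivalent. Finally, `/dev/sdb` is hardcoded here while the rest of the document now takes the device from a variable; reusing `DEVICE` (with the same verification caveat) would be consistent.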
@@ -100,7 +145,9 @@ A Backup Kit is a box with the following items:
* External encrypted archive/backup disk.
* Case for SSD transportation.
* Laptop power adapter and cables.
-* Dockstation SATA/USB/M.2/microSD/etc (with power adapter).
+* Dockstation SATA/USB/M.2/microSD/etc (with power adapter -- usually 12V).
+* Power adapter for external hard drives (usually 12V, and might be compatible
+ with the dockstationadapter, so you might carry just one).
* USB power adapter and cable (including USB 2, USB 3 and USB C).
* USB cables (USB 2, USB 3 and USB C) for the Dockstation and the external drive.
* TPC laptop with battery and TPS (SSD, M.2 etc), optionally with a UltraBase/Dockstation.
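Review bot: missing space in the new bullet, "dockstationadapter" should read "dockstation adapter" to match the spelling used in the preceding item.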
@@ -113,7 +160,13 @@ This may be the ultimate disaster recovery kit for your Hydra!
## Restore
-Examples according to the software used to make the backup.
+Having backup data leaked is a serious security issue, and that's why we
+encrypt backups.
+But losing access to the encrypted material is data loss, so it's important
+to make sure in advance that we can get back the material.
+
+Procedures vary, and the following examples are sorted according to the
+software used to make the backup.
### Duplicity
@@ -128,10 +181,11 @@ For [duplicity][]:
For [Borg][]:
+ export PATH_TO_RESTORE="path/to/be/restored"
mkdir ~/temp/misc/restore
cd ~/temp/misc/restore
borg list ssh://$USER@$SERVER:$PORT//var/backups/users/$USER/borg
- borg extract ssh://$USER@$SERVER:$PORT//var/backups/users/$USER/borg::$USER-2018-06-11T17:07:39 mnt/crypt/home/$USER/$FILE_OR_FOLDER
+ borg extract ssh://$USER@$SERVER:$PORT//var/backups/users/$USER/borg::$USER-2018-06-11T17:07:39 mnt/crypt/home/$USER/$PATH_TO_RESTORE
Make sure to cleanup `~/temp/misc/restore` after recovering what you need.
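Review bot: the `borg extract` line still carries a hardcoded 2018 archive name (`$USER-2018-06-11T17:07:39`) right next to the newly parameterised `$PATH_TO_RESTORE`; since the reader is told to run `borg list` first precisely to pick an archive, suggest adding `export ARCHIVE="archive-name"` beside `PATH_TO_RESTORE` and using `::$ARCHIVE` in the extract command, so the only literal left is the example in the comment. Minor: `mkdir ~/temp/misc/restore` without `-p` fails when the parent directories do not exist.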
@@ -153,6 +207,15 @@ Note on backup keys:
encrypted-storage workstations_ (recommendation is to not do this on the remote
repository).
+Just to be sure, let's emphasize Borg's own recommendation:
+
+> IMPORTANT: you will need both KEY AND PASSPHRASE to access this repo!
+>
+> If you used a repokey mode, the key is stored in the repo, but you should
+> back it up separately.
+> Use "borg key export" to export the key, optionally in printable format.
+> Write down the passphrase. Store both at safe place(s).
+
[Borg]: https://www.borgbackup.org/
[Puppet]: https://www.puppet.com/
[not possible anymore]: https://github.com/borgbackup/borg/issues/7047
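Review bot: the quoted Borg notice tells the reader to export the key and "store both at safe place(s)", but this section never says where that is in this setup, whereas the Parameters hunk above already establishes the hydra keyring via `keyringer $HYDRA ...` for disk passphrases. Suggest a sentence after the quote naming the keyringer path where the exported Borg key and passphrase are expected to live, so the two halves of the recovery material are kept with the rest of the hydra's secrets rather than in an ad hoc location.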
@@ -162,6 +225,6 @@ Note on backup keys:
For [eCryptfs][]:
- sudo ecryptfs-recover-private /media/$MEDIA/home/.ecryptfs/$USER/.Private
+ $SUDO ecryptfs-recover-private /media/$DISK/home/.ecryptfs/$USER/.Private
[eCryptfs]: https://www.ecryptfs.org/