Simple interface for encrypted offline backups with snapshots support.
- Encryption through LUKS.
- Reliability of rsync for synchronization.
- Snapshot functionality through the use of btrfs filesystem.
- Multiple backup sources (partitions or folders).
- Exclude files from backups (such as
/var/cache/) using standard Include/Exclude Pattern Rules from rsync.
After configuration, all you have to run for making backups is:
sudo do-backup dobackup && sudo do-backup umount
The backup interface is very simple. Usage:
do-backup [options] command [source..].
Valid options are:
-c FILE: Use config file
FILEinstead of .backup-config (in program dir).
-n: Dry-run, print the commands without executing.
-v: Verbose output, print commands as they are executed.
- sources Print all possible backup sources.
- testrsync Dry-run rsync (without destination mount).
- mount Mount the storage and exit (needs root).
- umount Unmount storage and exit (needs root).
- dobackup Mount and backup.
Note: if no source is given, everything will be included.
Quick Start Guide
This section describes how to prepare a new disk for unencrypted backups. When
the "backup configuration" is mentioned, it refers to the
in the program directory which needs to be created first. You can use
sample.backup-config as inspiration.
Before you can make backups, you will need an external disk (USB / eSATA / ...). Create a btrfs partition on it:
sudo mkfs.btrfs /dev/sdc1
Locate the partition identifier using
sudo blkid and add it to the backup
configuration. Example blkid output:
/dev/sdc1: UUID="da66d110-9119-43a1-bedf-ef797cc685fa" TYPE="btrfs"
The corresponding backup configuration line:
What to backup
The backup program backups everything in a single mount point and does not cross
devices. Look in the
mount output or
/etc/fstab to find locations. If you
have a single root filesystem with both
/home on it, but want to
backup them separately, use this backup configuration:
The double slash (
//) marks the end of a mount point, any path after it is
treated as directory below that mountpoint.
Optionally you can specify exclusion patterns for each backup source. These patterns are stored in files named after the backup source. To enable the use of this, specify the path to the directory in the backup configuration:
If you would like to ignore
~/.cache/ for each
/home/user/rubbish (for a specific user), you will create these
# /home/user/rsync-excl.d/Root /var/cache/ /var/tmp/ # /home/user/rsync-excl.d/Home # Note: relative to the backup source /home /*/.cache/ /user/rubbish
Comments are possible by using
#, for more possible patterns consult the
rsync manual page, section Include/Exclude Pattern Rules.
Now that you have configured the backup program, you are ready to perform backups. To make a backup of everything, invoke:
sudo do-backup dobackup
When finished, unmount the destination drive with:
sudo do-backup umount
If you are in a hurry and want to save just your Home backup source, it is also possible to specify that single backup source:
sudo do-backup backup Home
If you would like to check the list of files that would be transferred without
actually copying files, use the
sudo do-backup testrsync Root > /tmp/test-rsync.txt
For encrypted backups, there is another layer between the partition and the destination filesystem. If you have to start from scratch, create a backup partition as follows:
# Format partition, and enter a passphrase. DO NOT FORGET IT! sudo cryptsetup luksFormat /dev/sdb1 # Unlock the partition after entering a passphrase. sudo cryptsetup luksOpen /dev/sdb1 backup # Finally format the plaintext layer sudo mkfs.btrfs /dev/mapper/backup
As for the backup configuration, you additionally have to set the
variable. If the
sudo blkid output looks like this:
/dev/sdb1: UUID="a0becda8-1af5-4767-9df0-c5a21508eaff" TYPE="crypto_LUKS" /dev/mapper/luks-a0becda8-1af5-4767-9df0-c5a21508eaff: UUID="e33dd512-9d4e-4852-9fa0-bd0e7689455d" TYPE="btrfs"
then use this:
Multiple backup disks
If you have multiple backup disks, you can specify a list of them:
luks_UUID=e33dd512-9d4e-4852-9fa0-bd0e7689455d fs_UUID=a0becda8-1af5-4767-9df0-c5a21508eaff luks_UUID=2f7575dd-4e8a-40f0-97a9-f478fadf048a fs_UUID=000830f6-8607-4703-8a5e-7e549416f773
At any point, only one of these disks may be present. An error is printed
otherwise. Numbers have no special meaning except for matching a
luks_UUID=e33dd512-9d4e-4852-9fa0-bd0e7689455d fs_UUID=a0becda8-1af5-4767-9df0-c5a21508eaff # The following two lines are commented out because the disk is broken. #luks_UUID=2f7575dd-4e8a-40f0-97a9-f478fadf048a #fs_UUID=000830f6-8607-4703-8a5e-7e549416f773 # Unencrypted backup target (note: no corresponding luks_UUID is set). fs_UUID=2fa585a8-455a-4587-ad5c-722109bb33eb
This feature is intended to support a backup strategy where you rotate through multiple disks and have independent copies to each of them. This makes it easier to handle offsite backups and to safeguard against catastrophic data loss in case your system explodes while a backup is in progress to a single disk.
The backup storage is mounted at
/mnt (or whatever is specified by the
fs_mountpoint configuration option). The directory structure for two backup
sources Home and Root is:
Home/ (btrfs subvolume) Root/ snapshots/Root_20150123/ (btrfs read-only snapshots) snapshots/Root_20150601/ snapshots/Home_20150123/ snapshots/Home_20150124/ snapshots/Home_20150601/
To perform a restore, simply copy the files from the snapshots.
Currently only btrfs is supported because it is the only mainline filesystem which provided snapshot functionality.
Copyright (c) 2015 Peter Wu <email@example.com>
This project is licensed under the MIT license. See the LICENSE file for more details.