-
Notifications
You must be signed in to change notification settings - Fork 71
/
create-encrypted-backup
executable file
·73 lines (63 loc) · 2.38 KB
/
create-encrypted-backup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
#!/bin/bash -eu
# Create an encrypted backup (in 5 GB pieces) inside our scratch space.
#
# This can be put on a hard drive and stored under the SM's mattress, uploaded
# to Google Nearline, automatically uploaded to Box.com, etc.
set -o pipefail
ARCHIVE_DIRECTORY="/opt/backups/scratch/archive"
TARGET_VOLUME="/dev/vg-backups/backups-live"
SNAPSHOT_PATH="/dev/vg-backups/backups-snapshot"
# import staff keys into temporary gpg dir
gpgdir=$(mktemp -d)
gpg --homedir "$gpgdir" --no-tty --quiet --import /opt/share/backups/keys/*.asc
# make a LVM snapshot
if [ -e "$SNAPSHOT_PATH" ]; then
echo "Snapshot already exists: ${SNAPSHOT_PATH}" >&2
exit 1
fi
# try really hard to remove logical volume on exit
cleanup() {
if [ -e "$SNAPSHOT_PATH" ]; then
echo "Removing logical volume: $SNAPSHOT_PATH"
lvremove -f "$SNAPSHOT_PATH"
fi
}
trap cleanup EXIT
# we don't have *quite* enough space to make a snapshot with the full 2TB of
# disk space, so we make a large enough snapshot that we'll *probably* avoid
# trouble
lvcreate -L 500G --snapshot --name "$SNAPSHOT_PATH" "$TARGET_VOLUME"
umask 077
rm -rf "$ARCHIVE_DIRECTORY"
mkdir "$ARCHIVE_DIRECTORY"
compress() {
dd if="$SNAPSHOT_PATH" bs=32M | pigz
}
# this is the filter that `split` will use to encrypt each .part file after
# splitting. $FILE is the .part filename, we append .gpg to that.
encrypt_cmd="gpg --homedir $gpgdir \
--no-tty \
--quiet \
--encrypt \
--trust-model always \
--compress-algo none \
--recipient ckuehl@berkeley.edu \
--recipient jvperrin@ocf.berkeley.edu \
--recipient mattmcal@ocf.berkeley.edu \
--recipient kpengboy@ocf.berkeley.edu \
--recipient abizer@ocf.berkeley.edu \
--recipient benzhang4@gmail.com \
--recipient daniel@dkess.me \
--recipient kmo@ocf.berkeley.edu \
--recipient jonathan@bbs4.us \
--output \$FILE.gpg -"
split_parts_and_encrypt() {
split -d -a 4 -b 5G --filter "$encrypt_cmd" - \
"${ARCHIVE_DIRECTORY}/backup-$(date +%Y-%m-%d).img.gz.part"
}
# Only show pv output if the terminal is interactive (no cron email pv spam)
if [ -t 0 ]; then
compress | pv | split_parts_and_encrypt
else
compress | split_parts_and_encrypt
fi