Backup your server to an encrypted disk

Yes!!! It is very important to backup your server. Many things actually can go wrong so let me share a few:

  • your hard disk crashes and you did not use mirroring
  • your fingers where a bit loose when you where removing something (as a root?)
  • your girl/boyfriend hit the “del” button a bit to enthusiastically
  • a nasty hacker did a format on your server (or was that just an excuse?)

Anyway, in all cases… you lost something that you will not get back without a backup.

I have updated the part where I use rsync to make my backup. It now uses unison. The advantage is that now old files (deleted on the base filesystem) will also be deleted in the backup. Of course, to prevent huge problems I recommend everybody to also make backups that are not overwritten (by unison).

Please note that you need unison to be installed to perform the updated steps. You can install unison by typing:

sudo apt-get install unison


How to backup

There are many ways to backup your data. You could attach a drive to your workstation, login and download all data. Imagine you have 500Gb of data… then this does not sound feasible anymore. You can hire space online, but that costs or is very slow. You can build in a new hard disk, but when your server burns down… it was useless. You can put everything on an external drive, but when that is stolen (as it is easy to take) your data is on the street… or is it? Well, there this nice how-to actually comes in!

How to prepare the disk for the backup

Well, this how to describes how I prepared my external hard drive to serve as a backup medium for my server. I had a few demands and a few flexibilities which makes this setup my best choice:

  • I want to backup all data on my server (not the OS)
  • I want to put it on an external hard disk (so I can keep it somewhere else then where my server is)
  • I want it to be secure/encrypted
  • I want it to be easily done
  • I only need a backup once every week (chance of failure is small and changes on the disk are scarce)
  • I do not need/want old backups and if I want one then I will buy a new hard disk
  • I want it to work with my Debian server

How to prepare the encrypted disk

Let us take this step by step. As I am talking about a server I expect you to not have a GUI present, that you use ssh to log in to your server and that you have basic know-how to start with. Also, I assume that you can install packages that are not installed yet and so on…

  1. Overwrite the whole drive with random data in order to slow down attacks on the encryption. At the same time perform a bad blocks scan to make sure the hard drive is not going to die too soon: badblocks -c 10240 -s -w -t random -v /dev/
  2. Install the required packages: aptitude install cryptsetup hashalot (now reboot the system or load the installed modules manually)
  3. Create one or more partitions on the drive: cfdisk /dev/
  4. Setup LUKS: cryptsetup –verbose –verify-passphrase luksFormat /dev/
  5. Now you want to enter a good password and not some crappy first name as this could make all this a waste of time.
  6. Open the encrypted device and assign it to a virtual /dev/mapper/backup device: cryptsetup luksOpen /dev/ backup
  7. Create a filesystem on the encrypted device: mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/backup (I used ext3 with some optimizations, see mke2fs(8))
  8. Mount the encrypted partition: mkdir /media/backupdisk mount /dev/mapper/backup /media/backupdisk/
  9. For unmounting use: umount /media/backupdisk cryptsetup luksClose /dev/mapper/backup

(I took much of the description from this website).

Now the backup

As mentioned before, I will use rsync to backup my data. It is a neat, easy and quick way. As I will be backing up many Gbs I do not want a slow process. Therefore rsync is my friend. So now let me describe how I do an update in my server (you will need root access):

  1. Attach the disk to the server (via usb?)
  2. Find the disk blkid Now look for the disk with TYPE=”crypt_LUKS”
  3. Now open the encrypted device cryptsetup luksOpen /dev/ backup
  4. Time to enter that good password
  5. Let’s mount the partition mount /dev/mapper/backup /media/backupdisk/
  6. When the disk is ready to be used we start with the unison backup procedure: unison /home /media/backupdisk/server
_When the disk is ready to be used we start with the rsync backup: rsync -a /home /media/backupdisk/server/_
  1. When ready, we have to umount the disk umount /dev/mapper/backup cryptsetup luksClose backup
  2. Now you just need to store that disk somewhere safe!

Well, that is all. I hope it was useful for you. At least it is again useful for me as I probably want to check again later how I had to do this again.