Poor Man’s Backup

Introduction

We’re basically setting up a crontab with two components:

Requirements:

An alternative would be to use rsync remotely from a dedicated backup host. And there’s also:

As for database backups you might add a few mysqldumps to the script or eventually use Mydumper.

Dedibackup

First, check that you can reach your FTP service e.g. Dedibackup auth based on MAC address (note the , and absence of a password afterwards), as long as you enable autologin

lftp -u auto, DEDIBACKUP_SERVER_ADDRESS

and eventually clean your shit up

#glob -a rm -r -f *

GPG v1 symmetric encryption

gpg --version | head -1 # v1 is fine
gpg --version | grep Cipher
echo lala | gpg --no-use-agent --symmetric --cipher-algo TWOFISH --passphrase 'KEY_HERE' --output lala.gpg
file lala.gpg
gpg --no-use-agent --decrypt --cipher-algo TWOFISH --passphrase 'KEY_HERE' < lala.gpg

OpenSSL symmetric encryption

openssl version
echo lala | openssl enc -aes-256-cbc -e -k 'LALA' -out lala.aes
file lala.aes
openssl enc -aes-256-cbc -d -k 'LALA' < lala.aes

Setup

Fetch the script templates as root, rename and set the executable bits

cd /root/bin/
wget http://pub.nethence.com/bin/backup.ksh.txt
wget http://pub.nethence.com/bin/backup.lst.txt
wget http://pub.nethence.com/bin/backup.upload.ksh.txt
cp backup.ksh.txt backup.ksh
cp backup.lst.txt backup.lst
cp backup.upload.ksh.txt backup.upload.ksh
chmod +x backup.ksh backup.upload.ksh

Tune a few variables

mkdir -p /data/backup/
vi backup.ksh

backupdir=/data/backup
backuplist=/root/bin/backup.lst
secret=GENERATE-NEW-SYMMETRIC-KEY-HERE
maxold=10

and keep a copy of the key some place outside the server you wanna backup. Also write down your FTP password that you get from the DediBackup console, as you will still be able to reach your backups through normal FTP login if needed from a remote site.

Tune what folders you want to backup,

vi backup.lst

Tune your FTP server/login/pass,

vi backup.upload.ksh

server=FTP-SERVER

Acceptance

Check the diffs

diff -bu backup.ksh.txt backup.ksh    
diff -bu backup.upload.ksh.txt backup.upload.ksh    

Run a manual backup

time nice /root/bin/backup.ksh
top -b | grep gpg # multi-cores >100%
ll /data/backup/

then attempt to upload it

time nice /root/bin/backup.upload.ksh

Automation

Enable the shit every night as root,

crontab -e

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/pkg/bin:/usr/local/bin

0 3 * * * time nice /root/bin/backup.ksh && time nice /root/bin/backup.upload.ksh

Resources

lftp

lftp user credentials do not work with -e or -c https://unix.stackexchange.com/questions/469787/lftp-user-credentials-do-not-work-with-e-or-c

gpg

Encrypting and decrypting documents https://www.gnupg.org/gph/en/manual/x110.html

Symmetric Key Encryption with GnuPG http://www.savvyadmin.com/symmetric-key-encryption-with-gnupg/

GPG Encryption Guide - Part 4 (Symmetric Encryption) https://www.tutonics.com/2012/11/gpg-encryption-guide-part-4-symmetric.html

Home directory backup - The quick ‘n’ dirty guide https://www.dedoimedo.com/computers/linux-home-dir-backup-tar-gpg-guide.html

duplicity https://www.digitalocean.com/community/tutorials/how-to-use-duplicity-with-gpg-to-securely-automate-backups-on-ubuntu

Thread: gpg: gpg-agent is not available in this session https://ubuntuforums.org/showthread.php?t=1420156

gpg encrypt file without keyboard interaction [closed] https://stackoverflow.com/questions/9460140/gpg-encrypt-file-without-keyboard-interaction

How can I automate gpg decryption which uses a passphrase while keeping it secret? https://unix.stackexchange.com/questions/400772/how-can-i-automate-gpg-decryption-which-uses-a-passphrase-while-keeping-it-secre

Encrypt tar.gz file on create https://askubuntu.com/questions/95920/encrypt-tar-gz-file-on-create

ssl

How to password protect gzip files on the command line? https://superuser.com/questions/162624/how-to-password-protect-gzip-files-on-the-command-line

How to Encrypt and Decrypt Files and Directories Using Tar and OpenSSL https://www.tecmint.com/encrypt-decrypt-files-tar-openssl-linux/

How should I change encryption according to *** WARNING : deprecated key derivation used https://askubuntu.com/questions/1093591/how-should-i-change-encryption-according-to-warning-deprecated-key-derivat


Nethence | Pub | Lab | Pbraun | SNE Russia | xhtml