Poor Man’s Backup

           (___)
           ( O )
    /-------\ / 
   / |     ||V  
  *  ||----||   
     ^^    ^^   

Introduction

we are setting up a cron job with two components: a backup script (backup.ksh) and an upload script (upload.ksh)

warning: beware of symlinks - the target folders defined in backup.lst must not be symlinks (parent folder being a symlink is ok)

for alternatives see poor-mans-backup-rsync

Requirements

ubuntu

apt install ksh lftp

in case you choose GNUPG

apt purge gnupg2 gnupg
apt install gnupg1

otherwise openssl should be there already

slackware

slackpkg search ksh93
slackpkg search lftp

netbsd

(PDKSH in da place)

pkg_info | grep lftp

Setup

Dedibackup

first things first, check that you can reach your FTP service. For example, Dedibackup authenticates based on the MAC address as long as you enable autologin (note the "," after the user name and the absence of a password after it)

lftp -u auto, DEDIBACKUP_SERVER_ADDRESS

and eventually wipe out your previous backup data

#glob -a rm -r -f *

GPG v1

which gpg || ln -s gpg1 /usr/bin/gpg
ls -lF /usr/bin/gpg

version 1 is fine; check which ciphers are available for symmetric encryption

gpg --version

now here’s how to encrypt

echo lala | gpg --no-use-agent --symmetric --cipher-algo TWOFISH \
    --passphrase 'SYMMETRIC-KEY-HERE' --output lala.gpg
file lala.gpg

and how to decrypt

gpg --no-use-agent --decrypt --cipher-algo TWOFISH \
    --passphrase 'SYMMETRIC-KEY-HERE' < lala.gpg

OpenSSL symmetric encryption

openssl version
openssl enc -ciphers
key=SYMMETRIC-KEY-HERE

now here’s how to encrypt

echo lala | openssl enc -camellia-256-ctr -e -k "$key" -pbkdf2 -out lala.camellia
file lala.camellia
cat lala.camellia

and how to decrypt

openssl enc -camellia-256-ctr -d -k "$key" -pbkdf2 < lala.camellia
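The commands above pass the key with -k, which puts it on the command line where the process list shows it, and CTR mode carries no integrity tag, so openssl cannot tell a wrong key or a damaged archive from a good one. The following is an added example, not part of the original scripts: it reads the key from a file with -pass file: and verifies a restore against a digest recorded at backup time. The file names, keys and function names are constructed for the example.

```shell
#!/bin/sh
# Added example: file names and keys are constructed; "keyfile" is a
# hypothetical mode-600 file holding only the symmetric key on its first line.
umask 077

# encrypt stdin into $2; the key is read from file $1, never from argv
enc_stream() {
    openssl enc -camellia-256-ctr -e -pbkdf2 -pass "file:$1" -out "$2"
}

# decrypt archive $2 to stdout with the key from file $1
dec_stream() {
    openssl enc -camellia-256-ctr -d -pbkdf2 -pass "file:$1" -in "$2"
}

# SHA-256 of stdin as bare hex (last field of "...(stdin)= <hex>")
sha256_hex() {
    openssl dgst -sha256 | awk '{print $NF}'
}

# CTR mode has no integrity tag, so decrypting with a wrong key still
# produces output; compare against the digest recorded at backup time.
# usage: verify_restore KEYFILE ARCHIVE EXPECTED_HEX  -> prints ok|mismatch
verify_restore() {
    got=$(dec_stream "$1" "$2" | sha256_hex)
    if [ "$got" = "$3" ]; then echo ok; else echo mismatch; fi
}

demo_restore_check() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'SYMMETRIC-KEY-HERE' > "$d/keyfile"
    printf '%s\n' 'NOT-THE-KEY' > "$d/wrongkey"
    printf 'lala\n' > "$d/plain"
    want=$(sha256_hex < "$d/plain")          # recorded before encryption
    enc_stream "$d/keyfile" "$d/lala.camellia" < "$d/plain"
    echo "right key: $(verify_restore "$d/keyfile" "$d/lala.camellia" "$want")"
    echo "wrong key: $(verify_restore "$d/wrongkey" "$d/lala.camellia" "$want")"
    rm -rf "$d"
}
demo_restore_check
```

A plain digest catches a wrong key or a corrupted archive; it is not a keyed MAC. gpg accepts the key the same way through --passphrase-file.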

Setup

Fetch the script templates as root, rename, tune a few variables and set the executable bit

cd /root/
wget https://pub.nethence.com/bin/backup/backup.ksh.txt
wget https://pub.nethence.com/bin/backup/upload.ksh.txt
mv backup.ksh.txt backup.ksh
mv upload.ksh.txt upload.ksh
chmod +x backup.ksh
chmod +x upload.ksh

vi /root/backup.conf

[[ -z $HOSTNAME ]] && HOSTNAME=`uname -n`

backupdir=/data/backup/$HOSTNAME
maxold=5
secret="SYMMETRIC-KEY-HERE"

uploaddir=/data/backup
#rsync/ftp/none
method=ftp

# FTP
server=FTP-SERVER
user=auto
pass=""

# RSYNC/SSH
#rsyncdest=SSH-SERVER:/path/to

chmod 600 backup.conf

vi /root/backup.lst

/etc
/root
/var

and keep a copy of the key somewhere outside the server you wanna back up. Also write down the FTP password that you get from the DediBackup console, as you will still be able to reach your backups through a normal FTP login from a remote site if needed.

Ready to go

check the configurations again

chmod 600 /root/backup.conf
chmod 600 /root/backup.lst
cat /root/backup.conf
cat /root/backup.lst

attempt a manual backup and check for resulting files

mkdir -p /data/backup/$HOSTNAME/
#mkdir -p /var/backup/$HOSTNAME/
time nice /root/backup.ksh
ls -lhF /data/backup/$HOSTNAME/

also attempt a bulk upload.

time nice /root/upload.ksh

and finally enable the job every night as a privileged cron job as follows.

netbsd

vi /etc/daily

slackware

vi /root/DAILY

time nice /root/backup.ksh
time nice /root/upload.ksh

ubuntu

crontab -e

51 03 * * * time nice /root/backup.ksh; time nice /root/upload.ksh

Acceptance

attempt to restore from an encrypted archive (decrypt with -d instead of -e)

secret=SYMMETRIC-KEY-HERE

bkpfile=FILE.tar.lz4.camellia
tarfile=${bkpfile%\.camellia}

file "$bkpfile"
openssl enc -d -camellia-256-ctr -k "$secret" -pbkdf2 -in "$bkpfile" -out "$tarfile"
file "$tarfile"

mkdir lala/
tar -I lz4 -xpSf "$tarfile" -C lala/

eventually check the content of every archive sample, just to make sure you truly got the folder content, in case it’s a symlink.
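The symlink warning from the introduction can also be checked before the first run instead of after a restore. The following is an added example, not part of the original scripts: it scans backup.lst and reports entries that are themselves symlinks, while a symlinked parent folder passes. It assumes one absolute path per line, as in the sample backup.lst above; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: assumes backup.lst holds one absolute path per line, as in
# the sample above; the function name is hypothetical.

# check_backup_list FILE: print one line per problem entry, return 1 if any
check_backup_list() {
    rc=0
    while IFS= read -r p || [ -n "$p" ]; do
        [ -n "$p" ] || continue          # skip blank lines
        [ "$p" = / ] || p=${p%/}         # "dir/" would make -L follow the link
        case $p in
            /*) ;;
            *)  echo "not-absolute: $p"; rc=1; continue ;;
        esac
        if [ -L "$p" ]; then
            echo "symlink: $p"; rc=1     # the entry itself is a link
        elif [ ! -d "$p" ]; then
            echo "not-a-directory: $p"; rc=1
        fi
    done < "$1"
    return $rc
}

# constructed tree: a real folder, a link to it, and a folder below the link
demo_check() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/real/sub"
    ln -s "$t/real" "$t/link"
    printf '%s\n' "$t/real" "$t/link" "$t/link/sub" > "$t/backup.lst"
    check_backup_list "$t/backup.lst"    # flags only $t/link
    rm -rf "$t"
}
demo_check
```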

Additional notes

eventually keep the script up-to-date

curl -s https://pub.nethence.com/bin/backup/backup.ksh.txt | diff -bu - backup.ksh

Copyright © 2022 Pierre-Philipp Braun