Poor Man’s Backup

           (___)
           ( O )
    /-------\ / 
   / |     ||V  
  *  ||----||   
     ^^    ^^   

Introduction

We’re basically setting up a crontab with two components:

• local backup with encryption
• upload of the local backup to some remote FTP server

Requirements

apt install ksh93 lftp
openssl version

Setup

Dedibackup

First, check that you can reach your FTP service e.g. Dedibackup auth based on MAC address (note the , and absence of a password afterwards), as long as you enable autologin

lftp -u auto, DEDIBACKUP_SERVER_ADDRESS

and eventually clean your shit up

#glob -a rm -r -f *

GPG v1 symmetric encryption

gpg --version | head -1 # v1 is fine
gpg --version | grep Cipher
echo lala | gpg --no-use-agent --symmetric --cipher-algo TWOFISH --passphrase 'KEY_HERE' --output lala.gpg
file lala.gpg
gpg --no-use-agent --decrypt --cipher-algo TWOFISH --passphrase 'KEY_HERE' < lala.gpg

OpenSSL symmetric encryption

openssl version
echo lala | openssl enc -aes-256-cbc -e -k 'LALA' -out lala.aes
file lala.aes
openssl enc -aes-256-cbc -d -k 'SYMMETRIC-KEY-HERE' < lala.aes

Setup

Fetch the script templates as root, rename, tune a few variables and set the executable bit

cd /root/
wget https://pub.nethence.com/bin/backup/backup.ksh.txt
wget https://pub.nethence.com/bin/backup/upload.ksh.txt
mv backup.ksh.txt backup.ksh
mv upload.ksh.txt upload.ksh
chmod +x backup.ksh
chmod +x upload.ksh

mkdir /data/backup/
vi backup.conf

backupdir=/data/backup/HOSTNAME
maxold=5
secret=SYMMETRIC-KEY-HERE

#rsync/ftp/none
method=ftp

# FTP
server=FTP-SERVER
user=auto
pass=""

# RSYNC/SSH
#rsyncdest=SSH-SERVER:/path/to

chmod 600 backup.conf

vi backup.lst

/root
/etc
...

and keep a copy of the key some place outside the server you wanna backup. Also write down your FTP password that you get from the DediBackup console, as you will still be able to reach your backups through normal FTP login if needed from a remote site.

Ready to go

Keep the script up-to-date

curl -s https://pub.nethence.com/bin/backup/backup.ksh.txt | diff -bu - backup.ksh

Run a manual backup

time nice /root/backup.ksh

Look for resulting files and check that this is multi-core capable (>100%)

ls -lF /data/backup/
top -b | grep ssl
top -b | grep gpg

And finally enable the job every night as a priviledged cron job, be it NetBSD

vi /etc/daily

or Slackware

vi /root/DAILY

time nice /root/backup.ksh
time nice /root/upload.ksh
echo

or Ubuntu

crontab -e

51 03 * * * time nice /root/backup.ksh; time nice /root/upload.ksh

Acceptance

Attempt to restore from the encrypted archive (decrypt with -d instead of -e)

secret=KEY-HERE
bkpfile=2021-01-13-04-00-02.data-www.tar.lz4.aes
tarfile=${bkpfile%\.aes}

mkdir lala/
file $bkpfile
openssl enc -d -aes-256-cbc -k "$secret" -pbkdf2 -in $bkpfile -out $tarfile
file $tarfile
tar -I lz4 -xpSf $tarfile -C lala/

Alternatives

• rsync from a dedicated backup host
• Borg
• afio http://members.chello.nl/~k.holtman/afio.html
• NetBSD only http://netbsd.gw.com/cgi-bin/man-cgi?dump
• duplicity+duply

As for database backups you might add a few mysqldumps to the script or eventually use Mydumper.

with rsync

another simple way to deal with backups looks like this at panix (netbsd/pv xen host)

vi /etc/inetd.conf

rsync           stream  tcp     nowait  root    /usr/pkg/bin/rsync      rsync --daemon --config=/etc/rsyncd.conf

vi /etc/rsyncd.conf

[BACKUPS]
    path = /
    auth users = root
    secrets file =  /etc/rsyncd.secrets
    uid = root
    hosts allow = backup.nyc.access.net

Resources

lftp

lftp user credentials do not work with -e or -c https://unix.stackexchange.com/questions/469787/lftp-user-credentials-do-not-work-with-e-or-c

Mirror copying hidden (dot) files regardless. #251 https://github.com/lavv17/lftp/issues/251 –> or consider yafc instead?

lz4

How to use tar with lz4? https://stackoverflow.com/questions/24063846/how-to-use-tar-with-lz4

openssl enc

How to password protect gzip files on the command line? https://superuser.com/questions/162624/how-to-password-protect-gzip-files-on-the-command-line

How to Encrypt and Decrypt Files and Directories Using Tar and OpenSSL https://www.tecmint.com/encrypt-decrypt-files-tar-openssl-linux/

How should I change encryption according to *** WARNING : deprecated key derivation used https://askubuntu.com/questions/1093591/how-should-i-change-encryption-according-to-warning-deprecated-key-derivat

How to use OpenSSL to encrypt/decrypt files? https://stackoverflow.com/questions/16056135/how-to-use-openssl-to-encrypt-decrypt-files

gpg

Encrypting and decrypting documents https://www.gnupg.org/gph/en/manual/x110.html

Symmetric Key Encryption with GnuPG http://www.savvyadmin.com/symmetric-key-encryption-with-gnupg/

GPG Encryption Guide - Part 4 (Symmetric Encryption) https://www.tutonics.com/2012/11/gpg-encryption-guide-part-4-symmetric.html

Home directory backup - The quick ‘n’ dirty guide https://www.dedoimedo.com/computers/linux-home-dir-backup-tar-gpg-guide.html

duplicity https://www.digitalocean.com/community/tutorials/how-to-use-duplicity-with-gpg-to-securely-automate-backups-on-ubuntu

Thread: gpg: gpg-agent is not available in this session https://ubuntuforums.org/showthread.php?t=1420156

gpg encrypt file without keyboard interaction [closed] https://stackoverflow.com/questions/9460140/gpg-encrypt-file-without-keyboard-interaction

How can I automate gpg decryption which uses a passphrase while keeping it secret? https://unix.stackexchange.com/questions/400772/how-can-i-automate-gpg-decryption-which-uses-a-passphrase-while-keeping-it-secre

Encrypt tar.gz file on create https://askubuntu.com/questions/95920/encrypt-tar-gz-file-on-create