encrypted backup

my new root server host offers—as part of the base package—a 100 GB backup package. access to that space is via SMBFS/CIFS, WebDAV, or FTP. as we don’t really want to have our data lying around in the clear, i needed a solution to encrypt the data before storing it on the backup server. also, i really wanted to use rsnapshot to do the job.

after a bit of mucking around, this is what i came up with (all as root obviously).

set up an encrypted backup image

  1. mount the backup server via smbfs/cifs at /mnt/backup-server.

  2. create a sparse disk image:

    # truncate -s 90G /mnt/backup-server/backup.image

  3. make it available as a loopback device:

    # losetup /dev/loop0 /mnt/backup-server/backup.image

  4. set up /dev/loop0 as a LUKS partition:

    # cryptsetup luksFormat /dev/loop0

  5. open the LUKS partition and make it available as /dev/mapper/backupfs:

    # cryptsetup luksOpen /dev/loop0 backupfs

  6. create an ext4 filesystem on the opened LUKS partition:

    # mkfs -t ext4 /dev/mapper/backupfs

  7. and mount it as /backups:

    # mkdir /backups
    # mount /dev/mapper/backupfs /backups

  8. set up rsnapshot and run it.

once rsnapshot has done its job, unmount the backup image, release the loopback device, and unmount the backup server.

automating it

to automate the whole setup:

  • to mount the backup server and the contained LUKS image, the mount-backup script

  • along with its companion to umount the whole stack, the umount-backup script

  • finally, a wrapper around rsnapshot to mount the backup image, run rsnapshot, capture stats, and unmount the backup image, the rsnapshot-local script
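the scripts named above are not reproduced on this page. as an added example (not the author's code), here is one way to write such a wrapper so that a failure halfway up the stack still closes the LUKS mapping and releases the loop device, undoing only the layers that actually came up. assumptions: an fstab entry for /mnt/backup-server, a hypothetical key file at /root/backup.key already enrolled with cryptsetup luksAddKey, and an rsnapshot interval name passed as the first argument.

```shell
#!/bin/sh
# Added example, not the author's rsnapshot-local script.
# Assumed: fstab entry for $SERVER, $KEYFILE (hypothetical path) enrolled via
# "cryptsetup luksAddKey", and an rsnapshot interval passed as $1.
SERVER=/mnt/backup-server
IMAGE=$SERVER/backup.image
LOOP=/dev/loop0
NAME=backupfs
TARGET=/backups
KEYFILE=/root/backup.key
DRY_RUN=${DRY_RUN:-1}     # 1 prints the commands, 0 executes them
UNDO=""                   # undo steps, most recent layer first

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

push_undo() {             # prepend, so teardown walks the stack top-down
    UNDO="$1
$UNDO"
}

setup() {                 # stop at the first layer that fails
    run mount "$SERVER" || return 1
    push_undo "umount $SERVER"
    run losetup "$LOOP" "$IMAGE" || return 1
    push_undo "losetup -d $LOOP"
    run cryptsetup luksOpen --key-file "$KEYFILE" "$LOOP" "$NAME" || return 1
    push_undo "cryptsetup luksClose $NAME"
    run mount "/dev/mapper/$NAME" "$TARGET" || return 1
    push_undo "umount $TARGET"
}

teardown() {              # undo only what setup brought up; safe to repeat
    printf '%s' "$UNDO" | while IFS= read -r step; do
        if [ -n "$step" ]; then run $step || echo "failed: $step" >&2; fi
    done
    UNDO=""
}

backup() {
    trap 'exit 1' INT TERM
    trap teardown EXIT
    status=0
    setup && run rsnapshot "$1" || status=$?
    teardown
    return "$status"
}

if [ $# -gt 0 ]; then backup "$1"; fi
```

called with an interval argument it prints the command sequence; with DRY_RUN=0 in the environment it executes it as root.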