encrypted laptop backups using duply

It’s time to start regular backups of my laptop. I used to do backups using dd (automated by our InstallCD, a tweaked Ubuntu installation CD with special dialog scripts) to our department server, which is then backed up to tapes, but now that the server is running out of space, I need to figure out some other solution.

I realized that when my girlfriend threw hot sweet tea on my laptop keyboard. Thank God I have a Lenovo T series with a removable keyboard that can be washed under running water. It even has small channels at the bottom where water can drain away from the keyboard. Unfortunately, I hadn’t read the manual in advance and I cut a connector cable, so I had to buy a new keyboard anyway, but it was a good experience. This time my data was OK, but what about next time?

I found a USB enclosure with a 320G disk. It is not exactly “new” (but for the time being it works fine). The probability that my backup hard disk and laptop data are lost at the same time is relatively small (except that the disk might die during a restore, which would be baaad!). My laptop has a 128G SSD, so there would be enough space for 2 full and some incremental backups.

My requirements:

  • encrypted backups (I am serious about security when my data are at stake)
  • compressed backups (to save some space on the backup media)
  • incremental backups (to save some time)
  • a simple command to run backups (I want to run it when a specific USB disk is attached)

Pretty simple, huh? I googled for a while and found a blog post about duply – a simple profile-based front-end for duplicity.

So my configuration (backed up on the disk unencrypted):

sudo cat /etc/duply/usb/conf
[sudo] password for nax:
GPG_KEY='7CF2E9A2'
GPG_PW='very_secret_first_password'
GPG_OPTS="--compress-algo=bzip2 --bzip2-compress-level=9 --always-trust"
TARGET='file:///media/362db44c-aa3c-5405-9893-3c662d9dff2e'
SOURCE='/'
VERBOSITY=6
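
The conf above stores GPG_PW in clear text, passes --always-trust to gpg, and a copy of it sits unencrypted on the backup disk. The following check for those three points is an added example, not part of the original post or of duply. The function names and sample files are constructed for illustration, and the "tight" variant assumes the passphrase is supplied at run time instead of being stored.

```shell
#!/bin/bash
# Added example: audit a duply profile conf without sourcing it.
# Prints one finding per line and nothing when the file passes.

conf_value() {   # conf_value FILE KEY: value of the last uncommented KEY= line
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed "s/^[\"']//; s/[\"'][[:space:]]*\$//"
}

audit_duply_conf() {
    local conf=$1 perms
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 0; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$conf" | cut -c5-10)
    [ "$perms" = "------" ] ||
        echo "PERMS: group/other bits set ($perms)"

    # A clear-text passphrase travels with every copy of the conf,
    # including one kept unencrypted on the backup disk.
    [ -z "$(conf_value "$conf" GPG_PW)" ] ||
        echo "GPG_PW: passphrase stored in clear text"

    # --always-trust makes gpg skip the validity check on the recipient key.
    case " $(conf_value "$conf" GPG_OPTS) " in
        *" --always-trust "*) echo "GPG_OPTS: --always-trust disables key validation" ;;
    esac
    return 0
}

demo() {   # constructed sample files, not the author's real conf
    local d; d=$(mktemp -d)
    cat > "$d/weak.conf" <<'EOF'
GPG_KEY='7CF2E9A2'
GPG_PW='constructed_sample_passphrase'
GPG_OPTS="--compress-algo=bzip2 --bzip2-compress-level=9 --always-trust"
EOF
    chmod 644 "$d/weak.conf"
    # Tightened variant: owner-only mode, no stored passphrase, no --always-trust.
    grep -v '^GPG_PW=' "$d/weak.conf" | sed 's/ --always-trust//' > "$d/tight.conf"
    chmod 600 "$d/tight.conf"
    echo "== weak.conf";  audit_duply_conf "$d/weak.conf"
    echo "== tight.conf"; audit_duply_conf "$d/tight.conf"
    rm -rf "$d"
}
demo
```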

It took a few hours to back up all my data, but subsequent runs are very quick (about 5 min).

The next stage was that I wanted a nice GUI that says when it is safe to remove the disk. The idea was to show a question on startup (if I just want to restore something from a backup, I do not want anything backed up first) and, if the answer is positive, run the backup.

It seems fairly easy, but I finally learned how the udev subsystem works. Generating the question was relatively easy with zenity, and as a nice bonus it can show a progress bar as an indication that the backup is still running.


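#!/bin/bash
# Started by udev (as root) when the backup disk is attached.
DEV=/dev/sdb1
MOUNTPOINT=/media/362db44c-aa3c-5405-9893-3c662d9dff2e
LOG="/media/251db33c-aa2c-4394-8782-2c551d8dff1e/logs/$(date '+%Y%m%d-%H:%M').$$"
export DISPLAY=":0.0"

# Ask first: when the disk is attached only to restore something, no backup should run.
if zenity --question --text "Would you like to run backup now?" && [ -e "$DEV" ]; then
    mkdir -p "$MOUNTPOINT"
    # Stop if the mount fails, so duply never writes into the empty mount point.
    mount "$DEV" "$MOUNTPOINT" || exit 1
    # duply output feeds the pulsating progress dialog and is saved to the log file.
    su jh209173 -c 'gksudo /usr/bin/duply usb backup' \
        | tee >(zenity --progress --pulsate --auto-close --auto-kill --text="Backuping...") \
        > "$LOG"
    umount "$MOUNTPOINT"
    rmdir "$MOUNTPOINT"
    zenity --info --text "Backup is now complete! It is safe to disconnect the disk now."
fi
exit 0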

It is run in the background to allow the system to finish mounting the USB disk.

You can see that there is a lot of su and sudo. That is because of the path to the GPG keys and because udev runs the script as root. For that purpose, I found a thread in the Arch Linux forum most useful.


cat /etc/udev/rules.d/05-usb-backup.rules
ACTION=="add", BUS=="usb", KERNEL=="sd*1", SUBSYSTEMS=="usb", SUBSYSTEM=="block", SYSFS{serial}=="DEF21AFCD20F", RUN+="/usr/local/bin/backup-to-usb.sh"

At first I made the mistake of specifying just SYSFS{serial}. In that case the script is executed at least 8 times. If you specify other values (like KERNEL), it works as expected. The reason is that the serial is reported in many events during the whole process (the bus recognizes a new device with the serial, the kernel adds device sdb with that serial, the kernel adds device sdb1 with the same serial …).

UPDATE – just 1 day after I wrote this post, a new article was published on root.cz: Jak zálohovat rychle a bezbolestně (in Czech only).
