Documentation on my encrypted backup hard drive.

[[!toc levels=3]]

## Hardware

* [Western Digital My Book Essential 750 GB USB 2.0 Desktop External Hard Drive WDH1U7500N](http://www.amazon.com/gp/product/B000XRI034)
* Western Digital's page:

    kenyon@grunt ~ !9920 % sudo smartctl --all /dev/sdf
    smartctl 5.39 2009-12-09 r2995 [x86_64-unknown-linux-gnu] (local build)
    Copyright (C) 2002-9 by Bruce Allen, http://smartmontools.sourceforge.net

    === START OF INFORMATION SECTION ===
    Model Family:     Western Digital Caviar Green family
    Device Model:     WDC WD7500AACS-00D6B1
    Serial Number:    WD-WCAU42310983
    Firmware Version: 01.01A01
    User Capacity:    750,156,374,016 bytes
    Device is:        In smartctl database [for details use: -P show]
    ATA Version is:   8
    ATA Standard is:  Exact ATA specification draft version not indicated
    Local Time is:    Sun Jan 31 00:46:01 2010 PST
    SMART support is: Available - device has SMART capability.
    SMART support is: Enabled

    === START OF READ SMART DATA SECTION ===
    SMART overall-health self-assessment test result: PASSED

## Software

* Linux 2.6.32-5-amd64 #1 SMP Wed May 18 23:13:22 UTC 2011 x86_64 GNU/Linux
* Debian GNU/Linux squeeze
* Important packages: [[!debpkg dmsetup]], [[!debpkg cryptsetup]]

### Encryption

* cryptsetup 1.1.0-rc2

I did `sudo modprobe dm-mod dm-crypt aes` and added those modules to `/etc/modules`.

#### Creation

    sudo cryptsetup --verbose --verify-passphrase --key-size 256 luksFormat /dev/sdf1
    sudo cryptsetup --verbose luksOpen /dev/sdf1 bak

#### Use

Added to `/etc/fstab`:

    LABEL=bak /bak ext4 user,noatime,noauto 0 0

Then open and mount:

    sudo cryptsetup --verbose luksOpen /dev/sdf1 bak
    sudo mount /bak

Add entry to `/etc/crypttab`:

    bak UUID=4a69dabf-929e-4f71-ab71-a9823c9633a9 none luks,noauto

After making the `crypttab` entry:

    sudo cryptdisks_start bak && sudo mount /bak

### File system

#### Creation

After `sudo cryptsetup --verbose luksOpen /dev/sdf1 bak`, I did

    sudo mkfs.ext4 -v -L bak /dev/mapper/bak

#### Disconnecting

Before disconnecting the drive from the system, do this:

    sudo umount /bak && sudo cryptdisks_stop bak

### Backup

Run this script: `$MYGITREPO_DIR/sysadmin/hosts/grunt/external-backup`

[[!format sh """
#!/bin/sh

# Only run the backup if an ext4 file system is mounted at /bak.
if mount -l -v -t ext4 | grep -q '/bak type ext4'
then
    # Record the start time of this run.
    echo "$(date)" >> /data/backups/external-backups.log
    # Mirror the listed directories to /bak/grunt, deleting files on the
    # backup that no longer exist (or are now excluded) on the source.
    exec sudo time rsync \
        --archive \
        --delete \
        --delete-excluded \
        --exclude=/data/backups/hourly.[1-9] \
        --exclude=/data/backups/daily.* \
        --exclude=/data/backups/weekly.* \
        --exclude=/data/backups/monthly.* \
        --exclude=/dev \
        --exclude=/media \
        --exclude=/mnt \
        --exclude=/proc \
        --exclude=/sys \
        --exclude=/tmp \
        --exclude=.cache \
        --exclude=.ccache \
        --exclude=Cache \
        --exclude=lost+found \
        --exclude=/var/cache \
        --exclude=/var/db/ccache \
        --exclude=/var/tmp \
        --fuzzy \
        --hard-links \
        --human-readable \
        --ignore-errors \
        --progress \
        --relative \
        --sparse \
        --stats \
        --verbose \
        /boot \
        /etc \
        /lib \
        /opt \
        /raptor \
        /root \
        /var \
        /data \
        /bak/grunt
else
    echo 'bak seems to not be mounted.'
    exit 1
fi
"""]]

## References

* cryptsetup, luks:

[[!tag Debian Linux]]
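
A stricter form of the mount test at the top of the backup script, as an added example that is not part of the original page: it compares whole fields of the mount table so that only `/dev/mapper/bak` mounted at `/bak` as ext4 passes, which matters because the script runs `rsync --delete` as root. The function names `bak_mounted` and `check` and the sample mount tables are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not the page's own script. /dev/mapper/bak, /bak and ext4
# come from the page; the function names and sample tables are assumptions.

# bak_mounted [MOUNTS_FILE]
# Reads a mount table in /proc/mounts format (device mountpoint fstype ...);
# pass - to read it from stdin. The last entry for /bak is the file system
# currently visible there, so that entry alone decides the result: it must
# be the opened LUKS mapping with ext4 on it.
bak_mounted() {
    awk -v dev=/dev/mapper/bak -v mp=/bak -v fs=ext4 '
        $2 == mp { ok = ($1 == dev && $3 == fs) }
        END      { exit !ok }
    ' "${1:-/proc/mounts}"
}

# check LABEL: run bak_mounted on the table given on stdin and report.
check() {
    if bak_mounted -; then
        echo "$1: ok to run the backup"
    else
        echo "$1: refusing, /bak is not the encrypted volume"
    fi
}

# Constructed sample mount tables (not captured from a real system).
check good <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/bak /bak ext4 rw,nosuid,nodev,noexec,noatime 0 0
EOF

# Another disk mounted at a path that only ends in /bak. A substring match
# on "/bak type ext4" accepts this line; the field comparison does not.
check lookalike <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/bak ext4 rw,relatime 0 0
EOF

# /bak covered by a later mount: rsync --delete would write to the tmpfs.
check shadowed <<'EOF'
/dev/mapper/bak /bak ext4 rw,noatime 0 0
tmpfs /bak tmpfs rw 0 0
EOF
```

In the backup script, `if bak_mounted` would take the place of the `mount -l -v -t ext4 | grep -q` test.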