Documentation on my encrypted backup hard drive.

[[!toc levels=3]]

## Hardware
* [Western Digital My Book Essential 750 GB USB 2.0 Desktop External Hard Drive WDH1U7500N](http://www.amazon.com/gp/product/B000XRI034)
* Western Digital's page: <http://wdc.com/en/products/products.asp?driveid=771>

    kenyon@grunt ~ !9920 % sudo smartctl --all /dev/sdf
    smartctl 5.39 2009-12-09 r2995 [x86_64-unknown-linux-gnu] (local build)
    Copyright (C) 2002-9 by Bruce Allen, http://smartmontools.sourceforge.net

    === START OF INFORMATION SECTION ===
    Model Family:     Western Digital Caviar Green family
    Device Model:     WDC WD7500AACS-00D6B1
    Serial Number:    WD-WCAU42310983
    Firmware Version: 01.01A01
    User Capacity:    750,156,374,016 bytes
    Device is:        In smartctl database [for details use: -P show]
    ATA Version is:   8
    ATA Standard is:  Exact ATA specification draft version not indicated
    Local Time is:    Sun Jan 31 00:46:01 2010 PST
    SMART support is: Available - device has SMART capability.
    SMART support is: Enabled

    === START OF READ SMART DATA SECTION ===
    SMART overall-health self-assessment test result: PASSED

## Software
* Linux 2.6.32-5-amd64 #1 SMP Wed May 18 23:13:22 UTC 2011 x86_64 GNU/Linux
* Debian GNU/Linux squeeze
* Important packages: [[!debpkg dmsetup]], [[!debpkg cryptsetup]]

### Encryption
* cryptsetup 1.1.0-rc2

I did `sudo modprobe dm-mod dm-crypt aes` and added those modules to `/etc/modules`.

#### Creation
    sudo cryptsetup --verbose --verify-passphrase --key-size 256 luksFormat /dev/sdf1
    sudo cryptsetup --verbose luksOpen /dev/sdf1 bak

#### Use
Added to `/etc/fstab`:

    LABEL=bak       /bak            ext4    user,noatime,noauto 0   0

    sudo cryptsetup --verbose luksOpen /dev/sdf1 bak
    sudo mount /bak

Add entry to `/etc/crypttab`:

    bak UUID=4a69dabf-929e-4f71-ab71-a9823c9633a9 none luks,noauto

After making the `crypttab` entry:

    sudo cryptdisks_start bak && sudo mount /bak

### File system
#### Creation
After `sudo cryptsetup --verbose luksOpen /dev/sdf1 bak`, I did

    sudo mkfs.ext4 -v -L bak /dev/mapper/bak

#### Disconnecting
Before disconnecting the drive from the system, do this:

    sudo umount /bak && sudo cryptdisks_stop bak

### Backup
Run this script: `$MYGITREPO_DIR/sysadmin/hosts/grunt/external-backup`

[[!format sh """
#!/bin/sh
# Only run when an ext4 file system is mounted on /bak; otherwise rsync
# would copy into the bare /bak directory on the root file system.
if mount -l -v -t ext4 | grep -q '/bak type ext4'
then
    echo "$(date)" >> /data/backups/external-backups.log
    # exec replaces this shell, so the script's exit status is that of
    # the sudo/time/rsync command line.
    exec sudo time rsync \
        --archive \
        --delete \
        --delete-excluded \
        --exclude=/data/backups/hourly.[1-9] \
        --exclude=/data/backups/daily.* \
        --exclude=/data/backups/weekly.* \
        --exclude=/data/backups/monthly.* \
        --exclude=/dev \
        --exclude=/media \
        --exclude=/mnt \
        --exclude=/proc \
        --exclude=/sys \
        --exclude=/tmp \
        --exclude=.cache \
        --exclude=.ccache \
        --exclude=Cache \
        --exclude=lost+found \
        --exclude=/var/cache \
        --exclude=/var/db/ccache \
        --exclude=/var/tmp \
        --fuzzy \
        --hard-links \
        --human-readable \
        --ignore-errors \
        --progress \
        --relative \
        --sparse \
        --stats \
        --verbose \
        /boot \
        /etc \
        /lib \
        /opt \
        /raptor \
        /root \
        /var \
        /data \
        /bak/grunt
else
    echo 'bak seems to not be mounted.'
    exit 1
fi
"""]]
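
The `grep` test in the script matches any mount point whose path ends in `/bak` and says nothing about the backing device, so a plain partition mounted there would receive an unencrypted copy. A stricter pre-flight check follows as an added example that is not part of the original script; the sample mount tables are constructed, and it assumes the mapping appears in `/proc/mounts` as `/dev/mapper/bak`:

```sh
#!/bin/sh
# Added example (not the page's script). Sample mount tables are constructed.

# page_style_check: the original test, applied to a /proc/mounts-format table
# on stdin by rendering it the way `mount` prints it ("SRC on DIR type FS").
page_style_check() {
    awk '{ print $1 " on " $2 " type " $3 }' | grep -q '/bak type ext4'
}

# backup_target_ok DIR MAPPING: succeed only if the file system mounted on
# exactly DIR is ext4 and comes from /dev/mapper/MAPPING (assumed naming).
# Reads a /proc/mounts-format table on stdin.
backup_target_ok() {
    awk -v dir="$1" -v src="/dev/mapper/$2" '
        # Later lines shadow earlier ones, so the last match is the live mount.
        $2 == dir { found = 1; ok = ($1 == src && $3 == "ext4") }
        END { exit !(found && ok) }
    '
}

# Constructed samples.
sample_luks() {       # the opened LUKS mapping mounted on /bak
    printf '%s\n' '/dev/sda1 / ext4 rw,errors=remount-ro 0 0' \
                  '/dev/mapper/bak /bak ext4 rw,nosuid,nodev,noatime 0 0'
}
sample_plain() {      # an unencrypted partition mounted on /bak
    printf '%s\n' '/dev/sda1 / ext4 rw 0 0' '/dev/sdg1 /bak ext4 rw,noatime 0 0'
}
sample_lookalike() {  # a different mount point that merely ends in /bak
    printf '%s\n' '/dev/sda1 / ext4 rw 0 0' '/dev/sdg1 /mnt/bak ext4 rw 0 0'
}

for s in sample_luks sample_plain sample_lookalike; do
    $s | page_style_check && p=pass || p=fail
    $s | backup_target_ok /bak bak && b=pass || b=fail
    echo "$s: page check $p, strict check $b"
done
# On the live system: backup_target_ok /bak bak < /proc/mounts || exit 1
```

Running `sudo cryptsetup status bak` alongside this confirms that the mapping itself is an active LUKS device.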

## References
* cryptsetup, luks: <http://code.google.com/p/cryptsetup/>
* <http://www.debian-administration.org/article/Encrypting_an_existing_Debian_lenny_installation>
* <http://madduck.net/docs/cryptdisk/>

[[!tag Debian Linux]]