Radical Server Unit/3.Treffen
aus Metalab Wiki, dem offenen Zentrum für meta-disziplinäre Magier und technisch-kreative Enthusiasten.
Zur Navigation springenZur Suche springenNächstes Thema: "Selber Housing" - Rechner selbst aufsetzen
Andere Themen bzw. Themenvorschläge
Radical Server Unit - Backups - 2016-05-31
Weitere Dinge die Du Dir ansehen kannst:
Unix, Linux, BSD, OS X, command line tools, scripts:
- rsync(1) - man rsync
- scp(1) - man scp
- sftp(1) - man sftp
- dump(8)/restore(8)
- dd(1) - man dd
- rsnapshot
- arkeia
- amanda
- bacula
- unison
- duplicity
- borg backup
- git annex
- ZFS(8) send
- bup or. attic
- Another Backup Tool Overview is also available at archwiki
borg backup
Talk auf der Gulaschprogrammiernacht 2016
OS X Utilities
- Build-In: Time Machine (Kann verschlüsselte Backups anlegen, muß aber angehakt werden.)
- 3rd Party solutions for File Backups
- Arq: https://www.arqbackup.com/ (Verschlüsselte Backups via SFTP, S3, etc.)
- Chronosync: http://www.econtechnologies.com/chronosync/overview.html
- mlbackup (rsync wrapper speziell für OS X) https://maclemon.at/downloads/
- 3rd Party Solutions for full bootable disk clones
- Carbon Copy Cloner: https://bombich.com/ (verschlüsselte, bootfähige Clones)
- SuperDuper: http://www.shirt-pocket.com/SuperDuper/SuperDuperDescription.html
Android (Rooted)
- Titanium Backup
- rsync/rsync
- BackupPC Android-"Client"
iOS
- iTunes (bei OS X dabei, unbedingt "verschlüsselt" anhaken.
- Nicht zu empfehlen, auch wenns komfortabel ist
- Apple iCloud (Sind IMMER plaintext, können auch nicht verschlüsselt werden)
Duplicity Backups made easy
Duplicity Provides encrpted and incremental backups for Linux, *BSD, OSX. Uses librsync, gpg, tar, bzip, sftp,....
- First of all we will set up ssh config locally so we can reference our Host for the backups as "backup-host"
- Generate a SSH-Keypair for connecting to the host with ssh-keygen (see man for details)
- Choose between a basic setup or chrooted sftp only users for maximum paranoia.
- If you want chrooted sftp only users on your sshd add/modify your servers ssh config according to "Server side for CHROOTED USERS"
- If you do not want changerooted users serverside, skip step 3)
- Pick a Duplicity Command from below based on your requirements. Examples are provided for encryption with either passphrase or GPG Public Key. Make sure you choose your example based on sftp vs normal user on the server.
SSH Client side config
Host backup-host HostName backup-host.example.com Port 22 User BACKUP-USERNAME IdentityFile /home/localuser/.ssh/id_rsa
GPG key for only home (run as user) -non chroot
Before first run:
gpg --recv-keys GPG_key
Run/do Backups
duplicity /home/USERNAME/ \ --encrypt-key GPG_KEY \ --full-if-older-than 12M \ --asynchronous-upload \ --exclude /home/USERNAME_LOCAL/.cache \ --exclude /home/USERNAME_LOCAL/Downloads \ --exclude /home/USERNAME_LOCAL/.wine \ --exclude /home/USERNAME_LOCAL/.VirtualBox \ --exclude /home/USERNAME_LOCAL/.gvfs \ --exclude /home/USERNAME_LOCAL/.kvm \ sftp://backup-host/home/BACKUP-USERNAME/2015
Passphrase key for only home (run as user) -non chroot
export PASSPHRASE=_________YOUR_PASSPHRASE_GOES_HERE_____________ duplicity /home/USERNAME/ \ --encrypt-key GPG_KEY \ --full-if-older-than 12M \ --asynchronous-upload \ --exclude /home/USERNAME_LOCAL/.cache \ --exclude /home/USERNAME_LOCAL/Downloads \ --exclude /home/USERNAME_LOCAL/.wine \ --exclude /home/USERNAME_LOCAL/.VirtualBox \ --exclude /home/USERNAME_LOCAL/.gvfs \ --exclude /home/USERNAME_LOCAL/.kvm \ sftp://backup-host/home/BACKUP-USERNAME/2015 unset PASSPHRASE
Server side for CHROOTED USERS
add the group sftp_users
add to /etc/ssh/sshd_config
AuthorizedKeysFile /etc/ssh/AUTH-KEYS-USERS/%u
Match group sftp_users ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no AllowAgentForwarding no PermitTunnel no PermitTTY no X11Forwarding no
make directory for client public keys in /etc/sshd
mkdir -p /etc/ssh/AUTH-KEYS-USERS/
add a new user for the sftp only access and add him sftp user group
nano /etc/ssh/AUTH-KEYS-USERS/__username___ chown -R __username___:sftp_users /etc/ssh/AUTH-KEYS-USERS/__username___ chown root:root /home/__username___
Passphrase for only home (run as user)
export PASSPHRASE=_________YOUR_PASSPHRASE_GOES_HERE_____________ duplicity /home/USERNAME/ \ --full-if-older-than 12M \ --asynchronous-upload \ --exclude /home/USERNAME_LOCAL/.cache \ --exclude /home/USERNAME_LOCAL/Downloads \ --exclude /home/USERNAME_LOCAL/.wine \ --exclude /home/USERNAME_LOCAL/.VirtualBox \ --exclude /home/USERNAME_LOCAL/.gvfs \ --exclude /home/USERNAME_LOCAL/.kvm \ sftp://backup-host/2016 unset PASSPHRASE
Passphrase for all files (run as root)
export PASSPHRASE=_________YOUR_PASSPHRASE_GOES_HERE_____________ duplicity / \ --full-if-older-than 12M \ --asynchronous-upload \ --volsize 500 \ --exclude /dev \ --exclude /media \ --exclude /mnt \ --exclude /proc \ --exclude /run \ --exclude /sys \ --exclude /tmp \ --exclude /home/USERNAME_LOCAL/.cache \ --exclude /home/USERNAME_LOCAL/Downloads \ --exclude /home/USERNAME_LOCAL/.wine \ --exclude /home/USERNAME_LOCAL/.VirtualBox \ --exclude /home/USERNAME_LOCAL/.gvfs \ --exclude /home/USERNAME_LOCAL/.kvm \ sftp://backup-host/2016 unset PASSPHRASE
GPG key for only home (run as user)
Before first run:
gpg --recv-keys GPG_key
do backups:
duplicity /home/USERNAME/ \ --encrypt-key GPG_KEY \ --full-if-older-than 12M \ --asynchronous-upload \ --exclude /home/USERNAME_LOCAL/.cache \ --exclude /home/USERNAME_LOCAL/Downloads \ --exclude /home/USERNAME_LOCAL/.wine \ --exclude /home/USERNAME_LOCAL/.VirtualBox \ --exclude /home/USERNAME_LOCAL/.gvfs \ --exclude /home/USERNAME_LOCAL/.kvm \ sftp://backup-host/2016