Use case

Your site has a backup server running GNU/Linux where your backups reside.  Periodically you wish to copy the latest set of backups onto an external disk to be stored off-site.

Each disk is in a USB enclosure.  There are at least two disks so that you have an off-site backup at all times.  The disks are encrypted in case any are lost or stolen.

Configuring

This is based on EncryptedDeviceUsingLUKS.
  1. Partition the external disk, but don't put a file system on it yet.
  2. Get the serial number of the external hard disk, using
    # udevinfo -a -p $(udevinfo -q path -n /dev/sde) 
    Replace /dev/sde with your disk's device name.  On systems where udevinfo has been replaced by udevadm, the equivalent is
    # udevadm info -a -n /dev/sde 
    Look for the ATTRS{serial} line of the USB device; this is the serial number reported by the USB enclosure, and it is what the rule in the next step matches on.
  3. Create a file /etc/udev/rules.d/50-cryptbak.rules and put a udev rule in it to create a symlink /dev/bakker when the external disk is plugged in.  E.g.
    KERNEL=="sd?1", ATTRS{serial}=="DEF10BBE1D0D", NAME="$kernel", \
       SYMLINK+="bakker"
    where the serial number is the one you found in step 2.  Newer versions of udev ignore NAME= for block devices (kernel device nodes cannot be renamed) and print a warning; on such systems leave NAME="$kernel" out and keep only the match keys and SYMLINK+=.
  4. Verify the symlink /dev/bakker appears when you plug in the external disk and disappears when you unplug the external disk.
  5. With the drive plugged in, create an encrypted block device with
    # cryptsetup --verbose --verify-passphrase luksFormat /dev/sde1 
    where 'sde1' is the empty partition on the external disk.  This overwrites the LUKS header area of the partition and asks for confirmation; double-check the device name first.  Use the same passphrase for every disk, because step 7 below points all of them at one key file.
  6. Save the passphrase into /etc/diskparm.txt.  Make sure the file is owned by root with mode 0600 and that it contains no trailing newline: cryptsetup uses every byte of a key file as the key, so a newline would make the stored key differ from the passphrase you typed in step 5 and the disk would not open.  Keep a copy of the passphrase somewhere safe.  Note what this buys you: anyone with root on the backup server (or a copy of its system disk) can read the key file and decrypt the external disks, so the encryption protects a disk that is lost or stolen in transit or off-site, not one taken together with the server.
  7. Add to /etc/crypttab,
    cryptbak  /dev/bakker  /etc/diskparm.txt   luks 
  8. Run 'invoke-rc.d cryptdisks start cryptbak' to set up the block device /dev/mapper/cryptbak.  Create a filesystem on it with
    # mkfs.ext2 /dev/mapper/cryptbak 
  9. Edit the udev rule in /etc/udev/rules.d/50-cryptbak.rules to set up the block device whenever you plug the disk in.
    KERNEL=="sd?1", ATTRS{serial}=="DEF10BBE1D0D", NAME="$kernel", \
       SYMLINK+="bakker", \
       RUN+="/usr/sbin/invoke-rc.d cryptdisks restart cryptbak" 
  10. Create a mount point /media/cryptbak and add to /etc/fstab,
    /dev/mapper/cryptbak /media/cryptbak ext2  user,noauto   0   0 

For each additional external disk, repeat steps 1, 2, 4, 5, 8 and 9, adding a further rule with the new disk's serial number to the rules file from step 3 rather than replacing the first one.  Every disk gets the same /dev/bakker symlink and the same cryptbak mapping, and must be formatted with the same passphrase, so steps 6, 7 and 10 are done only once.
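The configuration steps above (3, 6, 7, 9 and 10), together with the checks step 4 and step 6 call for, collected into POSIX shell helpers.  This is an added example, not part of the original page: the file locations, the bakker symlink, the cryptbak mapping and /etc/diskparm.txt are the page's own; the second serial number in the usage comment is invented, and writing under a scratch root directory is an assumption of the example so the helpers can be tried before anything is written to /etc.

```shell
#!/bin/sh
# Added example, not from the original page.  Helpers for steps 3, 6, 7,
# 9 and 10 of the setup.  All paths are parameters so the functions can be
# exercised under a scratch directory (root "/tmp/x") or on the live
# system (root "").  Partitioning, luksFormat, mkfs and the first
# 'cryptdisks start' (steps 1, 5 and 8) still have to be done by hand.

# Step 9's udev rule for one disk, keyed on the enclosure's USB serial.
# Every disk gets the same symlink and mapping name, which is what lets
# /etc/crypttab and /etc/fstab stay the same for all of them.
udev_rule() {
    printf 'KERNEL=="sd?1", ATTRS{serial}=="%s", NAME="$kernel", SYMLINK+="%s", RUN+="/usr/sbin/invoke-rc.d cryptdisks restart %s"\n' \
        "$1" "${2:-bakker}" "${3:-cryptbak}"
}

# Append a rule for SERIAL to RULESFILE unless one is already there, so
# repeating step 3 for a second disk adds a rule instead of duplicating it.
add_disk_rule() {
    rulesfile=$1 serial=$2
    mkdir -p "$(dirname "$rulesfile")" || return 1
    if [ -f "$rulesfile" ] && grep -qF "ATTRS{serial}==\"$serial\"" "$rulesfile"; then
        return 0
    fi
    udev_rule "$serial" >> "$rulesfile"
}

# Append LINE to FILE unless it is already present as a whole line
# (used for the crypttab and fstab entries of steps 7 and 10).
ensure_line() {
    file=$1 line=$2
    mkdir -p "$(dirname "$file")" || return 1
    [ -f "$file" ] && grep -qxF -- "$line" "$file" && return 0
    printf '%s\n' "$line" >> "$file"
}

# Step 6: write the passphrase read from stdin to FILE with mode 0600 and
# no trailing newline.  cryptsetup uses every byte of the key file as the
# key, so a newline would make it differ from the passphrase typed at
# luksFormat and the disk would not open.
write_keyfile() {
    file=$1
    passphrase=$(cat)                     # $(...) strips trailing newlines
    [ -n "$passphrase" ] || return 1
    mkdir -p "$(dirname "$file")" || return 1
    ( umask 077 && printf '%s' "$passphrase" > "$file" ) || return 1
    chmod 600 "$file"
}

# Check a key file: exists and non-empty, mode exactly 0600, and its last
# byte is not "\n" (od prints that byte as octal 012).
keyfile_ok() {
    file=$1
    [ -s "$file" ] || return 1
    [ -n "$(find "$file" -perm 600)" ] || return 1
    [ "$(tail -c 1 "$file" | od -An -to1 | tr -d ' \n')" != "012" ]
}

# Steps 3, 6, 7, 9 and 10 for every serial given, rooted at ROOT.
# The passphrase is read from stdin.  Safe to re-run: nothing is duplicated.
configure() {
    root=$1; shift
    write_keyfile "$root/etc/diskparm.txt" || return 1
    for serial in "$@"; do
        add_disk_rule "$root/etc/udev/rules.d/50-cryptbak.rules" "$serial" || return 1
    done
    ensure_line "$root/etc/crypttab" "cryptbak  /dev/bakker  /etc/diskparm.txt   luks" || return 1
    mkdir -p "$root/media/cryptbak" || return 1
    ensure_line "$root/etc/fstab" "/dev/mapper/cryptbak /media/cryptbak ext2  user,noauto   0   0"
}

# Step 4 plus step 9, after plugging a disk in: did the rule match, and did
# its RUN bring the mapping up?  Only meaningful on the live system.
verify_live() {
    symlink=${1:-bakker} mapping=${2:-cryptbak}
    [ -L "/dev/$symlink" ] || { echo "no /dev/$symlink: udev rule did not match" >&2; return 1; }
    [ -b "/dev/mapper/$mapping" ] || { echo "no /dev/mapper/$mapping: cryptdisks did not run" >&2; return 1; }
}

# Usage on the backup server, as root (second serial is made up):
#   configure "" DEF10BBE1D0D 1A2B3C4D5E6F     # then type the passphrase, Ctrl-D
#   keyfile_ok /etc/diskparm.txt && verify_live
# Nothing runs at load time; try it first with a scratch root such as
#   printf 'passphrase\n' | configure /tmp/cryptbak-test DEF10BBE1D0D
```

Typing the passphrase interactively into configure keeps it out of the shell history; the trailing newline from the Enter key is stripped before the file is written, which is the point of keyfile_ok's last check.  verify_live is the check from step 4 and tells the two failure modes apart: no symlink means the serial in the rule is wrong, a symlink without a mapping means the RUN+= command did not complete (see Bugs).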

Usage

On plugging in the external disk, udev should create /dev/bakker (step 3) and run cryptdisks, which sets up /dev/mapper/cryptbak from the key file (step 9).  You can then run a command to copy the backups onto the external disk (but see Bugs below).  For example, if using BackupPC, define an "archive host" using
$Conf{XferMethod} = 'archive';
$Conf{ArchiveDest} = '/media/cryptbak';
$Conf{ArchiveSplit} = 0;
$Conf{ArchiveComp} = 'gzip';
$Conf{ArchivePreUserCmd}  = '/bin/mount /media/cryptbak';
$Conf{ArchivePostUserCmd}  = '/bin/umount /media/cryptbak'; 
BackupPC will mount /dev/mapper/cryptbak on /media/cryptbak, perform the archive, and unmount.  Wait for the archive to finish and the unmount to complete before unplugging the disk; 'invoke-rc.d cryptdisks stop cryptbak' closes the mapping as well, so that nothing is still referring to the disk when it is removed.

Bugs

178829: it's necessary to edit /lib/cryptsetup/cryptdisks.functions.

186835: cryptdisks takes 3 minutes to set up the encrypted block device when called from udev.

Words

Pictures

Updated 2010-11-29 00:06 GMT