From immerda

Prepare Server for ssh-key-based backups

   BORG_USER=borg                                         # assumed values: adjust to your setup
   BACKUPDIR=/srv/backup/$BORG_USER
   SSH_AUTH_FILE=/home/$BORG_USER/.ssh/authorized_keys
   useradd -m $BORG_USER
   for d in $BACKUPDIR /home/$BORG_USER/.ssh; do
     mkdir -p $d
     chown $BORG_USER $d
     chmod 0700 $d
   done
   # Forced command: this key may only run "borg serve" inside $BACKUPDIR and gets no shell, forwarding or ~/.ssh/rc
   echo "command=\"cd $BACKUPDIR; borg serve --restrict-to-path $BACKUPDIR\",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAA...KEYFROMUSER" > $SSH_AUTH_FILE
   chmod 0600 $SSH_AUTH_FILE
   chown $BORG_USER $SSH_AUTH_FILE
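A restricted key like the one above only protects the server as long as nobody later appends a plain key to the same authorized_keys file. The following audit script is an added example, not part of the immerda page: it walks an authorized_keys file and flags every key that is not pinned to a forced "borg serve --restrict-to-path" command with all of the no-* options used above. The function names, the file path and the sample key lines are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not part of the immerda wiki page: audit an authorized_keys
# file on the backup server and list every key that is not pinned to a
# restricted "borg serve" forced command with the hardening options used above.
# The function names, the sample key lines and the file path are constructed
# for this demonstration.

REQUIRED_OPTS="no-pty no-agent-forwarding no-port-forwarding no-X11-forwarding no-user-rc"

# check_borg_key_line LINE
# Returns 0 for a blank line, a comment, or a key whose options field carries
# a forced "borg serve --restrict-to-path ..." command plus every option in
# REQUIRED_OPTS; returns 1 for anything else (plain key, missing option, junk).
check_borg_key_line() {
    line=$1
    case $line in
        ''|'#'*) return 0 ;;
    esac
    # The options field is everything before the key-type token.
    opts=${line%% ssh-*}
    [ "$opts" = "$line" ] && opts=${line%% ecdsa-*}
    [ "$opts" = "$line" ] && return 1      # no options field at all
    case $opts in
        *'command="'*'borg serve '*'--restrict-to-path '*'"'*) ;;
        *) return 1 ;;
    esac
    for o in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit_authorized_keys FILE
# Prints "FILE:LINENO: ..." for each offending line; returns 1 if any were
# found, 0 when the file is clean.
audit_authorized_keys() {
    bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if ! check_borg_key_line "$line"; then
            printf '%s:%d: not restricted to borg serve: %s\n' "$1" "$n" "$line"
            bad=1
        fi
    done < "$1"
    return $bad
}

# write_demo_keys FILE: constructed sample with one good and two bad entries.
write_demo_keys() {
    cat > "$1" <<'EOF'
# backup client key, restricted (good)
command="cd /srv/backup; borg serve --restrict-to-path /srv/backup",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY00000000000000000000000000000000 localuser@laptop
# plain key: full shell on the backup host (bad)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEKEY1111111111111111111111111111111111111 admin@workstation
# forced command, but port forwarding still allowed (bad)
command="borg serve --restrict-to-path /srv/backup",no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY22222222222222222222222222222222 other@host
EOF
}

demo=$(mktemp)
write_demo_keys "$demo"
audit_authorized_keys "$demo" || echo "=> fix or remove the lines above"
rm -f "$demo"
```

Run it against the real file with `audit_authorized_keys /home/$BORG_USER/.ssh/authorized_keys` from cron or a config-management check; a non-zero exit means a key on the backup host is not confined to `borg serve`.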

As a user

Copy the following script and save it as

#!/bin/sh
# Remote repository as seen from this client (assumed placeholder: adjust)
export REPOSITORY='borguser@backup.example.org:/srv/backup/borguser/repo'
export BORG_RSH='ssh -i /home/localuser/.ssh/id_rsa_borg'

echoerr() { echo "$@" 1>&2; }

script_loc=$(dirname "$0")
# Passphrase file: same basename as this script, extension .pwd, same directory
BORG_PASSPHRASE_FILE=$script_loc/$(basename "$(readlink -f "$0")" .sh).pwd
if [ ! -f "$BORG_PASSPHRASE_FILE" ]; then
  echoerr "Backup key file ${BORG_PASSPHRASE_FILE} does not exist! Aborting..."
  exit 1
fi
export BORG_PASSPHRASE=$(cat "$BORG_PASSPHRASE_FILE")

# Lock file keeps two runs (e.g. overlapping cron jobs) from racing each other
BORG_LOCK_FILE=$script_loc/$(basename "$(readlink -f "$0")" .sh).lock
if [ -f "$BORG_LOCK_FILE" ]; then
  pid=$(cat "$BORG_LOCK_FILE")
  if [ -d /proc/$pid ]; then
    echo "Lockfile still exists, running pid: ${pid}"
    echo "Exiting"
    exit 0
  else
    echoerr "Lockfile exists but no process running anymore... Continuing..."
  fi
fi
echo $$ > "$BORG_LOCK_FILE"
trap 'rm -f "$BORG_LOCK_FILE"' EXIT

# Backup all of /home/localuser except some dirs
# and some compiled python scripts
# (patterns are plain fnmatch globs: no backslash escaping, borg would match it literally)
borg create --stats                                 \
    $REPOSITORY::backup-`hostname`-`date +%Y-%m-%d` \
    /home/localuser                                 \
    --exclude=/home/localuser/.Trash                \
    --exclude=/home/localuser/.cache/               \
    --exclude=/home/localuser/.gem/                 \
    --exclude=/home/localuser/.rvm/                 \
    --exclude '*.pyc'

# Use the `prune` subcommand to maintain 7 daily, 4 weekly
# and 6 monthly archives.
# we want some output so we get informed
borg prune -v $REPOSITORY --keep-daily=7 --keep-weekly=4 --keep-monthly=6 -s --list

Adjust the key file, the repository and the directories to back up.
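The script above reads the repository passphrase from a file next to it, so that file is the weak point if its permissions drift. The following helper is an added example, not part of the immerda page: it refuses to use the passphrase file unless it is a regular file owned by the invoking user with no group/other permission bits, and then hands it to borg via `BORG_PASSCOMMAND` (a documented borg variable) so the passphrase does not sit in the environment. The function names and the sample file are constructed for this demonstration; `stat -c` is GNU syntax with a BSD `stat -f` fallback.

```shell
#!/bin/sh
# Added example, not from the immerda wiki page: validate the passphrase file
# before the backup script uses it, then expose it to borg through
# BORG_PASSCOMMAND instead of BORG_PASSPHRASE.  Helper names and the sample
# file below are constructed for this example.

# file_mode FILE -> octal permission bits, e.g. 600 (GNU stat, BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# file_owner FILE -> numeric uid of the owner
file_owner() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# check_secret_file FILE
# 0 if FILE is a regular file owned by the current user with no group/other
# permission bits; 1 otherwise, with the reason on stderr.
check_secret_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f: missing or not a regular file" >&2; return 1
    fi
    if [ "$(file_owner "$f")" != "$(id -u)" ]; then
        echo "$f: not owned by uid $(id -u)" >&2; return 1
    fi
    mode=$(file_mode "$f")
    # The last two octal digits are group and other; anything but 00 is too open.
    case $mode in
        *00) return 0 ;;
        *) echo "$f: mode $mode is too permissive (expected 0600 or 0400)" >&2; return 1 ;;
    esac
}

# use_passphrase_file FILE
# Exports BORG_PASSCOMMAND (borg runs it to obtain the passphrase) once the
# checks pass; returns 1 and exports nothing otherwise.
use_passphrase_file() {
    check_secret_file "$1" || return 1
    BORG_PASSCOMMAND="cat '$1'"
    export BORG_PASSCOMMAND
    return 0
}

# Demo with a constructed passphrase file: first too open, then fixed.
demo=$(mktemp)
printf 'correct horse battery staple\n' > "$demo"
chmod 0644 "$demo"
use_passphrase_file "$demo" || echo "refused world-readable file (expected)"
chmod 0600 "$demo"
use_passphrase_file "$demo" && echo "accepted: BORG_PASSCOMMAND=$BORG_PASSCOMMAND"
rm -f "$demo"
```

In the backup script, replace the `export BORG_PASSPHRASE=$(cat ...)` line with `use_passphrase_file "$BORG_PASSPHRASE_FILE" || exit 1`; borg then reads the passphrase itself and a `ps e` or `/proc/<pid>/environ` listing no longer shows it.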

Initialize repo:

   openssl rand -base64 32 > borg_backup.pwd # must have the same basename as the script and live in the same directory
   chmod 0600 borg_backup.pwd
   export BORG_RSH='ssh -i /home/localuser/.ssh/id_rsa_borg'
   export BORG_PASSPHRASE=$(cat borg_backup.pwd)
   export REPOSITORY='borguser@backup.example.org:/srv/backup/borguser/repo' # assumed placeholder: same value as in the script
   borg init --encryption=keyfile $REPOSITORY

And now you're ready to run the backup script.


Afterwards, add it to a cronjob.

Backup your encryption key!

The keyfile mode used above to initialize the borg repository encrypts the backup in such a way that no key material is stored within the repository (unlike the repokey mode). This means you need not only the passphrase but also the key file to regain access to your backup.

So you should back up this key as well, e.g. by storing it in an encrypted mail (provided you have some means other than this backup to access the encryption key for your mail!) or as a symmetrically encrypted blob:

Export encrypted to your mail:

   borg key export $REPOSITORY /dev/stdout | gpg -a --encrypt -r YOUR_KEY_ID   # YOUR_KEY_ID: placeholder for your own GPG key id or address

Symmetric encryption, to store as a blob (e.g. within your mailbox):

   borg key export $REPOSITORY /dev/stdout | gpg -a --symmetric