Provisional page: needs checking and expansion!
Introduction
Here we describe the procedure for taking full backups and restoring them.
Taking a full backup
- Connect a disk with USB.
- If it is not set up yet, use the procedure for setting up an encrypted disk documented elsewhere.
- Mount the USB disk on /backupdisk:
# cryptsetup luksOpen /dev/sdX1 sdX1_crypt
# mount /dev/mapper/sdX1_crypt /backupdisk
- Create a directory in /backupdisk with the following naming scheme:
<hostname>/<date>/
- For each filesystem (/boot, /) do the following:
# cd / && tar cf - --one-file-system <mountpoint> | \
    gpg -r backup@cacert.org -e > \
    /backupdisk/<hostname>/<date>/<ID>_<FS>.tar.gpg
- mountpoint: /boot or /
- hostname: the name of the host
- date: the current date in the format YYYY-MM-DD
- ID: A number (01 for / (root), 02 for /boot)
- FS: the filesystem name with each / replaced by a -
- For the root filesystem use the name 'root'.
For example:
/backupdisk/hlin/2008-10-03/00_root.tar.gpg
/backupdisk/hlin/2008-10-03/01_boot.tar.gpg
/backupdisk/hlin/2008-10-03/02_var-lib-mysql.tar.gpg
The keyid used for backups is: 0E1725CF <backup@cacert.org>
- [Optional] Verify the backup (see Verification procedure on next page).
- Unmount and disconnect the USB backup disk:
# umount /backupdisk
# cryptsetup luksClose sdX1_crypt
# eject /dev/sdX1
To use this procedure you need:
- the public GPG key (present in ~root/.gnupg/pubring.gpg)
- a prepared hard disk
- physical access to the machine
- a USB connection for the hard disk
- someone from secure-u to take the disk out of the datacenter afterwards and keep it in storage
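The per-filesystem backup step and its naming scheme as a script. This is an added example, not part of the original procedure; the names BACKUP_ROOT, RECIPIENT, fs_name, archive_path and backup_fs are chosen here for illustration, and it assumes bash, GNU tar and the backup public key already present in root's keyring.

```shell
#!/bin/bash
# Added example, not part of the original procedure.
# Hypothetical names: BACKUP_ROOT, RECIPIENT, fs_name, archive_path, backup_fs.
BACKUP_ROOT=${BACKUP_ROOT:-/backupdisk}
RECIPIENT=${RECIPIENT:-backup@cacert.org}

# fs_name MOUNTPOINT: "root" for /, otherwise the path with each / replaced by -
fs_name() {
    case $1 in
        /)  echo root ;;
        /*) printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/*$||' -e 's|/|-|g' ;;
        *)  echo "mountpoint must be absolute: $1" >&2; return 1 ;;
    esac
}

# archive_path HOST DATE ID MOUNTPOINT: print the full name of the archive
archive_path() {
    case $1 in ''|.*|*/*) echo "bad hostname: $1" >&2; return 1 ;; esac
    case $2 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "date must be YYYY-MM-DD: $2" >&2; return 1 ;;
    esac
    case $3 in [0-9][0-9]) ;; *) echo "ID must be two digits: $3" >&2; return 1 ;; esac
    fs=$(fs_name "$4") || return 1
    printf '%s/%s/%s/%s_%s.tar.gpg\n' "$BACKUP_ROOT" "$1" "$2" "$3" "$fs"
}

# backup_fs HOST DATE ID MOUNTPOINT: tar one filesystem and encrypt it.
# The data goes to a .part file that is renamed only when both tar and gpg
# exit 0, so a truncated archive never carries the final name.
backup_fs() (
    set -o pipefail   # bash: the pipeline fails if tar fails, not only gpg
    out=$(archive_path "$@") || exit 1
    if [ -e "$out" ]; then echo "refusing to overwrite $out" >&2; exit 1; fi
    umask 077
    mkdir -p "${out%/*}" || exit 1
    cd / || exit 1
    if tar cf - --one-file-system "$4" | gpg -r "$RECIPIENT" -e > "$out.part"
    then mv "$out.part" "$out"
    else rm -f "$out.part"; echo "backup of $4 failed" >&2; exit 1
    fi
)

# Run as: script <hostname> <date> <ID> <mountpoint>
if [ "$#" -eq 4 ]; then backup_fs "$@"; fi
```

GNU tar also exits non-zero when a file changes while it is being read, so on a live system this script reports such a run as failed and the archive has to be taken again.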
Verifying a full backup
This is best done directly after completing the offsite backup procedure, at the step marked [Optional] above.
- Insert the USB stick with the private GPG key and mount it read-only on /mnt/keys.
- Go to /backupdisk/<hostname>/<date>
- Run the following command:
for b in *
do
    echo "Verifying $b ..."
    gpg --homedir /mnt/keys/gnupg -d "$b" | tar tvf - >>/tmp/KLAD
done
- Inspect /tmp/KLAD for any anomalies.
- Unmount the USB stick with the private GPG key and remove it.
- Go to /
Restoring a full backup
In case you use a live CD:
- Mount the new disk on /new
- Use encryption and so on! Mount the filesystems you want (for example /boot on the new disk) at their designated places under /new (for example: /new/boot).
- Mount the backup disk on /backupdisk
- Mount the USB stick with the private GPG key read-only on /mnt/keys
- Go to /backupdisk/<hostname>/<date wanted>
- Run the following command:
for b in *
do
    echo "Extracting $b ..."
    gpg --homedir /mnt/keys/gnupg -d "$b" | (cd /new && tar xvpf - )
done
- Install grub on the new disk
In order to use this procedure you need:
- The private GPG key on a USB stick
- The backup disks including encryption passwords
- Passwords for the new (encrypted) disk
- Common sense and 4 eyes!