Provisional page: needs checking and expansion!

=== Introduction ===

Here we describe the procedure for taking full backups and restoring them.

=== Taking a full backup ===

 1. Connect a disk via USB. If it is not set up yet, use the procedure for setting up an encrypted disk, which is documented elsewhere.
 1. Mount the USB disk on /backupdisk:
 {{{
# cryptsetup luksOpen /dev/sdX1 sdX1_crypt
# mount /dev/mapper/sdX1_crypt /backupdisk
}}}
 1. Create a directory in /backupdisk with the following naming scheme: <hostname>/<date>/
 1. For each filesystem (/boot, /) do the following:
 {{{
# cd / && tar cf - --one-file-system <mountpoint> |\
    gpg -r backup@cacert.org -e > \
    /backupdisk/<hostname>/<date>/<ID>_<FS>.tar.gpg
}}}
  * mountpoint: /boot or /
  * hostname: the name of the host
  * date: the current date in the format YYYY-MM-DD
  * ID: A number (01 for / (root), 02 for /boot)
  * FS: The filesystem name with each / replaced by a -. For the root filesystem use the name 'root'.

 For example: /backupdisk/hlin/2008-10-03/00_root.tar.gpg and /backupdisk/hlin/2008-10-03/01_boot.tar.gpg and /backupdisk/hlin/2008-10-03/02_var-lib-mysql.tar.gpg

 The keyid used for backups is: 0E1725CF
 1. [Optional] Verify the backup (see Verification procedure on next page).
 1. Unmount and disconnect the USB backup disk:
 {{{
# umount /backupdisk
# cryptsetup luksClose sdX1_crypt
# eject /dev/sdX1
}}}

To use this procedure you need:
 * the public gpg key (present in ~root/.gnupg/pubring.gpg)
 * a prepared harddisk
 * physical access to the machine
 * a USB connection for the harddisk
 * someone from secure-u to take the disk out of the datacenter afterwards and take it with them for storage

=== Verifying a full backup ===

This is best done directly after completion of the offsite backup procedure, at the step marked [Optional] above.

 1. Insert the USB stick with the private GPG key and mount it read-only on /mnt/keys.
 1. Go to /backupdisk/<hostname>/<date>
 1. Run the following command:
 {{{
for b in *
do
    echo "Verifying $b ..."
    gpg --homedir /mnt/keys/gnupg -d "$b" | tar tvf - >>/tmp/KLAD
done
}}}
 1. Inspect /tmp/KLAD for any anomalies.
 1. Unmount the USB stick with the private GPG key and remove it.
 1. Go to /

=== Restoring a full backup ===

In case you use a live CD:

 1. Mount the new disk on /new. Use encryption and so on! Mount the filesystems you want (for example /boot on the new disk) on their designated place in /new (for example: /new/boot).
 1. Mount the backupdisk on /backupdisk
 1. Mount the USB stick with the private GPG key read-only on /mnt/keys
 1. Go to /backupdisk/<hostname>/<date>
 1. Run the following command:
 {{{
for b in *
do
    echo "Extracting $b ..."
    gpg --homedir /mnt/keys/gnupg -d "$b" | (cd /new && tar xvpf - )
done
}}}
 1. Install grub on the new disk

In order to use this procedure you need:
 * The private GPG key on a USB stick
 * The backup disks including encryption passwords
 * Passwords for the new (encrypted) disk
 * Common sense and 4 eyes!

=== Remarks ===

----
CategoryProcedures
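The verification loop in "Verifying a full backup" relies on someone reading /tmp/KLAD, and a shell pipeline only reports tar's exit status, so a failed decrypt can pass unnoticed. The following is an added example, not part of the original procedure: it records the exit status of both gpg and tar for every archive. The function names and the DECRYPT variable are assumptions of this sketch; the gpg options are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original page): verify every archive in a
# backup directory and report failures instead of relying on eyeballing.

# DECRYPT (assumed name) is the command that writes the decrypted archive to
# stdout. The default is the gpg invocation from the verification procedure.
DECRYPT="${DECRYPT:-gpg --homedir /mnt/keys/gnupg -d}"

# verify_archive FILE LISTING
# Appends the tar listing to LISTING. Returns 0 only if both the decrypt
# step and the tar listing succeeded.
verify_archive() {
    st=$(mktemp) || return 2
    # The pipeline's status is tar's, so the decryptor's status is saved
    # to a temporary file and checked separately.
    { $DECRYPT "$1"; echo $? > "$st"; } | tar tvf - >> "$2"
    tar_rc=$?
    dec_rc=$(cat "$st")
    rm -f "$st"
    [ "$dec_rc" -eq 0 ] && [ "$tar_rc" -eq 0 ]
}

# verify_dir DIR LISTING
# Prints one OK/FAILED line per *.tar.gpg file in DIR. Returns 0 only if at
# least one archive was found and all of them verified.
verify_dir() {
    seen=0
    failed=0
    for b in "$1"/*.tar.gpg; do
        [ -e "$b" ] || continue
        seen=$((seen + 1))
        if verify_archive "$b" "$2"; then
            echo "OK      $b"
        else
            echo "FAILED  $b"
            failed=$((failed + 1))
        fi
    done
    echo "$seen archives checked, $failed failed"
    [ "$seen" -gt 0 ] && [ "$failed" -eq 0 ]
}
```

Source the file and run `verify_dir /backupdisk/<hostname>/<date> /tmp/KLAD` with the key stick mounted; a non-zero return means at least one archive did not decrypt or list cleanly.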