thev.net

Snapshot-based Backup with Encryption

Prerequisite

A Linux system with NILFS2 support, including both the kernel module and the userland utilities. NILFS2 is a log-based file system that supports continuous snapshots. It has been part of the mainline 2.6 kernel tree since 2.6.30-rc1.

Goal

  1. Use NILFS2 to make persistent snapshots of backups so that earlier versions can always be traced back.
  2. The backup should be just a single file, for easy transportation.
  3. The volume shall be encrypted.

Setup

First, create a 16G image file suede.img and set it up as a loopback device:

dd if=/dev/zero of=suede.img bs=1024M count=16
losetup /dev/loop0 suede.img

Then we use cryptsetup to set up a LUKS partition. This requires the device mapper kernel module, which is found under Multi-volume support (LVM, etc) in the kernel configuration:

modprobe dm-crypt
cryptsetup luksFormat /dev/loop0

It will prompt for a passphrase and then set up the partition using the default encryption cipher (aes-cbc-essiv:sha256) with this passphrase.

Finally, we open the partition, create a file system on it and mount it. The luksOpen step prompts for the passphrase in order to decrypt the partition:

cryptsetup luksOpen /dev/loop0 backup
mkfs -t nilfs2 -L VOLUMELABEL /dev/mapper/backup
mount /dev/mapper/backup /mnt/backup

The partition can later be unmounted like this:

umount /mnt/backup
cryptsetup luksClose backup
losetup -d /dev/loop0

Make a Snapshot

With the partition successfully mounted, we can back up the home directory like this:

rsync -aPq --delete /home/USERNAME /mnt/backup/

This will make sure the backup copy is exactly the same as the home directory. Then we can make a snapshot with:

mkcp -s /dev/mapper/backup
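
The recurring part of the procedure above (attach, unlock, mount, rsync, snapshot, then the unmount sequence from Setup) as one script that tears everything down again even when a step fails, so the decrypted mapping is never left open. This is an added example, not part of the original article; it reuses the article's device and path names, while DRY_RUN, run and backup_cycle are assumed names, and the one-time dd, luksFormat and mkfs steps are expected to have been done already.

```shell
#!/bin/sh
# Added example: one backup cycle with guaranteed teardown in reverse order.
# Device and path names are the article's; DRY_RUN, run() and backup_cycle()
# are hypothetical names introduced for this example.
IMG=suede.img LOOP=/dev/loop0 NAME=backup MNT=/mnt/backup SRC=/home/USERNAME
DRY_RUN=1   # 1 = only print the commands; set to 0 to execute them (as root)

# Print the command in dry-run mode, otherwise execute it unchanged.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

backup_cycle() {
    stage=0 rc=0
    # A stage marker is set only after its setup command has succeeded,
    # so teardown knows exactly how far the cycle got.
    run losetup "$LOOP" "$IMG"               && stage=1 &&
    run cryptsetup luksOpen "$LOOP" "$NAME"  && stage=2 &&
    run mount "/dev/mapper/$NAME" "$MNT"     && stage=3 &&
    run rsync -aPq --delete "$SRC" "$MNT/"   &&
    run mkcp -s "/dev/mapper/$NAME"          || rc=$?

    # Undo only what was set up, newest first. A failed rsync still unmounts
    # and closes the LUKS mapping; a failed luksOpen (for instance a wrong
    # passphrase) only detaches the loop device.
    if [ "$stage" -ge 3 ]; then run umount "$MNT" || rc=$?; fi
    if [ "$stage" -ge 2 ]; then run cryptsetup luksClose "$NAME" || rc=$?; fi
    if [ "$stage" -ge 1 ]; then run losetup -d "$LOOP" || rc=$?; fi
    return "$rc"
}

backup_cycle
```

A non-zero exit status means either the backup or the teardown failed; in the second case check that /dev/mapper/backup is really gone before moving the image file.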

Mount a Snapshot

The latest snapshot can always be accessed directly by browsing the mounted directories. To list all past snapshots, do:

lscp -s /dev/mapper/backup

To mount a past snapshot, do (replace CNO with a snapshot number):

mount -t nilfs2 -o cp=CNO,ro /dev/mapper/backup /mnt/tmp

Drawbacks

The major drawback is that this backup file is not resizable because NILFS2 isn’t, so this method is not the most scalable solution.

Also, rsync is kind of dumb. It doesn’t know that a file has been moved to a new place (which is only a directory change), so it will always create a new file in the new place (which involves extra data blocks). Consequently, NILFS2 will waste more space in between the snapshots. This is in general a problem with many backup solutions, and can only be solved at the file system or OS level.
