I’ve had what I thought was a fairly good backup system for a while: I use rdiff-backup to synchronize all my computers onto a central machine with a large disk, then I copy that machine’s backups to an encrypted external USB drive. The external drive is only mounted during backups. I rotate through a couple of external drives and I keep the inactive drives in a safe place outside my house. Other than manually transporting a drive back and forth to my outside storage about once a week, all of this is automated. I thought this covered all the normal risks pretty well:
- I keep roughly 30 daily rdiff-backup increments, so individual machines are protected.
- The external drives protect against the backup machine failing.
- Keeping drives outside the house protects against fires, theft, or other major disasters that might take out the main backup computer and its external drive at the same time.
- Encrypting the external drives protects against the non-financial risks of me losing one when I’m carrying it back and forth.
- The external drives are normally not mounted except during a backup, which hopefully provides some protection against a potential ransomware infection.
All of that has been working great for a while. I’ve even tested restoring files a few times, so I know files are generally backed up correctly. After getting hit by a bcache bug during a Fedora 30 upgrade, I realized there was one major hole left: the backup scripts and keys needed to decrypt the external drives! Luckily, I was able to recover enough of the internal drive to decrypt my backups.
I have now made a separate backup of the backups user onto an encrypted DVD. This DVD can be decrypted and mounted in Cinnamon with no extra software (as long as I remember the password), so I’ll just keep a copy in my storage locker with the offsite external drives and hopefully not have any holes left.
Here is how I created the DVD:
```bash
# Make the image fill the entire DVD so people can't tell how
# much it contains by looking at the burned area.
truncate -s 4700000000 dvd.img

# Encrypt the image and create a mapping at /dev/mapper/dvdbackup
sudo cryptsetup luksFormat --cipher aes-xts-plain64 dvd.img
sudo cryptsetup luksOpen dvd.img dvdbackup

# DVDs always have 2048 byte sectors. We need to make the filesystem
# block size match in order to read it back from the disc later.
sudo mkudffs -b 2048 /dev/mapper/dvdbackup

# Create the mount point if it does not already exist, then mount.
sudo mkdir -p /mnt/backups
sudo mount /dev/mapper/dvdbackup /mnt/backups

# Copy files to /mnt/backups

sudo umount /dev/mapper/dvdbackup
sudo cryptsetup luksClose /dev/mapper/dvdbackup

# Burn to a blank DVD
growisofs -dvd-compat -Z /dev/sr0=dvd.img
```
Once this is done, inserting the DVD pops up the normal encrypted disk dialog in Cinnamon. Entering the password mounts it like normal, and then I verified that all the files match the originals. Since the backup scripts and keys only change occasionally, I can keep this as a manual process. I have put a reminder on my calendar to re-check and/or re-create the DVDs twice a year just to make sure they don’t degrade in storage.
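The "files match the originals" check and the twice-yearly re-check can both be scripted with a checksum manifest stored on the disc itself, so the disc can be verified even when the originals are gone. This is an added example, not part of the original procedure; the `SHA256SUMS` file name and the function names are assumptions, and it relies on GNU `find`, `sort`, `xargs` and `sha256sum`.

```shell
#!/bin/sh
# Added example: SHA-256 manifest for an encrypted backup disc.
# MANIFEST_NAME and the function names are assumptions, not from the post.

MANIFEST_NAME=SHA256SUMS

# make_manifest DIR OUT
# Hash every regular file under DIR (except the manifest itself) and write
# the sorted list to OUT. A file that cannot be read makes sha256sum, and
# therefore this function, fail, which is how a degrading disc shows up.
make_manifest() {
    ( cd "$1" &&
      find . -type f ! -name "$MANIFEST_NAME" -print0 |
          LC_ALL=C sort -z |
          xargs -0 -r sha256sum ) > "$2"
}

# verify_tree DIR MANIFEST
# Re-hash DIR and compare the result with MANIFEST. Returns 0 only when the
# set of files and every hash are identical, so changed, missing and extra
# files are all reported (as a unified diff on stdout).
verify_tree() {
    vt_tmp=$(mktemp) || return 2
    if make_manifest "$1" "$vt_tmp" && diff -u "$2" "$vt_tmp"; then
        vt_rc=0
    else
        vt_rc=1
    fi
    rm -f "$vt_tmp"
    return "$vt_rc"
}
```

Run `make_manifest /mnt/backups /mnt/backups/SHA256SUMS` after copying the files and before unmounting; at each re-check, run `verify_tree` with the DVD's mount point and the `SHA256SUMS` file on it.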