Backup Office Computers
This guide explains the recommended way to do backups for people working in the FSFE's office, so staff and interns. It can be useful for other groups as well but may require some modifications.
Currently, the programme we use to create backups is BorgBackup, often simply called borg. Its main features: great backup speed (even when using weak internet connections), space-efficiency, encryption by default, and clever ways for restoring data. It however lacks a stable graphical user interface so users are required to work on the command line for now. But don't be afraid: it is not hard!
The default setting for the backups is saving your home directory, so for example /home/LOCALUSER/ on your GNU/Linux computer, which is equivalent with ~. This is the place where all personal data and application configuration should be stored. Please refrain from storing important information outside of this directory – if you decide otherwise, make sure to include it in your backup schema.
First, you will have to install the necessary software packages and think of a strong password. Then, you need to configure access to the remote destination your backups will be stored in. Afterwards, you will setup the script which makes the backup really simple.
In this guide we assume that your FSFE user name is FSFEUSER. Make sure to replace this throughout the guide accordingly.
Make sure to install the software in the list below using your package manager. It should be existent in most GNU/Linux distributions.
borgbackup or borg (depending on your operating system it may have different names)
Set a backup password
Borg encrypts all your backups securely to protect your sensitive data. Therefore, their security heavily depends on the strength of your password and how well you protect it. If you lose the password, there is no way to recover your backups! This section will help you find a good password for borg, and how you can save it on your computer for (semi)-automated backups.
Finding a good password is not trivial, and there are many strategies. This famous XKCD comic suggests using combined words, but you can also use a password manager like pass, KeePass, or KeePassXC to auto-generate lots of loooong passwords protected with only one strong master password you have to remember. Whatever you choose for your backups, make sure you only use it for this purpose only and have a safe place to store it, even if your computer is stolen, burns to death, explodes or is kidnapped by evil aliens. Ask your colleagues and/or the internet for tipps.
Again, it is crucial that your password is securely stored somewhere else then on your work computer. You can only restore the backup with this password!
Create SSH key
You will backup your files to a remote place. In order to gain access to this space, you will have to set up a SSH key. Like a GnuPG key, this is a secure way to authenticate yourself.
Check whether you already have an SSH key: Type ls -al ~/.ssh in your GNU/Linux terminal. If id_rsa and id_rsa.pub appears, you already have a SSH key. If not, continue with step 2.
Generate a new SSH key by typing ssh-keygen -t rsa -b 4096 -C "FSFEUSER@fsfe.org". Omit typing in a password if you are sure that you can protect your SSH private key (it's like a house key!). If you set a password, consider using ssh-agent to avoid having to type in the SSH key's password each time you use it.
Request backup storage creation
Now it is time to create the remote backup storage. This is handled by our System Hackers.
Send an email to email@example.com asking for the backup store. Provide the following information:
- Which folders would you like to have stored in your backup? By default, we save the whole home directory, but you can provide more if necessary
Attach your public SSH key id_rsa.pub. You will find it in ~/.ssh/. Make sure to send the file suffixed with .pub, the other one is your private key!
You can only continue with the next step as soon as you have received a reply.
Configure the backup
In the reply, you will receive a configuration file for borgmatic. Borgmatic is a so-called wrapper for borg which makes initialisation and creation of backups easier for you. Let us configure borgmatic once:
Save the file config.yml in the directory ~/.config/borgmatic/
Open the file and replace <REPLACE_WITH_PASSWORD> with the strong password you have chosen before
Now, you can initiate the borg repository. This only has to be done once.
Open a terminal and run the following command: borgmatic -I -e repokey-blake2
You will see something like The authenticity of host 'a3p79bh3.repo.borgbase.com (22.214.171.124)' can't be established.. Type yes to confirm.
- Then, you will see some information about your borg version and security considerations. If you see something completely different, reply back to the System Hacker you had contact with.
Run a backup
Now you are set to run your first backup. Since you will send it to a remote server, it can take quite some time. In the Berlin office, an initial backup of 10 GB might well take ~1 hour. But all following backups will be much faster and a matter of a few minutes.
The following command creates a backup. You will see some progress and information about the running and finished backup. If it's finished, the last lines of the output will indicate clearly whether it has been successful or not.
borgmatic --create --progress --stats
If you would like to learn more about borg, the different commands and useful parameters, please have a look at the borg documentation. It is well written and continuously maintained. Other resources might be the wikis of your GNU/Linux distributions, so for instance UbuntuUsers or the Arch Linux Wiki.
The perspective of the System Hackers is explained here.