Backup Office Computers
This guide explains the recommended way to do backups for people working in the FSFE's office, that is, staff and interns. It can be useful for other groups as well but may require some modifications.
Currently, the programme we use to create backups is BorgBackup, often simply called borg. Its main features: great backup speed (even when using weak internet connections), space-efficiency, encryption by default, and clever ways for restoring data. However, it lacks a stable graphical user interface, so users are required to work on the command line for now. But don't be afraid: it is not hard!
The default setting for the backups is saving your home directory, so for example /home/LOCALUSER/ on your GNU/Linux computer. This is the place where all personal data and application configuration should be stored. Please refrain from storing important information outside of this directory – if you decide otherwise, make sure to include it in your backup schema.
Setup and Use
First, you will have to install the necessary software packages. Then, you need to configure access to the remote destination your backups will be stored in. Afterwards, you will set up the script which makes the backup really simple.
In this guide we assume your FSFE username is FSFEUSER. We also assume that LOCALUSER is the username on your computer. When following the guide, please exchange them accordingly.
Make sure to install the software in the list below using your package manager. It should be available in most GNU/Linux distributions.
borgbackup or borg (depending on your operating system it may have different names)
Access remote backup storage
You will back up your files to a remote place. At the moment, this is a hard disk in the Berlin office but this might be subject to change in the future. In order to gain access to this space, you will have to set up an SSH key. Like a GnuPG key, this is a secure way to authenticate yourself.
1. Check whether you already have an SSH key: type ls -al ~/.ssh in your GNU/Linux terminal. If id_rsa and id_rsa.pub appear, you already have an SSH key. If not, continue with step 2.
2. Generate a new SSH key by typing ssh-keygen -t rsa -b 4096 -C "FSFEUSER@fsfe.org". Omit typing in a password if you are sure that you can protect your SSH private key (it's like a house key!). If you set a password, consider using ssh-agent to avoid having to type in the SSH key's password each time you use it.
3. Ask the person having access to the backup server to create a user account on the backup storage for you. In order to do that, send an email with the id_rsa.pub file attached. As a reply, you should receive a remote username (which most likely is identical to FSFEUSER – if not, please use the given name for the rest of this guide) and a confirmation that you can continue. Before that, you unfortunately cannot continue with the next step.
4. Try to log in via your terminal with ssh FSFEUSER@fsfe-backup.fritz.box. Your SSH client will ask you to verify the server's SSH host key if it hasn't connected to it before. You should type 'yes' if you are sure you are in the FSFE's office network and copied everything correctly. After accepting, and if no error is triggered, you will see that the terminal prompt (the text in front of the cursor) has changed – you are connected to the server! Type exit once to disconnect.
Set a backup password
Borg encrypts all your backups securely to protect your sensitive data. Therefore, their security heavily depends on the strength of your password and how well you protect it. If you lose the password, there is no way to recover your backups! This section will help you find a good password for borg, and how you can save it on your computer for (semi)-automated backups.
Finding a good password is hard, and there are many strategies. This famous XKCD comic suggests using combined words, but you can also use a password manager like pass or KeePass to auto-generate lots of loooong passwords protected with only one strong master password you have to remember. Whatever you choose for your backups, make sure you use it for this purpose only and have a safe place to store it, even if your computer is stolen, burns to death, explodes or is kidnapped by evil aliens. Ask your colleagues and/or the internet for tips.
For borg, it is recommended to store the password with a small command line application called pass on your computer. It encrypts passwords with your GnuPG key which you already should have set up when working for the FSFE. The commands below show a short way to set everything up, but please also consult pass' website for more information.
In your terminal, run pass init FSFEUSER@fsfe.org, using your @fsfe.org email address which is connected to your GPG key.
Run pass insert borg_backup. This will open a prompt asking for the password you have chosen. Type/copy it and follow the instructions on the screen.
Afterwards, you can run pass to show all passwords in your local password store. pass show borg_backup should print the password you have chosen for borg. If this is the case, you can safely continue.
Create the borg repository
Now, you can initiate the borg repository. This only has to be done once.
In your terminal, type export BORG_PASSCOMMAND="pass show borg_backup". This will tell borg to use the password from pass and not ask you for it each time.
Run borg init --encryption=repokey ssh://FSFEUSER@fsfe-backup.fritz.box:22/~/Borg. The last part (starting with ssh://) will look different depending on your username. Ask the person controlling backups in the office for assistance here.
Download and run backup script
We have a script which makes it easy to semi-automate backups. Follow the instructions on this page to download and set it up.
Run a backup
If the script is set up, you can run the backup.
The process for all following backups is the same but they will take significantly less time. Depending on the speed of your network and the size of your home directory, the first backup could well take 1 hour or more, but perhaps also much less. Just plan enough time in advance.
In your terminal, run ~/bin/borg_backup.sh if you followed the recommendations of the script setup. If you set up everything correctly, borg will not ask for a password and will find the remote backup storage. Otherwise, please check everything carefully again.
After the backup has finished, you can check the whole repository by running borg list ssh://FSFEUSER@fsfe-backup.fritz.box:22/~/Borg. In order to see more information about a single backup, run borg info ssh://FSFEUSER@fsfe-backup.fritz.box:22/~/Borg::computername-2019-02-12T14:50:23, where the backup name will be different. Consult the borg documentation for more helpful commands.
If you would like to learn more about borg, the different commands and useful parameters, please have a look at the borg documentation. It is well written and continuously maintained. Other resources might be the wikis of your GNU/Linux distributions, so for instance UbuntuUsers or the Arch Linux Wiki.
Setup on Backup Server
The backup server must provide SSH public key logins for each user.
The backup server in the Berlin office is a Raspberry Pi model 1B+ running Raspbian stretch. As storage device we use an external hard disk attached to the computer and running 24/7. It is mounted to /srv, and /home is a symlink to /srv. Backup users currently have full shell access, so any files they store in their remote home directory are automatically stored on this disk.
Creating a new user
Run useradd -m FSFEUSER. As user name, please use the FSFE user name to keep this guide and the overview simple.
Copy the new user's public SSH key to /home/FSFEUSER/.ssh/authorized_keys.
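The key-installation step above, as an added example that is not part of the FSFE's guide or scripts: because backup users otherwise get full shell access, it writes the key with a forced borg serve command and the permissions sshd expects. The function names, the sample key and the choice of ~/Borg as the only permitted repository path (taken from the client steps) are assumptions.

```shell
#!/bin/sh
# Added example. SAMPLE_PUBKEY is a constructed value, not a real key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQconstructed FSFEUSER@fsfe.org'

# Print an authorized_keys line that limits the key to "borg serve" on one path.
# $1 = repository path on the server, $2 = contents of the user's id_rsa.pub
restricted_key_line() {
    repo_path=$1
    pubkey=$2
    nl='
'
    # The path ends up inside command="...", so it must not contain a quote.
    case $repo_path in
        *'"'*) echo "repository path must not contain a double quote" >&2; return 1 ;;
    esac
    # Exactly one line: an embedded newline would add a second, unrestricted key.
    case $pubkey in
        *"$nl"*) echo "public key must be a single line" >&2; return 1 ;;
    esac
    # The line must start with a key type, so pre-existing options are rejected.
    case $pubkey in
        "ssh-rsa AAAA"*|"ssh-ed25519 AAAA"*|ecdsa-sha2-*" AAAA"*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    # "restrict" turns off port/agent/X11 forwarding and PTY allocation.
    printf 'command="borg serve --restrict-to-path %s",restrict %s\n' \
        "$repo_path" "$pubkey"
}

# Write the line to <home>/.ssh/authorized_keys (replacing any existing file,
# one key per backup user). $1 = home directory, $2 = public key line
install_backup_key() {
    line=$(restricted_key_line "$1/Borg" "$2") || return 1
    (
        umask 077   # subshell keeps the caller's umask unchanged
        mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" &&
        printf '%s\n' "$line" > "$1/.ssh/authorized_keys" &&
        chmod 600 "$1/.ssh/authorized_keys"
    )
}
```

On the server this would be run as root, for example install_backup_key /home/FSFEUSER "$(cat id_rsa.pub)", followed by chown -R FSFEUSER: /home/FSFEUSER/.ssh so that sshd accepts the file.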