DIY Off-site encrypted backup with Raspberry Pi

slb   January 5, 2018   Comments Off on DIY Off-site encrypted backup with Raspberry Pi

While my day job often involves creating highly available enterprise storage products, I am more interested in building cheap solutions at home that can accomplish things only expensive products did a few years ago.  In this case, I need to backup all my personal files: financial, documents, family photos/videos, etc.   I’ve had few variants of this setup in the past, usually built on a PC or a laptop.  This time, I’m going to do it as tiny and low-cost as possible.

In general, if you want to backup some data, it’s probably important to you.  If it’s important, you want to make sure this backup copy doesn’t get lost also, if your main copy is lost.  Obviously, putting a copy on a USB drive and storing it in a shelf above your computer is not going to cut it.   A house break-in, fire, etc will knock out both copies.   At the same time, if your data is far away from you, it’s hard to control it.  A fire, or break-in could occur, or nefarious people could get to your data.

So I wanted something that is small, unassuming, can be stashed at another location such as another house, and was completely encrypted.   I want to make sure if I lose track of it, there’s basically no way to access the data, and it would be very difficult to even figure out what it had on it.

The hardware

rpibackup

I hit up amazon for the parts:  A Raspberry Pi 3, 32GB SDCard, Canakit power supply, a 2TB Laptop drive in a shiny aluminum case, and a very cool FLIRC matching aluminum case.   At the time, total cost was about $150.   The HDD is easily powered from the Raspberry Pi’s USB port, as long as you have a decent power-supply.   Stability is important, because if this thing locks up it’ll be hard to reboot it since it’ll be off site somewhere.

The Pi: https://www.amazon.com/gp/product/B01CMC50S0

A pretty backup drive: https://www.amazon.com/gp/product/B00FRHTTIA

A nice FLIRC Case: https://www.amazon.com/gp/product/B07349HT26

AC Adapter: https://www.amazon.com/gp/product/B00MARDJZ4

32GB SD Card: https://www.amazon.com/gp/product/B010Q57T02

The Software

For the OS, I went with the standard: Raspbian (Stretch).      As far as the rest of the software goes, the core components I used are:

RSnapshot: http://rsnapshot.org/

Tinc (VPN):  https://www.tinc-vpn.org/

CryptSetup/dm-crypt: https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt

Theory of operation

OK, so I didn’t write this as a cookbook or HowTo.  I also don’t want to be too specific about how it’s setup for security’s sake.  Essentially, the raspberry pi will boot, and phone home over VPN (tinc).  It doesn’t know how to unlock or mount the drive it has.   Once it has phoned home, I can then manually enter the encryption keys and mount the drive, which contains a set of scripts and keys for the backup to work.   It also has a set of scripts on the encrypted disk that can be used to setup and initialize a blank raspberry pi that is attached.  I’m assuming here the SDCard it runs can fail easily, or that the drive itself may be the only thing I can retrieve in the future.

In normal operation, everything is run on the raspberry pi itself.  If everything is mounted,  the backup process can run periodically and automatically, pulling all the data from various servers I have and storing it on the attached drive.  I could even have it backup data from various cloud providers. I don’t need to “push” data to the remote backup, it “pulls”.

This works great with rsnapshot, which as it pulls data uses rsync and hard links to keep multiple point-in-time copies of data.  This means I have a view of ALL my data today, yesterday, and every day for 14 days, as well as weeks and month snapshots.  The overall space utilization for my own uses is very low even with dozens of daily, weekly, monthly copies.   The reason is that my data doesn’t change much over time, I mostly add pictures and documents but I don’t rewrite things very often.

Summary

The end result is a tiny, low power, $150 2-Terabyte encrypted backup solution that can be placed just about anywhere there is internet connectivity.  It automatically backs up data on a set schedule, and can protect against either loss of my main computer, theft of the equipment, mistake in deleting the data, or other malicious attacks.  Alternatively, if it gets lost due to a similar situation at the remote site, no personal data is left out of my control.  The data itself, as well as the knowledge of how to run the backups, is entirely encrypted.  If the whole thing gets destroyed, it isn’t a huge loss either.  I’m assuming it’s far enough away that a house fire or theft won’t affect both sites at once.

This kind of feature set would have been very expensive less than ten years ago!   When you consider the cost of even the cheapest amazon backups (where you don’t have as much control over security and you pay monthly forever), it’s a great value.