Well I mentioned before I hadn’t really given a lot of thought to backups; I had basically been going into the provided tool sporadically and doing them.
I finally gave it a closer look last night, and I’m about halfway through with doing the following:
I made a list of all of my VMs and divided them into several classes: Templates I can’t readily recreate, templates I can readily recreate, system stuff (i.e., all the networking qubes, sys-usb, and also the stuff I wrote for split veracrypt), and finally my App VMs. (And incidentally, there’s overlap in these classes as described…so if it’s one of the system stuff qubes, I exclude it from the other classes). Oh, and dom0 which must be handled with a bit of care.
I basically turned my list into a script to run a separate backup for each, saving a profile. (Then I found out the profiles live in /etc/qubes/backup and they are readily editable.)
The documentation for backup (i.e., man qvm-backup) implies that it’s possible to run backup from some other VM, but if so you must use a profile. That’s true…but only after you muck with the policies in /etc/qubes/policy.d. But I want to be able to run from another VM, so I did just that. [Note: Before someone admonishes me: Yes, I did this in a lower-numbered copy of the official file.]
So now, with profiles created, I can put scripts on a dedicated Backup VM that will invoke the backup with the profile, then rename the backup file to have the profile name as a suffix. That way, by eye, I can tell exactly what kind of backup it is. [I just realized as I was typing this, that one could tell by putting backups into different folders by type, obviating the need to run the backup from the destination VM. So I might want to do that instead and unmuck my policies!]
So at this point, I can create a cron job, which: starts the backup VM, mounts the storage device to it, then does qvm-runs to fire off a backup of the appropriate profile. That will require scripts resident on the backup VM.
I can also create a profile that backs up, literally, the ONE AppVM which really needs to be backed up every dang day, as opposed to all of them, which I want to back up less frequently, and put that in the cron job.
So: Now I have a schema that will work automatically, and back up the bare minimum every night; I can supplementally back up other things either regularly with less frequent cron jobs, or manually, as I realize “Oh, I just did a lot in such-and-such-app-vm, I should back it up.” I can either add it to the incremental profile and let it get swept up that night, or just do it right now. Or decide to run the profile to back up ALL AppVMs.
The point is you can set up profiles in whatever way makes sense to you, and have them back up at different times, at different intervals.
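The backup-VM side of the workflow described in this post (run a profile, then tag the archive with the profile name) could look like the sketch below. It is an added example, not the poster's script. Assumptions: the function names and the `QVM_BACKUP` override are hypothetical, the profile's destination is a directory on this qube, the profile supplies its own passphrase so the run is unattended, and archives are named `qubes-backup-<timestamp>`.

```shell
#!/bin/sh
# Added example: run one backup profile from the backup qube and append the
# profile name to the resulting archive. Requires the qrexec policy change
# the post mentions, so this qube is allowed to trigger the backup.

# Command used to start the backup; overridable for testing (hypothetical knob).
QVM_BACKUP=${QVM_BACKUP:-qvm-backup}

# Print the newest archive in directory $1 that has no profile suffix yet.
# Assumed name format: qubes-backup-YYYY-MM-DDTHHMMSS (sorts chronologically).
newest_unlabelled() {
    ls -1 "$1" 2>/dev/null |
        grep -E '^qubes-backup-[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{6}$' |
        sort | tail -n 1
}

# run_profile_backup PROFILE DEST_DIR
# Returns 2 on a bad profile name, 1 if the backup fails, 3 if no new
# archive appeared; on success prints the new file name.
run_profile_backup() {
    profile=$1
    dest=$2
    # The profile name ends up in a file name: allow only safe characters,
    # which also rejects path separators and "..".
    case $profile in
        ''|*[!A-Za-z0-9_-]*)
            echo "bad profile name: $profile" >&2
            return 2 ;;
    esac
    before=$(newest_unlabelled "$dest")
    # Outside dom0 only --profile is accepted; --yes skips the confirmation.
    "$QVM_BACKUP" --yes --profile "$profile" || return 1
    after=$(newest_unlabelled "$dest")
    # Refuse to relabel an old archive if the run produced nothing new.
    if [ -z "$after" ] || [ "$after" = "$before" ]; then
        echo "no new archive in $dest" >&2
        return 3
    fi
    mv -- "$dest/$after" "$dest/$after-$profile" &&
        printf '%s\n' "$after-$profile"
}
```

A dom0 cron entry would then start the backup qube, attach the storage device, and call this function through `qvm-run` with the profile name and the mounted destination directory.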