What are your backup routines?

anon42499160 · June 14, 2024, 8:36pm

Hi,

I am currently replanning my backup routine and just wanted to hear what your routines are.

I am currently thinking about using 1tb usb stick (it supports 1gb reading, 900mb writing) and a micro sd card (also 1tb, never thought these little things can store so much!) as a second backup.

What do you think about my plan? And again: What are your backup routines (How often do you create backups, what hardware do you use, etc.)?

solene · June 14, 2024, 9:17pm

Hi

backup often
test your backup
always have a local backup locally and a remote backup
make sure you can use your remote backup if the computer + local backup are destroyed/lost

alimirjamali · June 14, 2024, 9:22pm

Usually follow 3-2-1 backup strategy. i.e.:

It states that there should be at least 3 copies of the data, stored on 2 different types of storage media, and one copy should be kept offsite, in a remote location (this can include cloud storage)

Follow a backup rotation scheme if you have more than 1 stick or in enterprise environments.

Differential backups for more frequent backups, incremental backups for less frequent backups. Full backups for archival (e.g. yearly).

solene · June 14, 2024, 9:55pm

modern backup software combine differential backup by only saving what changed between two backups, and full backups as every snapshots are atomic and contain everything

tannerlambert · June 15, 2024, 12:52am

I have a list of directories for each VM that I want to backup. For example for “the trusted browser”, that would be /home/user/.config/chromium, for “coding” (a standalone VM) thats /home/user, for “matrix” thats /home/user/.config/matrix and so on.

I create tar.gz archives of those dirs with a script. Backing up the whole VM doesn’t make sense to me, as building a new VM (cloning debian minimal, installing apt packages, creating an appvm) kind of takes the same amount of time it would to restore a whole image plus minus a few seconds.

I kind of treat my qubes like a throw away system. The only thing that matters is the backup + the setup scripts. I can wipe the luks header and other than the installation of qubes itself and downloading the debian minimal template, the restore doesnt take much time (I use apt-cacher-ng).

I kind of dream of a fully automated install for qubes OS, like what you do with preseeding for debian… Does that exist? LIke something to preseed all the questions you have during the install, maybe with the exception of the luks password.

apparatus · June 15, 2024, 4:40am

github.com

Qubes-Community/Contents/blob/fd9649928d48ff62cbbbc4e019d81a1d7ee7a122/docs/hardware/Autonomous Qubes-install (kickstart).md



## Note - Doc not finished yet! ##
This doc is reaching toward completion, however, has some errors that need correction first, as well as missing additions.

To-do:
- Fix kickstart template, it has a couple of issues, like creating user account creation that does conflict with first-boot, Qubes's initial-setup.
- Include template variants (for example to illustrate how they are modified, but this is a low-priority to-do).
- Sorting and including/excluding the proper packages that are recommended or optional (recommended packages are high priority, optional packages are low priority).
- Completting the sections that mention "may be included in the future" found a few places in the doc.
- Fixing bad tips, advices or KS-template layouts (proof-reading, requires extra study/read-up (must be done before official Qubes doc PR summit), or help from someone with insight).
- Fixing poor explanations (proof-reading).
- Fixing typo's and spelling errors, grammer etc, (proof-reading).
- Any feedback or contributions, like helping toward finishing the to-do, is very welcome and appreciated.


## Introduction ##
The purpose of kickstart files is to install an operation system from start to end with less, or no human interaction at all. A kickstart file is therefore essentially a pre-configuration of any settings you may normally need to adjust during a normal Linux install. Here you may find instructions on how to get started with Qubes OS and kickstart files.

In order to avoid confusion, please note that the use of the wording kickstarter template does not refer to Qubes templates, but rather a simple configuration file, which when loaded will semi or fully Autonomously install Qubes (or fedora/redhat/cent).

This file has been truncated. show original

leo493 · June 15, 2024, 6:29am

Can you recommend a software? I believe there’s just a standard software that is the FOSS and most people in the Linux Community use it.

leo493 · June 15, 2024, 6:43am

May I add something.

Use trees.

I have trees of all my backups. Any new backup, even before filtering it (i.e. removing any duplicate in it,) I run the tree command on it. I actually run two tree commands: one I call it “simple” and the other one “complex”… Basically, that way, if I had to only have cloud backups (for example, lost the local ones,) and I can’t download everything, I can download only the trees which will then give me the ability to know which part should I download from the cloud backups so I can have the file I’m looking for.

The “simple” is tree -a, and the “complex” is tree -ahD --du. When I’m looking for a file name, I look in the “simple” trees. When I’m looking for information about a file that I have its name, I look in the “complex” trees.

solene · June 15, 2024, 7:52am

The most common are borgbackup and restic. However if you want to backup qubes, I can only recommend ANN: Wyng incremental backup, new version! which was tailored for efficient backups of disk volumes or disk images.

or my hack to use the official Qubes OS backup tool and pipe its backup to restic/borg to benefit from compress/deduplication instead of having to save the whole qubes every time.

adw · June 16, 2024, 4:52am

Qubes has its own built-in backup tool, which is documented here:

This may or may not meet your needs. If it does, then it’s a simple and secure solution that doesn’t require you to install any third-party tools.

If you choose to use a different tool, make sure you’re aware of the security properties you may be giving up. (For example, Qubes backups feature authenticated encryption, which most DIY backup schemes do not. This is what allows you to securely restore from a backup without dom0 being compromised.)

evers51 · June 20, 2024, 8:28pm

May I ask a question? I’m really frustrated! Restic, for example, doesn’t allow creating backups without passwords. Same goes to MEGA: “We do end-to-end encryption! Yaay!”, or Sync: “We’re the most private and secure on the planet! Yaay!”.

I mean, seriously, do I misunderstand something? Why won’t I just encrypt my backups my self using gpg -c after creating backups with Restic, or before uploading to MEGA or Sync or so? Why would I ever not do that? I mean, I think I can even rely and be more rest-assured with my gpg -c than Restic, and than MEGA and Sync and everything else!

Why won’t I just create an anonymous account and upload files that I encrypted them my self using gpg -c to Sync? And then, if Sync is “The least private and secure on the planet! Yaay!” it will never matter, because I’m private anyway and secure anyway? (Disregarding the problems with Terms of Service regarding anonymous accounts or so. Just an example.)

Is this all really because: “most of people aren’t “advanced” enough”? MEGA, for example, is really famous with “We end-to-end encrypt for you for free! Hahaha! We’re good!”. Do they really do all of that because people didn’t take 5 minutes to know how to use gpg -c? It’s not only MEGA or Sync, it’s many more those are also happy and being proud that they “encrypt stuff”, for example, Proton Drive. Why won’t I just “encrypt stuff” my self?

I’m sorry that I may be asking this here and it’s not the place, but I really don’t know other places. Besides that I believe Qubes OS people are most likely the most security savvies out there! And this is related to this topic as well.

solene · June 20, 2024, 9:16pm

restic uses a specific storage format using a lot of files, how would you encrypt them all with gpg?

XMachina · June 20, 2024, 9:38pm

To add, I keep a minimal backup on a USB flash drive. I keep the latest signed ISOs for Qubes, Debian, and Tails, and then I backup specific files from dom0 and my vaultVM. I keep the ISOs on a public partition and the rest on an encrypted partition:

Tails for when I need to work in something extremely sensitive where really only an amnesiac environment like Tails would work. Ex.: highly sensitive, trusted files,
Debian for a quick Linux environment, and for fixing Qubes. IMO, this is a faster, cleaner environment for fixing Qubes than the ISO if you know how to work with encrypted LVM,
Qubes for reinstalls and edge cases,
VaultVM for passwords and sensitive documents I may need,
Dotfiles (and other things) from dom0, mainly to get an environment that I’m comfortable with in case of reinstall.

This, obviously, is not my whole routine, but it has proven valuable as a minimal working environment in a pinch for recovery and emergencies, especially for fixing Qubes when I do something stupid and it breaks. YMMV, but I’ve found it to be useful.

evers51 · June 21, 2024, 6:04pm

Isn’t it right that restic stores all the backups (all the important stuff) in the repository directory?

tar cz my-restic-repo | gpg --cipher-algo AES256 -o my-restic-repo-encrypted.tar.gz.gpg -c, then rm -rf my-restic-repo when succeeds. Won’t that effectively encrypt my repository? (Assuming my-restic-repo is the repository directory.)

And then whenever I want the repository to use it: gpg -d my-restic-repo-encrypted.tar.gz.gpg | tar xz. Isn’t that right? What will I lose if I just didn’t set a password while creating the restic, if I did that? (it doesn’t allow me, but say I just entered one letter.)

It’s stated on the Restic documentation, on the Encryption section: “The design might not be perfect, but it’s good.” That’s why I’m thinking gpg to be more secure or so.

There’s no problem at all that I use a complex password while setting the restic repository, as restic wants, and depend on it, and I believe I’ll be secure. But I just want to understand.

Please, please tell me, you’ve really made me worried! What do I misunderstand? I’m really using the gpg -c way to encrypt a lot of things and depend on it to protect them!

OvalZero · June 22, 2024, 10:27am

How did you come to the conclusion?

restic docs — empty password/zero key