Securely back up files to cloud storage using tar, gnupg, rsync and cron

Introduction

I recently switched to vimwiki for note-taking and wanted to make an encrypted backup of my notes, and came up with the following solution. I have since made use of this to back up various other files from my system.

I am not an expert so please feel free to suggest any improvements or corrections.

Requirements

Creating a passphrase

First you will need a passphrase to use for your symmetric encryption. Create a text file containing this passphrase in the first line of the file and save it; I save mine as ~/.gnupg/backup-passphrase. It should be a long random string. I used bitwarden to create this and also save a copy of it there.

Once it was saved, I changed the permissions of the file using:

chmod 600 ~/.gnupg/backup-passphrase

Archiving and encrypting

I have created a short bash script which does the following:

  • Creates an archive of the directory /home/trystan/vimwiki
  • Runs this archive through gzip (as text is highly compressible)
  • Pipes the output from tar to gpg
  • Encrypts the archive with AES-256 using the specified passphrase file
  • Saves the encrypted file to a local folder
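
#!/bin/bash
# Archive and gzip the vimwiki directory, writing the archive to stdout,
# then pipe it to gpg for symmetric AES-256 encryption with the passphrase file.
tar -czf - \
 /home/trystan/vimwiki | \
 gpg --yes --pinentry-mode loopback \
 --symmetric --cipher-algo AES-256 \
 --passphrase-file /home/trystan/.gnupg/backup-passphrase \
 --output /home/trystan/backup/vimwiki.tar.gz.gpg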

Sync folder to cloud storage

This script is used to sync my local backup folder to the Dropbox folder.
I use the --checksum option to prevent rsync from copying the file if nothing has changed, as the local file will always have a newer timestamp. This should save bandwidth on uploading the same data.

#!/bin/bash
rsync --recursive --checksum /home/trystan/backup /home/trystan/Dropbox

Periodically run the scripts using cron

Make sure each script is executable using

chmod +x /path/to/script

Then add the following lines to your crontab, replacing the paths to match your scripts.
This will execute the archive and rsync scripts every hour @ :00 and :02.

0 * * * * /bin/bash /home/trystan/scripts/backup_vimwiki.sh
2 * * * * /bin/bash /home/trystan/scripts/rsync_dropbox.sh

Summary

Using simple command line tools it is fairly easy to back up personal documents onto cloud storage with a trust-no-one approach. I have several scripts which back up different things, such as my dotfiles, documents folder etc. I would say this method is best suited for smaller files, as it requires your documents to be encrypted every hour and there may be a high overhead if you have a very large folder containing video files, for example.

6 Likes
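
A variant of the archive script above that checks the passphrase file's permissions and replaces the previous backup only after the new encrypted archive passes a restore test (decrypt and list). This is an added example, not part of the original post; the function names, the three-argument interface and the use of GNU stat are assumptions.

```bash
#!/bin/bash
# Added example: encrypt, verify the result decrypts, then replace the old backup.
# Function names and the calling convention are hypothetical.

# Fail if the passphrase file is accessible to group or others (GNU stat).
check_passfile() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing $1: mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# backup_encrypted SRC_DIR PASSFILE OUT_FILE
backup_encrypted() {
    local src=$1 passfile=$2 out=$3 tmp
    check_passfile "$passfile" || return 1
    # Temp file next to the destination so the final mv is a rename.
    tmp=$(mktemp "$out.XXXXXX") || return 1

    # Subshell with pipefail: a tar error fails the step, not only a gpg error.
    if ! ( set -o pipefail
           tar -czf - -C "$(dirname "$src")" "$(basename "$src")" |
           gpg --batch --yes --pinentry-mode loopback \
               --symmetric --cipher-algo AES256 \
               --passphrase-file "$passfile" --output "$tmp" ); then
        rm -f "$tmp"; return 1
    fi

    # Restore test: decrypt and list the archive, discarding the listing.
    if ! ( set -o pipefail
           gpg --batch --quiet --pinentry-mode loopback \
               --passphrase-file "$passfile" --decrypt "$tmp" |
           tar -tzf - >/dev/null ); then
        rm -f "$tmp"; return 1
    fi

    mv -f "$tmp" "$out"
}

# Run only when called with three arguments, e.g. from a cron entry.
if [ "$#" -eq 3 ]; then
    backup_encrypted "$@"
fi
```

Running the rsync step from the same cron entry, after this function returns successfully, keeps the temporary file out of the synced folder.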

Hi,

It's just a side note, but the first thing that came to my mind was to replace Dropbox with a provider for Nextcloud. You can get free accounts with, for example, 5GB.
That is what I would do in any case.

And I would have the following question:

Does your TAR archive also get synchronized “incrementally”, although it is encrypted? So, only the changes are uploaded?

Because: I actually work with AES encrypted 7z archives, with a size of e.g. 15GB, and I have to re-upload (via Nextcloud) this archive whenever I make a change. Although I have fast internet, a more incremental solution would be better, I know…

No, unfortunately not. If even a small file is added to the archive the encrypted archive will look completely different.

You might want to check out rclone, so you don’t have to re-upload the whole archive each time you change something. Supports encryption as well. Or something like encfs to encrypt the files in combination with your rsync script, and then sync the encrypted folder structure with Dropbox.

Howdy @trystan, This is a nice write up for your first post! :smiley: I would also recommend taking a look at Restic and Rclone as they can be combined together to do something similar. But sometimes it's nice to play with the tools directly!