Secure Offsite Backups with Encrypted Rsync: Implementing End-to-End Encryption for Remote Storage



When implementing mutual offsite backups between two home servers, the fundamental security requirement is clear: data stored on your peer's server must remain encrypted and inaccessible to the host system. Traditional rsync transfers don't natively handle this encryption layer, but we can architect a solution using Linux's built-in cryptographic tools.

The most robust approach involves creating an encrypted container on the external drive using LUKS (Linux Unified Key Setup). Here's how to implement it:


# On your local machine (before sending the drive to your friend)
sudo cryptsetup luksFormat /dev/sdX1
sudo cryptsetup open /dev/sdX1 backup_volume
sudo mkfs.ext4 /dev/mapper/backup_volume
sudo mount /dev/mapper/backup_volume /mnt/encrypted_backup

The transfer process requires combining rsync with SSH for secure authentication and transport encryption:


#!/bin/bash
PASSPHRASE="your_strong_passphrase"
REMOTE_USER="backupuser"
REMOTE_HOST="friend.example.com"
REMOTE_PORT="22"
MOUNT_POINT="/mnt/encrypted_backup"

# Unlock and mount the encrypted volume remotely via SSH.
# The passphrase travels over SSH stdin (--key-file=-), so it does not
# appear in the remote command line or process list.
printf '%s' "$PASSPHRASE" | ssh -p "$REMOTE_PORT" "$REMOTE_USER@$REMOTE_HOST" \
  "sudo cryptsetup open --key-file=- /dev/sdX1 backup_volume && \
   sudo mount /dev/mapper/backup_volume $MOUNT_POINT"

# Perform the encrypted rsync transfer
rsync -avz -e "ssh -p $REMOTE_PORT" \
  --progress --delete \
  /local/backup/path/ \
  "$REMOTE_USER@$REMOTE_HOST:$MOUNT_POINT/"

# Unmount and lock the volume after completion
ssh -p "$REMOTE_PORT" "$REMOTE_USER@$REMOTE_HOST" \
  "sudo umount $MOUNT_POINT && sudo cryptsetup close backup_volume"

For better security than plaintext passphrases in scripts:

  • Use SSH key-based authentication exclusively
  • Store the LUKS passphrase in a local GPG-encrypted file
  • Implement a mechanism for periodic passphrase rotation
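
One way to apply the first two bullets, assuming passwordless sudo for cryptsetup, mount and umount on the peer as in the script above. This is an added example, not part of the original article; PASS_FILE and the function names are hypothetical.

```bash
#!/bin/bash
# Added example, not the article's script. Values mirror the article's
# placeholders; PASS_FILE and the function names are assumptions.
REMOTE="backupuser@friend.example.com"
REMOTE_PORT="22"
DEVICE="/dev/sdX1"
MAPPER="backup_volume"
MOUNT_POINT="/mnt/encrypted_backup"
SRC="/local/backup/path/"
# Hypothetical path. The encrypted file must hold the passphrase with no
# trailing newline, because --key-file=- uses stdin byte for byte.
PASS_FILE="${PASS_FILE:-$HOME/.backup/luks-pass.gpg}"

remote() { ssh -p "$REMOTE_PORT" "$REMOTE" "$@"; }

# Decrypt locally and stream the passphrase over SSH stdin, so it is never
# stored in the script, a shell variable, or the remote command line.
unlock_remote() {
  gpg --quiet --batch --decrypt "$PASS_FILE" |
    remote "sudo cryptsetup open --key-file=- $DEVICE $MAPPER" &&
    remote "sudo mount /dev/mapper/$MAPPER $MOUNT_POINT"
}

# Try to close the mapping even if the unmount fails.
lock_remote() {
  remote "sudo umount $MOUNT_POINT; sudo cryptsetup close $MAPPER"
}

backup_run() {
  unlock_remote || { lock_remote; return 1; }
  rsync -az --delete -e "ssh -p $REMOTE_PORT" "$SRC" "$REMOTE:$MOUNT_POINT/"
  rc=$?
  lock_remote || rc=1   # relock whether or not rsync succeeded
  return "$rc"
}

# Run only when called as: secure_backup.sh run
if [ "${1:-}" = "run" ]; then backup_run; fi
```

The passphrase still reaches cryptsetup on the peer, and the data is readable by root there for as long as the volume is mounted, so the relock step matters on every exit path.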

For systems where LUKS isn't feasible, consider encrypting before transfer:


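# --pinentry-mode loopback is required for --passphrase on GnuPG 2.1 and later
tar cz /local/data | gpg -c --batch --pinentry-mode loopback --passphrase "yourpass" \
  | ssh user@remote "cat > /remote/backup/encrypted.tar.gz.gpg"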

Automate the process with a secure cron job:


# In /etc/crontab
0 3 * * * backupuser /usr/local/bin/secure_backup.sh >> /var/log/secure_backup.log 2>&1

When setting up reciprocal backup systems between geographically separated locations, we face two critical requirements:

  • Efficient delta transfers (rsync's strength)
  • End-to-end encryption (for data confidentiality)

The optimal solution combines rsync's efficient file transfer with Linux Unified Key Setup (LUKS) encryption:

# Create encrypted volume on external drive
sudo cryptsetup luksFormat /dev/sdX
sudo cryptsetup open /dev/sdX encrypted_backup
sudo mkfs.ext4 /dev/mapper/encrypted_backup

Create a mount script that handles passphrase input:

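#!/bin/bash
# /usr/local/bin/mount_encrypted.sh
set -e  # stop before mounting if the volume fails to open

DEVICE="/dev/sdX"
MOUNT_POINT="/mnt/remote_backup"

echo "Enter passphrase:"
read -rs PASSPHRASE

# -d - reads the key from stdin without stripping a trailing newline,
# so use printf rather than echo to send the passphrase exactly as typed
printf '%s' "$PASSPHRASE" | cryptsetup luksOpen "$DEVICE" encrypted_backup -d -
unset PASSPHRASE
mount /dev/mapper/encrypted_backup "$MOUNT_POINT"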

Combine with SSH for transport encryption:

rsync -avz --delete -e "ssh -i /path/to/ssh_key" \
/path/to/local/data user@remote_host:/mnt/remote_backup/

For scheduled backups, use keyfiles instead of interactive passphrases. Anyone with root on the machine that stores the keyfile can unlock the volume:

# Create keyfile
dd if=/dev/urandom of=/root/backup.keyfile bs=1024 count=4
chmod 0400 /root/backup.keyfile

# Add keyfile to LUKS
cryptsetup luksAddKey /dev/sdX /root/backup.keyfile

# Auto-mount in /etc/crypttab
encrypted_backup /dev/sdX /root/backup.keyfile luks

Implement checks to ensure backups complete successfully:

#!/bin/bash
if mountpoint -q /mnt/remote_backup; then
  rsync -avz --delete /local/path /mnt/remote_backup/
  if [ $? -eq 0 ]; then
    logger "Remote backup completed successfully"
  else
    logger "Remote backup failed!"
  fi
else
  logger "Encrypted volume not mounted!"
fi

For additional security, encrypt files before rsync:

# Create encrypted tar archive (-pbkdf2 replaces the weak legacy key derivation)
tar cz /path/to/data | openssl enc -aes-256-cbc -salt -pbkdf2 -out backup.tar.gz.enc

# Transfer encrypted file
rsync -avz -e ssh backup.tar.gz.enc user@remote:/backups/