Backup Hardware – Disks

The Linux kernel supports software RAID devices and encryption.

Creating RAID devices

This setup uses RAID 1 (mirroring) with two disks of the same size. Prepare your partitions and mark them with the type code FD. This code marks the partitions as Linux RAID autodetect and allows the system to activate them at boot time. On the GPT-labelled disks shown below, the corresponding partition type is listed as Linux RAID.

# fdisk -l /dev/sd?

Disk /dev/sda: 3.64 TiB, 4000787030016 bytes, 7814037168 sectors
Disk model: EFRX-68WT0N0    
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
Disklabel type: gpt
Disk identifier: 61145122-451F-5B41-81EE-DEF0A4AC3ADF

Device     Start        End    Sectors  Size Type
/dev/sda1  65536 7814037134 7813971599  3.6T Linux RAID


Disk /dev/sdb: 3.64 TiB, 4000785948160 bytes, 7814035055 sectors
Disk model: EFRX-68WT0N0    
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
Disklabel type: gpt
Disk identifier: CC703CA3-28CD-6C4D-8BE2-EC579014DD43

Device     Start        End    Sectors  Size Type
/dev/sdb1  65536 7814035021 7813969486  3.6T Linux RAID

I chose /dev/sda1 and /dev/sdb1. Use the mdadm tool to create the RAID:

# sudo mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1

After you press Enter, the kernel creates the device and starts synchronising the blocks. You can check the progress of this operation by looking at /proc/mdstat, which gives you the status of all RAID devices in the system.

# cat /proc/mdstat
Personalities : [raid1] 
md1 : active raid1 sdb1[1] sda1[0]
      3906852608 blocks super 1.2 [2/2] [UU]
      [>....................]  resync =  0.4% (17084992/3906852608) finish=442.6min speed=146458K/sec
      bitmap: 30/30 pages [120KB], 65536KB chunk

unused devices: <none>
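
A check on the mirror before trusting it with backups, as an added example that is not part of the original page: it reads /proc/mdstat-style text and reports whether an array is healthy, still resyncing, or running degraded on one disk. The function names and the degraded md2 stanza are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page. md_state, md_ok and
# sample_mdstat are this example's own names.

# md_state ARRAY [FILE] -> healthy | resyncing N% | degraded | missing
md_state() {
    awk -v a="$1" '
        $1 == a && $2 == ":" { found = 1; next }   # stanza header "md1 : active ..."
        found && /^[^ \t]/   { exit }              # next stanza or "unused devices"
        found && match($0, /\[[U_]+\]/) {          # member map: U = up, _ = missing
            map = substr($0, RSTART, RLENGTH)
        }
        found && /(resync|recovery) *=/ {          # progress line while syncing
            for (i = 1; i <= NF; i++) if ($i ~ /%$/) pct = $i
        }
        END {
            if (!found)               print "missing"
            else if (index(map, "_")) print "degraded"
            else if (pct != "")       print "resyncing " pct
            else                      print "healthy"
        }' "${2:-/proc/mdstat}"
}

# md_ok ARRAY [FILE]: succeeds only when every member disk is present.
md_ok() {
    case "$(md_state "$@")" in
        healthy|resyncing*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: md1 as shown above, plus a made-up degraded md2.
sample_mdstat() {
    cat <<'EOF'
Personalities : [raid1]
md1 : active raid1 sdb1[1] sda1[0]
      3906852608 blocks super 1.2 [2/2] [UU]
      [>....................]  resync =  0.4% (17084992/3906852608) finish=442.6min speed=146458K/sec
md2 : active raid1 sdc1[0]
      1048576 blocks super 1.2 [2/1] [U_]

unused devices: <none>
EOF
}

sample_mdstat | md_state md1 -   # resyncing 0.4%
sample_mdstat | md_state md2 -   # degraded
```

On the real system, `md_ok md1 || echo "md1 is not fully mirrored"` reads /proc/mdstat directly and can gate a backup job or a cron alert.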

Encrypting the Block Devices

Our tool of choice will be cryptsetup for enabling encryption.

# sudo apt install cryptsetup

Overwrite the disks with random bit patterns. The easiest way to do this is by using dd.

# dd if=/dev/urandom of=/dev/md1

This can take several hours. After your disks have been overwritten with random garbage you can encrypt them.

# cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/md1

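The command above initialises the device for use with the AES algorithm in CBC mode. The key length is 256 bits, and we use a method called ESSIV (Encrypted Salt-Sector Initialization Vector), or E(Sector|Salt), to avoid weaknesses in the choice of initial values for the encryption algorithm. Current cryptsetup releases default to aes-xts-plain64 when -c is omitted, as in the luksFormat commands in the Notes below.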

Decrypt and mount

You have to do some steps to activate and mount the encrypted volume. cryptsetup will ask you once per RAID device for your passphrase.

# Unlock the device
# cryptsetup luksOpen /dev/md1 data

# mount the drives
sudo mount -t ext4 -o defaults /dev/mapper/data /mnt/

#verify
$ sudo blkid -o list
device               fs_type   label      mount point              UUID
-------------------------------------------------------------------------------------------------------
/dev/sda1            linux_raid_member pithos:1 (in use)           90473b74-9ff1-d3d0-4294-a5823767f730
/dev/mmcblk0p1       vfat      boot       /boot                    E183-6233
/dev/mmcblk0p2       ext4      rootfs     /                        1232a209-2596-48f0-a078-731d10b918ad
/dev/sdb1            linux_raid_member pithos:1 (in use)           90473b74-9ff1-d3d0-4294-a5823767f730
/dev/md1             crypto_LUKS          (in use)                 378d2563-7d55-42e0-91b6-6f2c9fa1841f
/dev/mapper/data     ext4                 /mnt                     028fd117-e35d-47c5-9804-0c425cf620b9

Start Samba and Avahi so the drive can be used:

sudo systemctl start smbd.service
sudo systemctl start avahi-daemon.service

The shutdown sequence is the reverse order.

# unmount and close (the volume was mounted on /mnt above).
$ sudo umount /mnt
$ sudo cryptsetup luksClose data
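
The shutdown sequence above, as an added example that is not part of the original page: it looks up where /dev/mapper/data is actually mounted instead of hard-coding the path, unmounts it, and only then closes the LUKS mapping. The function names and the sample mounts table are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are this
# example's own.

# mapper_mounts NAME [MOUNTS_FILE]: print every mount point of /dev/mapper/NAME,
# children before parents. Paths with spaces (\040 in /proc/mounts) are not handled.
mapper_mounts() {
    awk -v dev="/dev/mapper/$1" '$1 == dev { print $2 }' "${2:-/proc/mounts}" |
        sort -r
}

# close_volume NAME [MOUNTS_FILE]: unmount the mapping wherever it is mounted,
# then close it. With DRY_RUN set, the commands are printed, not executed.
close_volume() {
    run=${DRY_RUN:+echo}
    for mp in $(mapper_mounts "$1" "${2:-/proc/mounts}"); do
        $run umount "$mp" || return 1
    done
    $run cryptsetup luksClose "$1"
}

# Constructed /proc/mounts excerpt matching the blkid listing above.
sample_mounts() {
    cat <<'EOF'
/dev/mmcblk0p2 / ext4 rw,noatime 0 0
/dev/mmcblk0p1 /boot vfat rw,relatime 0 0
/dev/mapper/data /mnt ext4 rw,relatime 0 0
EOF
}

# Dry run over the sample: prints "umount /mnt" then "cryptsetup luksClose data".
DRY_RUN=1
sample_mounts | close_volume data -
```

Run as root with DRY_RUN unset and no second argument, `close_volume data` works from the live /proc/mounts.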

Notes

# https://www.cyberciti.biz/security/howto-linux-hard-disk-encryption-with-luks-cryptsetup-command/
# https://linuxgazette.net/140/pfeiffer.html

sudo apt install cryptsetup

#encrypt device
cryptsetup -y -v luksFormat /dev/sda1
#cryptsetup -y -v --type luks2 luksFormat /dev/sdc

# decrypt the drives
cat keyfile | cryptsetup luksOpen /dev/md1 data
#cat keyfile | cryptsetup -d - -v luksFormat /dev/sda1 data
#cat keyfile | cryptsetup -d - -v luksFormat /dev/sda2 backup
# Verify
sudo blkid -o list
# create a filesystem i.e. format filesystem, enter:
mkfs.ext4 /dev/mapper/data


# mount the drives
sudo mount -t ext4 -o defaults /dev/mapper/data /mnt/data
mount -t ext4 -o defaults /dev/mapper/backup /mnt/backup
#verify
allen@pithos:~$ sudo blkid -o list
device                 fs_type   label      mount point                UUID
-----------------------------------------------------------------------------------------------------------
/dev/mmcblk0p1         vfat      boot       /boot                      E183-6233
/dev/mmcblk0p2         ext4      rootfs     /                          1232a209-2596-48f0-a078-731d10b918ad
/dev/sda1              crypto_LUKS          (in use)                   9fbdc2c1-1ab6-4ace-94f6-d125ba40865d
/dev/sda2              crypto_LUKS          (in use)                   4b34fcae-3c5a-4070-a83e-9ce7d9be4ae3
/dev/mapper/data       ext4                 /mnt/data                  42a07bea-d8aa-4f8b-9ee9-e30da87b27f6
/dev/mapper/backup     ext4                 /mnt/backup                56fc744d-14c7-4b38-bbb4-e78962085823

# unmount and close.
umount /mnt/data
cryptsetup luksClose data


# So to mount the volume
sudo blkid -o list
cat keyfile | cryptsetup luksOpen /dev/sda1 data
sudo mount -t ext4 -o defaults /dev/mapper/data /mnt/data

# NFS Server
sudo apt-get install nfs-kernel-server -y

# NFS exports exporting from /mnt/data/nfsshare
sudo chown -R pi:users /mnt/data/nfsshare/
sudo find /mnt/data/nfsshare/ -type d -exec chmod 755 {} \;
sudo find /mnt/data/nfsshare/ -type f -exec chmod 644 {} \;

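# /etc/exports
# "*" exports to every host that can reach the server; use a hostname or subnet to restrict it.
# "insecure" accepts requests from client source ports above 1023.
/mnt/data/nfsshare *(rw,all_squash,insecure,async,no_subtree_check,anonuid=1000,anongid=100)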

# then reload
sudo exportfs -ra

# mount from client
sudo apt install nfs-common 
mkdir /mnt/data
# drwxrwxr-x root users
showmount -e pithos
sudo mount -t nfs -o proto=tcp,port=2049 pithos:/mnt/data/nfsshare /mnt/data

# Mac client
mount -t nfs -o vers=4 pithos:/mnt/data/nfsshare ~/NFSMNT

#AFP
sudo apt install netatalk
sudo nano /etc/netatalk/afp.conf

[Homes]
  basedir regex = /home
[Backup]
  path = /mnt/data/backup
  time machine = true

sudo systemctl restart netatalk

# Install Samba
sudo apt-get install samba avahi-daemon

# Time Machine backup
sudo adduser timemachine
sudo smbpasswd -a timemachine
sudo chown -R timemachine: /mnt/backup 

# Configure samba
sudo nano /etc/samba/smb.conf

# adding
[backups]
    comment = Backups
    path = /mnt/backup
    valid users = timemachine
    read only = no
    vfs objects = catia fruit streams_xattr
    fruit:time machine = yes
    
# Verify
sudo testparm -s
sudo service smbd reload

# connect from Machine
smb://192.168.1.150/backups
