Encrypted backups
Backup strategy
The backup home for librti scripts and files is /opt/librti.
The folder and every file and subdirectory under it should be owned by root:sudo, so that all users can view and modify the files with the appropriate sudo commands.
Backups are made with tar and encrypted with gpg. A random 32-byte passphrase (64 hex characters) is generated for each server.
On the server, generate the passphrase and place it where the backup script reads it (/opt/librti/ssl/enc.key).
$ openssl rand -hex 32 > enc.key
The encryption command, as used in the backup scripts, is:
#!/bin/bash
datum=$(/bin/date +%Y%m%d-%H)                 # archive timestamp, e.g. 20240101-03
ENCRYPTIONKEY=$(cat /opt/librti/ssl/enc.key)  # passphrase is handed to gpg on fd 9, never as an argument
# Note: --exclude matches archive member names, not lines of filelist.txt; --verbatim-files-from keeps each line literal.
# -z 0 turns off gpg's own compression because tar already gzips the stream.
tar czvpf - --exclude='^#' --verbatim-files-from -T /opt/librti/filelist.txt | \
gpg -c --batch --yes -z 0 --cipher-algo AES256 --pinentry-mode loopback \
    -o "/opt/librti/backups/${HOSTNAME}-${datum}.librti" \
    --passphrase-fd 9 9< <(printf '%s' "$ENCRYPTIONKEY") -
To decrypt (passing --passphrase-file /opt/librti/ssl/enc.key instead of --passphrase keeps the phrase out of the process list):
$ gpg --batch --yes --pinentry-mode loopback --passphrase "<phrase from enc.key>" -o outputfile.tar.gz -d inputfile.librti
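The script below is an added, self-contained example and not part of the librti runbook. It wraps the same tar | gpg pipeline and its inverse in two functions, feeds the passphrase to gpg on fd 9 straight from the key file, filters comment and blank lines out of the file list before tar sees them (which tar's --exclude does not do), and finishes with a restore test on constructed sample files. The file names, list contents and key in the test are all constructed; GNUPGHOME is pointed at a temporary directory so the test never touches the real keyring.

```shell
#!/bin/bash
# Added example, not part of the librti runbook: the tar | gpg pipeline from the
# backup script and its inverse, plus a restore test on constructed sample data.
set -euo pipefail

# Drop comment and blank lines from the file list, keep every other line literally
# (spaces, leading dashes) and emit NUL-separated names for tar --null.
# tar's --exclude pattern matches archive member names, not lines of the list,
# so comment lines have to be filtered out before tar reads the list.
filelist_entries() {    # arg: path to filelist
    grep -v -e '^#' -e '^[[:space:]]*$' "$1" | tr '\n' '\0'
}

# Encrypt: tar the listed paths and pipe the stream into gpg. The passphrase
# (first line of the key file) arrives on fd 9, so it never appears in argv.
librti_backup() {       # args: filelist keyfile outfile
    local filelist=$1 keyfile=$2 outfile=$3
    filelist_entries "$filelist" \
      | tar czpf - --null --verbatim-files-from -T - \
      | gpg -c --batch --yes -z 0 --cipher-algo AES256 --pinentry-mode loopback \
            --passphrase-fd 9 -o "$outfile" - 9< "$keyfile"
}

# Decrypt an archive and extract it under a destination directory.
librti_restore() {      # args: keyfile infile destdir
    local keyfile=$1 infile=$2 dest=$3
    gpg --batch --yes --pinentry-mode loopback --passphrase-fd 9 -d "$infile" 9< "$keyfile" \
      | tar xzpf - -C "$dest"
}

# Restore test: back up two constructed files (one with a space in its name),
# restore them elsewhere and compare byte for byte. Returns 0 on success; also
# returns 0 with a notice when gpg is not installed, so the check is skipped.
roundtrip_selftest() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; roundtrip test skipped" >&2
        return 0
    fi
    local work ok=1
    work=$(mktemp -d)
    mkdir -p "$work/src/etc" "$work/out" "$work/restore" "$work/gnupg"
    chmod 700 "$work/gnupg"
    export GNUPGHOME="$work/gnupg"          # keep the test away from the real keyring
    printf 'server config\n' > "$work/src/etc/app.conf"
    printf 'second file\n' > "$work/src/etc/my file.txt"
    printf '# librti file list (constructed)\n%s\n\n%s\n' \
        "$work/src/etc/app.conf" "$work/src/etc/my file.txt" > "$work/filelist.txt"
    # Same idea as `openssl rand -hex 32` in the runbook: 32 random bytes, hex-encoded.
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$work/enc.key"
    echo >> "$work/enc.key"
    librti_backup "$work/filelist.txt" "$work/enc.key" "$work/out/test.librti" 2>/dev/null
    librti_restore "$work/enc.key" "$work/out/test.librti" "$work/restore" 2>/dev/null
    # tar strips the leading '/', so absolute paths land under restore/<path>.
    if cmp -s "$work/src/etc/app.conf" "$work/restore$work/src/etc/app.conf" \
       && cmp -s "$work/src/etc/my file.txt" "$work/restore$work/src/etc/my file.txt"; then
        ok=0
    fi
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    return $ok
}
```

Running roundtrip_selftest on a freshly provisioned server is a cheap way to confirm that the enc.key in the vault actually opens the archives that server produces, before the first real backup is shipped off-site.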
Connecting to Wasabi storage
Install s3cmd and its Python dependencies:
$ sudo apt-get install s3cmd python3 python3-boto3
After install, set up the connection.
$ s3cmd --configure
Enter the access key and secret key. When prompted for the default region, enter
us-east-1
For the S3 endpoint, enter
s3.wasabisys.com
Buckets are provisioned on the Wasabi side (Roman did this the first time). For the DNS-style bucket+hostname template, enter
%(bucket)s.s3.wasabisys.com
Provide an encryption password (s3cmd uses it to gpg-encrypt uploads) and store it in the vault. Accept the default path to gpg. Use HTTPS. Leave the proxy blank.
Test the connection; it should succeed.
View files on the s3 bucket
$ s3cmd la
This will also tell us the bucket name.
Send a file to the s3 storage
$ s3cmd put /path/to/file s3://<bucket-name>
Recursively send all files in a folder (--acl-private keeps the uploaded objects non-public)
$ s3cmd sync --acl-private --recursive --skip-existing --multipart-chunk-size-mb=256 /path/to/files/ s3://<bucket-name>
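As a further added example (not the runbook's own code), the script below runs the same s3cmd sync as above against the backups directory and then checks that every local .librti archive appears in the bucket listing, so a silently failed upload is noticed. The bucket name is a constructed placeholder (use the one reported by s3cmd la), and the s3cmd ls lines used by the check in testing are constructed as well.

```shell
#!/bin/bash
# Added example, not part of the librti runbook: push the backup directory to the
# Wasabi bucket and confirm every local archive is listed remotely afterwards.
set -euo pipefail

BACKUP_DIR=${BACKUP_DIR:-/opt/librti/backups}   # directory the backup script writes to
BUCKET=${BUCKET:-librti-backups}                 # constructed placeholder; take the real name from `s3cmd la`

# Same sync invocation as the runbook: --acl-private keeps objects non-public,
# --skip-existing avoids re-uploading archives already stored under the same key.
upload_backups() {
    s3cmd sync --acl-private --recursive --skip-existing --multipart-chunk-size-mb=256 \
        "$BACKUP_DIR/" "s3://$BUCKET/"
}

# Read `s3cmd ls s3://bucket/` output on stdin and print just the object keys
# (the last column, with the s3://bucket/ prefix removed).
listed_keys() {
    awk '$NF ~ /^s3:\/\// { sub(/^s3:\/\/[^\/]+\//, "", $NF); print $NF }'
}

# Print the names of local .librti archives that are absent from a saved listing.
# Returns 0 when everything is present, 1 when at least one archive is missing.
missing_uploads() {   # args: localdir listingfile
    local dir=$1 listing=$2 rc=0
    local remote f name
    remote=$(listed_keys < "$listing")
    for f in "$dir"/*.librti; do
        [ -e "$f" ] || continue          # no archives at all: nothing to check
        name=$(basename "$f")
        if ! printf '%s\n' "$remote" | grep -xF "$name" >/dev/null; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Fetch the live listing and run the check against it.
verify_uploads() {
    local listing
    listing=$(mktemp)
    s3cmd ls "s3://$BUCKET/" > "$listing"
    missing_uploads "$BACKUP_DIR" "$listing"
    rm -f "$listing"
}
```

A cron job can call upload_backups followed by verify_uploads and alert on a non-zero exit; the names verify_uploads prints are exactly the archives that still need to be re-sent.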