How To Backup Your NAS To An Encrypted Disk

Create a Backup Script on your NAS with Rsync

I let my NAS run a backup script daily to automate backups. The script wakes up the server, mounts the encrypted partition and synchronizes the files using Rsync before turning the server off again. This is great, as the server is off unless it’s actively receiving a backup, which saves a lot of power! There are a few steps to set everything up for this backup script to work.

  1. Set up passwordless sudo use on backup server
  2. Set up Wake On LAN (WOL) on backup server
  3. Add the ssh key for passwordless ssh login from NAS to backup server
  4. Set backup script to run daily on the NAS

Using SUDO With No Password Prompt

This step requires adding a single line of text in Ubuntu Server.

john@backup-server:~$ sudo visudo

Add the following line at the bottom of the file, replacing my username ‘john’ with your username.

john ALL=(ALL) NOPASSWD: ALL

Now you can sudo all you like without a password prompt. This is great, as the script we will use needs sudo to mount the disk and shut down the server.
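The script only needs sudo for mounting the disk and shutting down, so the rule can be limited to those commands in place of the blanket line. The following is an added example, not part of the original post; the command paths, the device /dev/sdb1, the mapper name and the mount point are assumptions to adjust to your server.

```shell
#!/bin/sh
# Added example, not from the original post: a scoped replacement for
# "john ALL=(ALL) NOPASSWD: ALL". Assumed values: the command paths
# (confirm with `command -v`), LUKS device /dev/sdb1, mapper name
# "backup" and mount point /mnt/backup.

# render_sudoers USER: print the drop-in for USER on stdout
render_sudoers() {
    cat <<'EOF'
# Root commands the backup script may run without a password.
# sudo matches the arguments exactly, so nothing else is allowed.
Cmnd_Alias BACKUP_CMDS = \
    /usr/sbin/cryptsetup open /dev/sdb1 backup --key-file -, \
    /usr/sbin/cryptsetup close backup, \
    /usr/bin/mount /dev/mapper/backup /mnt/backup, \
    /usr/bin/umount /mnt/backup, \
    /usr/sbin/shutdown -h now
EOF
    printf '%s ALL=(root) NOPASSWD: BACKUP_CMDS\n' "$1"
}

# install_sudoers USER: syntax-check, then install (run as root)
install_sudoers() {
    tmp=$(mktemp) || return 1
    render_sudoers "$1" >"$tmp"
    # A malformed sudoers file can break sudo, so validate it first
    visudo -c -f "$tmp" >/dev/null &&
        install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/backup
    status=$?
    rm -f "$tmp"
    return "$status"
}

# On the backup server, as root:  install_sudoers john
```

With this in place, a stolen NAS key can still power the server off or mount the disk, but it no longer gives an unrestricted root shell on the backup server.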

Enable Wake On LAN (WOL) on the Backup Server

On my NAS I am running unRAID, so these steps are somewhat specific to unRAID but can be easily adapted to other Linux-based NAS systems.

Most modern computers support WOL; however, it’s disabled by default. Some motherboards will have an option in the BIOS to enable it. For those that don’t, there is a simple solution in Ubuntu.

Let’s find out what the interface name and MAC address are by typing ‘ip a’.

john@backup-server:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 1t:5f:15:29:04:4i brd ff:ff:ff:ff:ff:ff
inet 192.168.40.18/24 brd 192.168.40.255 scope global enp2s0
valid_lft forever preferred_lft forever
inet6 fe80::1e6f:65ff:fe25:14a/64 scope link
valid_lft forever preferred_lft forever

My interface is enp2s0 here; note this down for the following commands. Now let’s add a systemd unit file to enable WOL on every boot.

john@backup-server:~$ sudo nano /etc/systemd/system/wol.service

Paste the following in, modifying the interface to your interface name.

[Unit]
Description=Configure Wake On LAN

[Service]
Type=oneshot
ExecStart=/sbin/ethtool -s enp2s0 wol g

[Install]
WantedBy=basic.target

Make sure systemd is aware of the new service and run it.

john@backup-server:~$ sudo systemctl daemon-reload
john@backup-server:~$ sudo systemctl enable wol.service
john@backup-server:~$ sudo systemctl start wol.service

Here is a good time to stop and shut down the server, then send a magic packet to wake it up and confirm it’s working as intended. If you’re using Windows you can send a magic packet with this tool. You’ll need the MAC address noted in a previous step. Press Ctrl-N to add a new PC and put just the MAC and IP address in. Then right click and ‘Wake Up Selected Computers’. Provided it wakes up, you’re all set for using WOL.

In the case of a power failure WOL may stop working, so it’s a good idea to have the computer set in the BIOS to automatically turn back on after power loss. This way you won’t lose access to the server, and the server will only be on for a matter of hours until the next daily backup tells it to shut down.

SSH Login From NAS Without a Password

The backup script will log in to the backup server from the NAS. Storing passwords as plain text isn’t ideal. I am storing a plain text password for unlocking the hard disk encryption; however, for SSH we won’t be storing the password in the script. We will add the SSH keys required to log in to the backup server so that no password prompt comes up.

Generate a pair of authentication keys with no passphrase.

root@NAS:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:sdfDSFGsdfGsdfgdsfgDSfgSDfgSDfgDSfgsg root@NAS
The key's randomart image is:
+---[RSA 3072]----+
| .D ..o+.X*B==|
| o. ...oo@o=+=o|
| .C.o+ +o*o.o.. |
| o +. +.-.+d. |
|E . .. S. . |
| . |
| |
| |
| |
+----[SHA256]-----+

Now create a directory on the backup server to store the key and append the public key to its authorized_keys file. Change the username and address to suit your backup server and enter the password when prompted.

root@NAS:~$ ssh john@192.168.40.18 mkdir -p .ssh
john@192.168.40.18's password:
root@NAS:~$ cat .ssh/id_rsa.pub | ssh john@192.168.40.18 'cat >> .ssh/authorized_keys'
john@192.168.40.18's password:

Now test out SSH from the NAS to the backup server and you won’t get the password prompt anymore.

root@NasTechTic:~# ssh john@192.168.40.18
...
john@backup-server:~$

Create The Backup Script And Run It Daily

Download the Backup Script from my GitHub page here.

The flow with this script is the following:

  1. Wake up the backup server with a magic packet
  2. Wait until it can successfully ping the backup server
  3. Mount the encrypted disk
  4. Run Rsync comparing changes and synchronizing the disks
  5. Shutdown the server

Reading through the comments, you can fill in the information unique to your setup, such as server MAC address, server address, username, LUKS passphrase and backup path on the NAS. To send a magic packet I am using ‘etherwake’. Depending on your NAS, it may have this package or another Wake On LAN package available, and the script may need to be modified (just 1 line!) to suit you. On unRAID there is a plugin, ‘Wake On Lan support’, that installs ‘etherwake’ automatically.
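The five-step flow above, written out as an added example (this is not the author's backup.sh). The MAC placeholder, LUKS device, mapper name, mount point, source path, rsync flags and passphrase file are assumptions; the passphrase is read from a root-only file and sent over stdin, and rsync is skipped if the disk did not mount.

```shell
#!/bin/bash
# Added example of the five-step flow above; not the author's backup.sh.
# Assumed values: MAC placeholder, LUKS device, mapper name "backup",
# mount point, NAS source path, rsync flags and passphrase file location.
MAC="aa:bb:cc:dd:ee:ff"             # placeholder: your server's MAC
HOST="john@192.168.40.18"           # user@address used in this article
LUKS_DEV="/dev/sdb1"                # assumed encrypted partition
MNT="/mnt/backup"                   # assumed mount point on the server
SRC="/mnt/user/"                    # assumed backup path on the NAS
# Passphrase file: root-only (chmod 600), written without a trailing
# newline because "--key-file -" reads stdin verbatim.
KEYFILE="${KEYFILE:-/root/.luks-backup.key}"

wait_for_host() {   # ping until the server answers, up to $2 attempts
    local tries=0
    until ping -c 1 -W 1 "$1" >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -ge "$2" ] && return 1
        sleep 1
    done
}

unlock_and_mount() {
    # Passphrase travels over stdin, so it never shows in a process list
    ssh "$HOST" "sudo cryptsetup open $LUKS_DEV backup --key-file -" \
        <"$KEYFILE" || return 1
    ssh "$HOST" "sudo mount /dev/mapper/backup $MNT" || return 1
    # Refuse to sync into an empty directory on the system disk
    ssh "$HOST" "mountpoint -q $MNT"
}

backup() {
    local rc=0
    etherwake "$MAC"                                  # 1. magic packet
    wait_for_host "${HOST#*@}" 120 || return 1        # 2. wait for ping
    if unlock_and_mount; then                         # 3. mount LUKS disk
        rsync -a --delete -e ssh "$SRC" "$HOST:$MNT/" || rc=1   # 4. sync
        ssh "$HOST" "sudo umount $MNT; sudo cryptsetup close backup"
    else
        rc=1
    fi
    ssh "$HOST" "sudo shutdown -h now"                # 5. power off
    return "$rc"
}

# Run for real with: ./backup-example.sh --run
if [ "${1:-}" = "--run" ]; then backup; fi
```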

Make the file executable by setting the execute bit:

root@NAS:~$ chmod +x backup.sh

You can then run the script easily like this.

root@NAS:~$ ./backup.sh

When it’s working you will see output similar to this.

 

Automating Daily Backups with CRON

In unRAID there is a plugin called User Scripts which makes it easy to add a script and schedule it in a few clicks. Other NAS systems may already have a similar feature; however, here I will cover running it using CRON to be more system agnostic.

root@NAS:~# crontab -e

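You can add the following line to crontab to run the script every day at 12 midnight. A crontab opened with ‘crontab -e’ has no user field; the job runs as the user who owns the crontab, which is root here.

0 0 * * * /path/to/script/backup.sh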

From this point you can move the server to the final location and do a test run to make sure it backs up without drama.

Next project, wall mounting it!
