Rsync to cloud storage for backups?

leebussy · December 19, 2018, 1:18pm

I fully understand I may be “looking at this wrong” so if I am please don’t hold back.

One of the things I am trying to do is “un-Google” myself; by that I mean I am tired of them knowing everything about me. However, it can’t be denied that Google provides service which is hard to match in terms of value and availability. I’ve read over some of the various discussions using Google as external storage - that’s not what I am talking about here.

I found this project: https://github.com/ncw/rclone which seems to be all about using cloud storage as an rsync target of sorts. The way I understand it, the files stored in Nextcloud are encrypted. If the keys are not backed up to the cloud, does this seem like a potential good way to have a safe backup?

Reiner_Nippes · December 19, 2018, 2:00pm

yes.

to make it better you can combine it with restic. restic takes care about the lifecycle of your backups since it is backup program, encrypts the files again, can use rclone as a target repo and is cool.

https://restic.readthedocs.io/en/latest/010_introduction.html

An example script:

#!/bin/bash

export RESTIC_REPOSITORY="/var/nc-backup"
export RESTIC_PASSWORD="EAtcVlENiC6TlMwH73X9PRfD17vsEEHI"

# abort entire script if any command fails
set -e

# Make sure nextcloud is enabled when we are done
trap "sudo -u www-data php /var/www/nextcloud/occ maintenance:mode --off" EXIT

# set nextcloud to maintenance mode
sudo -u www-data php /var/www/nextcloud/occ maintenance:mode --on

# backup the database
sudo docker exec -t postgres pg_dump -c -U postgres nextcloud | /usr/local/bin/restic backup --stdin --stdin-filename db_postgres_nextcloud.sql

# or in case of mysql
mysqldump --single-transaction -h localhost -u {{ nc_db_user }} -p{{ nc_db_passwd }} {{ nc_db }} | /usr/local/bin/restic backup --stdin --stdin-filename db_mysql_nextcloud.sql

# backup the data dir
/usr/local/bin/restic backup /var/nc-data

# backup the nextcloud dir
/usr/local/bin/restic backup /var/www/nextcloud

# turn maintenance mode off
sudo -u www-data php /var/www/nextcloud/occ maintenance:mode --off

# delete trap
trap "" EXIT

# clean up backup dir
/usr/local/bin/restic forget --keep-daily 7 --keep-weekly 5 --keep-monthly 12 --keep-yearly 75

tflidd · December 19, 2018, 2:25pm

If the encryption is good and has no flaws, the data should be useless for the cloud storage provider. However, in this case it is just as secure as your encryption key.

Reiner_Nippes · December 19, 2018, 3:12pm

where is the key stored and how to restore/decrypt the files if you don’t have a full backup?

leebussy · December 19, 2018, 11:22pm

data/<user>/files_encryption
Users’ private keys and all other keys necessary to decrypt the users’ files

data/files_encryption
private keys and all other keys necessary to decrypt the files stored on a system wide external storage

Ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/encryption_configuration.html

leebussy · December 19, 2018, 11:24pm

Thank you Reiner, I’ll give that a look.

F1r3b4ll · January 8, 2019, 2:31pm

To cleanup unreferenced data, the “prune” command must be run.