Aléas numériques

Linux, infosec and whatever crosses my mind.


» Backups with Kopia and Backblaze B2

Configure Backblaze

First, we’ll need to create a bucket to store our files:

Note that I do not enable the Default Encryption as the files will already be encrypted with kopia.

Next, in order for kopia to access the freshly created bucket, we will need applications keys:

You’ll then be prompted with the following informations:

Do not lost your application key as it cannot be retrieved!

Create a repository

According to the doc, the syntax to create a B2 repository is the following:

$ kopia repository create b2 \
        --bucket=... \
        --key-id=... \
        --key=...

where:

  • bucket is the name of the bucket you created;
  • key-id is the keyID generated in Backblaze;
  • key is the applicationKey also created in Backblaze.

You’ll be prompted to enter a password. This is the password that will be used to encrypt and decrypt your files! Make it strong and do not lost it, otherwise you will no longer be able to recover your data. If you need some inspiration about how to generate secure passwords, check my blog post on this topic.

$ kopia repository create b2 --bucket=fedora-workstation --key-id=${KEY_ID?} --key=${KEY?}
Enter password to create new repository: 
Re-enter password for verification: 
Initializing repository with:
  block hash:          BLAKE2B-256-128
  encryption:          AES256-GCM-HMAC-SHA256
  splitter:            DYNAMIC-4M-BUZHASH
Connected to repository.

[...]

Retention:
  Annual snapshots:                 3   (defined for this target)
  Monthly snapshots:               24   (defined for this target)
  Weekly snapshots:                 4   (defined for this target)
  Daily snapshots:                  7   (defined for this target)
  Hourly snapshots:                48   (defined for this target)
  Latest snapshots:                10   (defined for this target)
  Ignore identical snapshots:   false   (defined for this target)
Compression disabled.

Next, to ensure that everything worked well and to validate that kopia is compatible with the provider (it should!):

$ kopia repository validate-provider
Validating storage capacity and usage
[...]
Running concurrency test for 30s...
All good.
Cleaning up temporary data...

Update the default policy

We saw earlier in the kopia repository create command that there is no compression enabled in the default policy. Let’s change that:

$ kopia policy set --global --compression=zstd
Setting policy for (global)
 - setting compression algorithm to zstd

Create and recover snapshots

We have everything set up properly, so let’s create our first snapshot. Everything I want to backup is located in my $HOME/Documents folder:

$ kopia snapshot create $HOME/Documents/
Snapshotting hugo@fedora:/home/hugo/Documents ...
 * 0 hashing, 7 hashed (2.7 MB), 0 cached (0 B), uploaded 197 B, estimated 2.7 MB (100.0%) 0s left
Created snapshot with root kd2cc8099bad67f252ff1fe47ab16714c and ID 83d80921629b6f5fcab080557093125d in 4s

Once we did our first snapshop, we must ensure that we can recover the data properly. First, we can list the snapshots to grab the ID:

$ kopia snapshot list $HOME/Documents/
hugo@fedora:/home/hugo/Documents
  2023-06-26 09:49:42 CEST kd2cc8099bad67f252ff1fe47ab16714c 2.7 MB drwxr-xr-x files:7 dirs:6 (latest-1,hourly-1,daily-1,weekly-1,monthly-1,annual-1)

Next we can mount it:

$ kopia mount kd2cc8099bad67f252ff1fe47ab16714c
Mounted 'kd2cc8099bad67f252ff1fe47ab16714c' on /tmp/kopia-mount2596949004

And in another terminal, we can go the mounted directory to see our files:

$ ls -l /tmp/kopia-mount2596949004/
total 2660
drwxr-xr-x. 1 hugo hugo 2722601 Jun 24 16:00 work

\o/

Automation

Of course, we will not do our backups manually. So let’s create a shell script that we be executed in a cronjob:

#/bin/bash

set -eu

KEY=... # applicationKey
KEY_ID=... # keyID
PASSWORD=... # password

printf "trying to connect to repository..."
kopia repository connect b2 \
    --bucket fedora-workstation \
    --key-id=${KEY_ID} \
    --key=${KEY} \
    --password="${PASSWORD}"

if [ "$?" -ne 0 ]; then
    printf "cannot connect to repository"
    exit 1
fi

printf "attempting to create snapshot..."
kopia snapshot create /home/hugo/Documents

if [ "$?" -ne 0 ]; then
    printf "cannot create snapshot"
    exit 2
fi

printf "disconnecting..."
kopia repository disconnect

if [ "$?" -ne 0 ]; then
    printf "cannot disconnect to repository"
    exit 3
fi

printf "done\n"

printf "cleaning variables..."
unset KEY_ID
unset KEY
unset PASSWORD
printf "done\n"

And do not forget to make this script executable with chmod.

I want this script to run each day at noon (because I’m almost sure that the laptop will be powered on every day at this time):

$ crontab -l
0 12 * * * /home/hugo/bin/kopia-backup.sh

To be sure that our cronjob worked, we can wait until the specified time and try to check if a new _log_... file has been created on the bucket: