Endpoint Backups

Introduction

A good backup strategy will help you recover from a security incident quickly. Below are some backup procedures for Linux, macOS, and Windows clients that you may use to securely back up Virginia Tech endpoint systems.

Prerequisites

In all instructions below, you must have:

  1. A computer running one of the listed operating systems.
  2. A backup device such as a local hard drive, Amazon Web Services S3 Bucket, Microsoft Azure Blob Storage, file server, SSH server, etc.
  3. Restic Backup Software.

Procedures

The following procedures are written for Linux distributions. However, backing up and restoring files on a Windows or macOS client is almost identical to the procedures on Linux, with the main difference being the installation.

Additionally, Windows users may be interested in the Restic Backup for Windows Client blog post for instructions on automating Windows Restic backups. Please note that this is not official Restic documentation.

Restic Installation

Restic Installation Instructions

Debian, Ubuntu

$ sudo apt-get update
$ sudo apt-get install restic

Fedora

$ sudo dnf update
$ sudo dnf install restic

Initialize a Repository

After installation, you’ll need to prepare a repository, which is the location your backups will be saved to. Below are a few common repository locations; consult the restic documentation if you require a different location or further information.

Local

To create a repository at the location /srv/backup, run the following command.

$ restic init --repo /srv/backup

You will be prompted to enter a password for the repository, so create a password that is unique and secure. Restic will prompt you to re-enter the password to confirm.

$ restic init --repo /srv/backup  
enter password for new repository:   
enter password again:   
created restic repository 4ff40f86d1 at /srv/backup  

Please note that knowledge of your password is required to access  
the repository. Losing your password means that your data is  
irrecoverably lost.

Keep your password safe. If you lose your repository password, you lose access to your repository and the data in it. 

SFTP

To back up data via SFTP, you’ll need a server running SSH with SSH key authentication set up. This is done by copying your public key to the remote server.

Note: Replace username with your username on the remote server and remote-server with the server address.

$ ssh-copy-id username@remote-server

Then, to create a repository at the location /srv/backup on the remote server, run the following command.

$ restic init --repo sftp:username@remote-server:/srv/backup

Amazon S3

To back up data to an Amazon S3 bucket, first create the bucket on AWS and set up the following environment variables with the credentials obtained.

$ export AWS_ACCESS_KEY_ID=<MY_ACCESS_KEY>
$ export AWS_SECRET_ACCESS_KEY=<MY_SECRET_ACCESS_KEY>

Then, to create a repository at the bucket named backup, run the following command.

$ restic init --repo s3:s3.amazonaws.com/backup

If the bucket does not exist, it will be created at the default location.

Back Up Files

For system level backups on Linux, it is recommended that the following directories be excluded from the backup:

  • /dev
  • /media
  • /mnt
  • /proc
  • /run
  • /sys
  • /tmp
  • /var/tmp

For explanations on what the directories above are, consult the Linux Filesystem Hierarchy Standard.

To create a backup (with the recommended exclusions), run the following command, replacing <repository> with the repository path used in the previous step.

$ restic backup / --exclude={/dev,/media,/mnt,/proc,/run,/sys,/tmp,/var/tmp} --repo <repository>

Note: Backing up the entire system may require root privileges. To avoid giving full permissions to restic, a user specifically for backups can be created with limited capabilities. See the restic documentation for steps and more info.
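Added example (not part of the original procedure or of the restic project): a wrapper for running the system-level backup above unattended. It refuses to start unless the repository password file is private to its owner, and it passes one --exclude per directory instead of relying on bash brace expansion, so it also works under plain sh. The password file path, the RESTIC override variable and the follow-up "restic check" run are assumptions; stat -c is the GNU (Linux) form.

```shell
#!/bin/sh
# Added example: unattended wrapper around the restic commands on this page.
# Assumptions (not from the page): the PWFILE location, the RESTIC override,
# the follow-up "restic check", and GNU stat (Linux).
RESTIC=${RESTIC:-restic}
REPO=${RESTIC_REPOSITORY:-/srv/backup}
PWFILE=${RESTIC_PASSWORD_FILE:-/root/.restic-password}   # hypothetical path
EXCLUDES="/dev /media /mnt /proc /run /sys /tmp /var/tmp"

# Succeed only if the password file is a non-empty regular file that grants
# no access to group or others (mode 600 or 400). Symlinks are rejected
# because stat reports the link's own mode.
password_file_ok() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in
        [46]00) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print one --exclude=<dir> argument per line for the recommended exclusions.
exclude_args() {
    for d in $EXCLUDES; do printf '%s\n' "--exclude=$d"; done
}

# Back up / with the exclusions, then check the repository's consistency.
# Returns 2 without calling restic if the password file is not private.
run_backup() {
    if ! password_file_ok "$PWFILE"; then
        echo "refusing to run: $PWFILE must be non-empty with mode 600 or 400" >&2
        return 2
    fi
    # Word splitting of exclude_args output is intended here.
    "$RESTIC" backup / $(exclude_args) --repo "$REPO" --password-file "$PWFILE" || return 1
    "$RESTIC" check --repo "$REPO" --password-file "$PWFILE"
}

# Only act when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then run_backup; fi
```

Invoke it with the --run argument from a scheduled job; without it the script only defines its functions.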

Example

Backing up the Documents directory in your home folder to a restic repository called /srv/backup looks like the following.

$ restic backup ~/Documents --repo /srv/backup

In the command output, the string of numbers and letters after the word "snapshot" is the snapshot ID to use when restoring a backup.

Restore a Backup

To restore a backup, first display the list of available snapshots.

$ restic --repo <repository> snapshots

Once you’ve identified the snapshot ID to restore, run the following command, replacing <target-location> with the directory the files should be restored to.

$ restic --repo <repository> restore <snapshot ID> --target <target-location>

Alternatively, restore the latest backup using the keyword latest.

$ restic --repo <repository> restore latest --target <target-location>

To restore only a subset of files (/etc in this example), pass the --include flag.

$ restic --repo <repository> restore latest --target <target-location> --include /etc

Consult the restic documentation for more information.

Example

Restoring the snapshot created in the previous example to the location /tmp/restore-work looks like the following.

$ restic -r /srv/restic-repo restore 09ea62f2 --target /tmp/restore-work
enter password for repository:
restoring <Snapshot of [/home/user/Documents] at 2015-05-08 21:40:19.884408621 +0200 CEST> to /tmp/restore-work

Other

If you have questions that are not covered in this procedure, please contact the Virginia Tech IT Security Office at itso@vt.edu for a consultation.

Resources