Go to Top

riebart:

I shit you not, this is the offsite backup solution that I have put together for my work.

It is an old laptop, whose battery doesn’t work any more, and our DroboPro that I have no desire to keep around.

I have duct-taped them (literally) together along with a power bar and a network cable.

Anyone can take it home, plug it in, and everything is automatically backed up from our office to it in an encrypted fashion.

Technical Details

So from a logical arrangement, here’s how it breaks down:

  • The Drobo has in it eight 1TB drives with single-disk redundancy providing just over 6TiB of usable space.
  • The Drobo only supports a select few filesystems (NTFS, HFS+ and EXT3 being the big ones), and does NOT support full-volume encryption. I have opted to place EXT3 on it and host it to the laptop running Ubuntu 12.04.
  • The laptop mounts the Drobo and gets access to six 1TiB sparse files on it. Since the files are sparse, the blue-light storage capacity indicator on the front is still usable.
  • These files are then loopback mounted as block devices via losetup, using cryptoloop to offer AES encryption of the presented block devices.
  • ZFS-on-Linux is used to create a ZFS pool that spans the file-backed block devices. This results in a ZFS pool of about 6TiB of usable space whose data on the underlying disks is encrypted in a way that the Drobo won’t complain about.
  • Some bash shell scripts glue it all together:
  • One script perpetually calls home as an unprivileged user with two jobs: email me letting know that, for some reason, it had to reconnect, and to establish a port forward so that I can remote into the laptop without requiring that ports be forwarded to it. Because the underlying volumes are encrypted, whenever it reboots I need to manually remote in and enter the password to mount the encrypted volume. Storing the keys on the laptop is exceedingly dumb.
  • The other script checks that the ZFS pool is mounted properly, and then uses a private key stored on the pool (and thus is encrypted on the disks) to remote back to the office as a user with privileges to pull a backup across the internet. This backup process happens twice a day: once at 0130 and once at 1330 in order to be least obtrusive to internet connection of whoever is hosting this backup solution.

I am a little unhappy with how many layers of obfuscation were required, but it all boils down to working around the Drobo’s restrictions.

It comes home with me tonight and goes live!

I think this is brilliant…

(Reblogged from riebart)

Notes

  1. pachanka reblogged this from riebart and added:
    I think this is brilliant…
  2. riebart posted this