
How Systeemkabouter handles his data backups

Posted on Wed 24 February 2021 in backup

This is not any sort of recommendation for anyone. It is my way of documenting the setup and maybe giving someone else a hint or idea of what a personal backup strategy might look like. As it is, it should provide adequate safeguards against the loss of the main storage or a ransomware attack.

Main ingredients

Network attached storage

My wife and I share a storage unit / NAS. She is a photographer and produces quite some data. We want to store all her work in RAW format indefinitely and we want it to be reasonably safe. A couple of years ago I was in the market for a network attached storage device that would allow for two things: snapshotting and checksumming of data. So something ZFS or BTRFS based.

Synology volume

At the time Synology had just introduced a new series of devices that supported BTRFS. It seemed like a good option to me.

The NAS is currently equipped with four 8TB drives in RAID6. This is a lot of overhead, and too much for our needs in retrospect, but not something you easily change later. BTRFS already had measures against data corruption, so a RAID5 setup would have been great too.

This is configured as a single volume giving us something like 14TB storage. Right now we consume something like 6-7 TB. The volume has folders/shares. Depending on the type of data, a folder/share may have the following safety features configured:

  • data encryption at rest
  • Dropbox-like sync to laptops
  • rsync backup to attic
  • cloudsync backup to Germany
  • scheduled snapshots

The files we use daily are stored in shares that we sync with our laptops using drive sync. Combined with the snapshots on the NAS, this data is now reasonably safe. The shares that store data for my own company have encryption at rest configured, making the contents safe from physical theft of the NAS.

Other files (like the raw photos) are accessed over the network directly. These shares have a snapshot schedule too. Using the snapshots we can easily recover things if we make a boo boo. The snapshots also secure us from ransomware attacks on the laptops.

Offsite backup

Offsite backup has always been on my list. The first offsite backup I ever had used a Sun SPARCstation 5 running at my father's house as an rsync target.

Nowadays I rely on a rented storage box from Hetzner.de. This is a device where you can set up your own unprivileged accounts and access the box via various file protocols. I rely on WebDAV for connectivity. Using the Synology CloudSync application I configured tasks to sync various smaller shares to this storage box. The file data is encrypted before it is sent over. This leaves us with most of our data above sea level somewhere in Germany.

Storagebox snapshots

The storage box itself allows for snapshots. It is configured for weekly snapshots, holding on to a sane amount of them. I figured the chances of any ransomware infecting both the Synology and this storage box would be rather slim. At least as long as no-one is actually targeting us. This should be good enough to recover most of our data in the event of ransomware or the loss of the main storage and our personal devices.

All of our document shares and all the developed photo material, both personal and professional, are sent off to Germany this way.

There was one issue with this solution: it is rather costly. Or, it is rather costly if you have any real data size. Right now we rent a box with 1-2 TB capacity, which is totally reasonably priced. But storing about 5-8 TB of data would set us back about 40 euros a month. I checked other things like Google, but pricing is about the same.

This is where part three comes in:

Somewhat offsite backup

One of the 8TB disks in the Synology was starting to show bad sectors and was already out of warranty. I replaced it, leaving me with a somewhat unreliable disk. I figured I had nothing to lose by adding this disk as an extra backup option. So I took a leftover Raspberry Pi 3, got an external disk enclosure and set up Ubuntu on the Pi. I taped it together and set it up in the attic as a cheap 8TB backup target. The disk was formatted as a BTRFS filesystem.

Raspberry Pi attic

The Synology now runs a custom scheduled task to push all current data to this device over rsync/ssh. I tried doing the reverse, pulling the data from the Raspberry Pi, but the rsync implementation in the Synology is too non-standard / weird for that to work nicely. This job runs twice a week and stores all the things, including the RAW photo data my wife stores. Before the job runs, I let the Raspberry Pi snapshot the backup filesystem, adding an extra layer of safety. Ajeto!
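A sketch of the Pi-side snapshot step described above, as an added example and not the author's own script. The mount paths, the `data-` snapshot prefix and the retention count are assumptions, and the pruning step goes beyond what the post describes.

```shell
#!/bin/sh
# Added example: read-only BTRFS snapshot of the backup target before the
# NAS pushes new data, keeping only the newest $KEEP snapshots.
set -eu

BACKUP_SUBVOL="${BACKUP_SUBVOL:-/mnt/backup/data}"   # assumed rsync target subvolume
SNAP_DIR="${SNAP_DIR:-/mnt/backup/.snapshots}"       # assumed snapshot directory
KEEP="${KEEP:-8}"                                    # assumed retention count

# UTC timestamp names make lexical order equal chronological order.
snapshot_name() {
    printf 'data-%s\n' "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Read snapshot names on stdin; print all but the newest $1 of them.
snapshots_to_prune() {
    keep="$1"
    sort | awk -v keep="$keep" \
        '{ n[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print n[i] }'
}

take_snapshot() {
    mkdir -p "$SNAP_DIR"
    # -r: read-only, so the rsync job writing to the live subvolume
    # cannot change what this snapshot holds.
    btrfs subvolume snapshot -r "$BACKUP_SUBVOL" "$SNAP_DIR/$(snapshot_name)"
}

prune_snapshots() {
    ls -1 "$SNAP_DIR" | grep '^data-' | snapshots_to_prune "$KEEP" |
    while IFS= read -r old; do
        btrfs subvolume delete "$SNAP_DIR/$old"
    done
}

# Runs only when called as "<script> run", e.g. from root's crontab on the
# Pi shortly before the NAS starts its push.
if [ "${1:-}" = "run" ]; then
    take_snapshot
    prune_snapshots
fi
```

Scheduling this on the Pi itself, rather than triggering it over the same ssh login the NAS uses for rsync, keeps snapshot creation and deletion out of reach of the NAS's credentials.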

Laptop backups

Next to all the measures above, we also run Time Machine on all the MacBooks. This is not for data recovery per se, mostly to get back system state if a device should fail or be lost. But it does include a copy of a lot of our data. The Linux laptop has something going with duplicity, a nice GPG encrypted backup option. This is stored on the Synology.

Macos Timemachine