Don't want to see articles from a certain category? When logged in, go to your User Settings and adjust your feed in the Content Preferences section where you can block tags!
Nextcloud backup solution
Page: 1/2»
  Go to:
omicron-b Dec 12, 2020
I'm planning to move my Nextcloud from a VPS to a home server next year, so I would like to have an opinion here on backup solution, since it's risky to keep only physical backup, and on my setup in general.

Here's a plan:
1) Nextcloud server on Ubuntu 20.04, LUKS disk encryption + ZFS
2) weekly backup to home PC
3) once a year backup to HDD that I would keep in a storage room, not at home
4) once a year take a snapshot, pipe to gzip, encrypt and backup to S3 Glacier storage (which is pretty cheap)

- Are there any improvements you can propose?
- I would like my home server to be able to boot automatically if power goes down briefly, I tried to save a decryption key into initrams to achieve that and it works, but that renders encryption pretty useless. Is there a way to only decrypt and boot when some kind of USB key is present?
Maybe I should encrypt only data partition and write some bash to read USB, mount data partition, then start nginx, php, etc.?

Thanks!
PublicNuisance Dec 12, 2020
Quoting: omicron-bI'm planning to move my Nextcloud from a VPS to a home server next year, so I would like to have an opinion here on backup solution, since it's risky to keep only physical backup, and on my setup in general.

Here's a plan:
1) Nextcloud server on Ubuntu 20.04, LUKS disk encryption + ZFS
2) weekly backup to home PC
3) once a year backup to HDD that I would keep in a storage room, not at home
4) once a year take a snapshot, pipe to gzip, encrypt and backup to S3 Glacier storage (which is pretty cheap)

- Are there any improvements you can propose?
- I would like my home server to be able to boot automatically if power goes down briefly, I tried to save a decryption key into initrams to achieve that and it works, but that renders encryption pretty useless. Is there a way to only decrypt and boot when some kind of USB key is present?
Maybe I should encrypt only data partition and write some bash to read USB, mount data partition, then start nginx, php, etc.?

Thanks!

That's pretty similar to my backup routine so I can't fault much. I have Nextcloud for non sensitive data that is on a Trisquel machine using LUKS and ZFS. I use Back in Time for daily snapshots; do a weekly manual backup; and monthly clone images to a physical drive which is kept in a fire proof safe. Would a Librem key work for your USB option ? I don't know a lot about them but I think they deal with having encyrption keys on USB.

https://puri.sm/products/librem-key/
damarrin Dec 12, 2020
You need a UPS obviously so it doesn't go down.

I have Nextcloud in a VM on Proxmox. If I need to start/restart it remotely, I connect with OpenVPN and then SSH into the VM or use Proxmox's web gui.
Julius Dec 12, 2020
Also look into FreeNAS (or now TrueNAS Core after their rebrand). Its FreeBSD based, but if you just plan to run Nextcloud on the system, it offers a really convenient plugin for it. ZFS 2.0 support is also much better than on Linux right now.
omicron-b Dec 12, 2020
Quoting: PublicNuisanceWould a Librem key work for your USB option ? I don't know a lot about them but I think they deal with having encyrption keys on USB.

https://puri.sm/products/librem-key/

Thanks, great tip!
Actually, this gave me a simpler and cheaper idea: USB drive with a boot partition and grub.
The steps would look like:
1) Install Ubuntu with separate unencrypted /boot (default when you select full disk encryption)
2) Create a decryption key for LUKS partition and keep it on that LUKS partition, generate initramfs with that key
3) Copy grub and boot to a USB drive
4) Test booting from USB drive
5) Delete grub and boot from server, overwrite free space with zeroes

In case you break or loose the key, you still have the passphrase to unlock the disk.
damarrin Dec 12, 2020
I’d say security is seriously lessened if the usb key is permanently stuck into the computer it’s supposed to be booting.
denyasis Dec 12, 2020
Agreed. I'd say if you want some form of automation so the system comes up on it's own, full disk encryption would seem to be moot.

What is the purpose of the encryption? Like what are you wanting to do?

Either you need manual intervention to unlock the encryption on boot, or you'd need the keys initramfs usb to boot, etc.

Maybe instead of full disk encryption run by the root, perhaps move the encryption toward user space?
I know NextCloud has an encryption module built in. Would something like that work?
omicron-b Dec 12, 2020
Quoting: damarrinI’d say security is seriously lessened if the usb key is permanently stuck into the computer it’s supposed to be booting.
I agree.

So far 3 use cases for that kind of encryption (USB key always in):
1) The disk is bad, I want to replace it. No need to worry about data on a bad disk.
2) Police comes in without any good reason and wants to seize all my digital devices.
Take out and lose the USB key and shutdown the server.
3) I'm moving and want to leave my server with a 3rd party for a while

Quoting: denyasisI know NextCloud has an encryption module built in. Would something like that work?
I looked into that, and they only have a manual for enabling server-side encryption, zero-access encryption is also declared but I did not find any manual on that.
damarrin Dec 12, 2020
Police would probably seize everything, if you manage to take out the key then cool. If they take the server out, it'll be turned off anyway.

A thief might leave the usb key, or break it as they're running off with your hardware.

I still think just typing in a password on boot is most sensible. Unless you're treating this as a learning exercise, in which case go right ahead and describe your experiences somewhere online for posterity. :-)
Arehandoro Dec 12, 2020
Quoting: omicron-b2) Police comes in without any good reason and wants to seize all my digital devices.
Take out and lose the USB key and shutdown the server.

If you have backups in AWS Glacier the police doesn't need to seize your devices at all, they'll know you have an AWS account if you're onto something and AWS are obliged to give them your data.

As for the backups, I run NC in docker in a PC with RAID 10 and drive encryption at home. With rsync I upload incrementally the content each night to Backblaze -cheaper than Glacier- when the network is pretty much unused.

So far has been a quite solid solution.
omicron-b Dec 13, 2020
Quoting: ArehandoroIf you have backups in AWS Glacier the police doesn't need to seize your devices at all, they'll know you have an AWS account if you're onto something and AWS are obliged to give them your data.

It's encrypted though. Let them have it.

Quoting: ArehandoroAs for the backups, I run NC in docker in a PC with RAID 10 and drive encryption at home. With rsync I upload incrementally the content each night to Backblaze -cheaper than Glacier- when the network is pretty much unused.

So far has been a quite solid solution.

Thanks, it's great to know of an alternative. Although just now I found even cheaper Amazon storage class - S3 Glacier Deep Archive.
It would cost me crazy 0.36 + taxes per month to store 200 GB of data, and about 6 USD to retrieve it (which hopefully never happens, as it would mean 2 of my HDDs are dead or lost).
It takes up to 12h to access data, but that's not a problem for me.
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
Login / Register


Or login with...
Sign in with Steam Sign in with Google
Social logins require cookies to stay logged in.

Buy Games
Buy games with our affiliate / partner links: