Sign in Subscribe
Hetzner

Encrypted iRedmail Backups on Hetzner Backup-Space with SSHFS/EncFS

Martin Seener

3 min read

Introduction

You may know that you get 100GB of free Backup-Space from Hetzner when ordering a Root- or Managed-Server. If you have other offers like Webspace or vServers you can also order the Backup-Space for a small fee.

The nice thing about this Backup-Space is, that you don't have to care about the infrastructure below. Just use it with SFTP/SCP/FTP or Samba/CIFS. Get your important data onto it today!

What's not so cool is that you can't reach it from outside of Hetzners Domain Space and your backups aren't encrypted in any way there!

Nevertheless let's continue getting a simple but effective backup solution running for your server.

While i wanted to have a continious backup for my self-hosted mailserver, i will create the backup for an iRedmail instance.

For an easier and more clean backup, i've written a bash script which handles the SSHFS and EncFS mounts as well as the backups and backup cleaning itself. This way just a single line of a cronjob is needed.

Setting up the connection

While there are a couple of ways to set up the backup connection, we will use SSHFS, so it's possible to use rsync for example.

I assume that we will create the backup as the root user.

Let us install sshfs first.

apt-get install sshfs

Now we need to create an SSH key for our passwordless connection and convert it to be RFC4716 compatible, because Hetzner needs it in this format.

ssh-keygen -t rsa -b 4096
ssh-keygen -e -f .ssh/id_rsa.pub | grep -v "Comment:" > .ssh/id_rsa_rfc.pub

Now let us connect to our Backup-Space to create the .ssh folder.

sftp [email protected]
mkdir .ssh # Create the .ssh folder for storing our ssh public key(s)

Last but not least we will to copy over our public key(s). This is the last time you need to provide the password - if you have done everything correctly!

scp .ssh/id_rsa_rfc.pub [email protected]:/.ssh/authorized_keys

Get Hebato and configure it

What the **** Hebato is you ask? Hebato is the script mentioned earlier which i've written to simplify and streamline the backup! Grab your copy just by downloading the hebato.sh script itself into your /root folder. Alternatively you can git clone it down, it's on github!

After downloading it to, let's say, /root/hebato.sh we want to adjust it's settings. Get into the code and adjust the parameters right at the top. If you are fine with my defaults for iRedmail you only need to adjust your Backup-Space's username $HETZNER_USERNAME.

The last thing we need to do is creating the mount paths for SSHFS and EncFS. If you use the defaults just execute the following:

mkdir /root/hetzner_backup /root/backup

One thing to keep in mind. If your /root folder is mounted from a small partition you will NOT drive into problems, since the Backup-Space will be mounted below. So even if your backup is 50GB and /root only 512MB everything will run smoothly!

Creating the EncFS Key (optional)

While Hebato will create a secure EncFS Key for you automatically, you can surely make or use your own. The key is just a password in a file. You can add yours or create it manually with openssl for example:

# Creates a 20 char random base64 encoded password
openssl rand -base64 20 > .encfs_key

Installing the other tools Hebato needs

Hebato by default needs some more packages to be installed. This is EncFS for the crypto layer, rdiff-backup for the email file backup and openssl for creating the EncFS Key if you haven't done it manually.

Install them using your favorite package manager:

apt-get install encfs rdiff-backup openssl

Adjusting the backup path for LDAP and MySQL

Fortunately iRedmail comes with 2 useful backup scripts for LDAP and MySQL out of the box. They reside in /var/vmail/backup.

We need to modify their backup path only by opening them up and modifying the BACKUP___ROOTDIR variable in both scripts as follows

BACKUP_ROOTDIR="/root/backup"

That's it. The rest is handled by Hebato.

Making Hebato a permanent backup servant

Now that Hebato's defaults are backing up the LDAP tree, the MySQL databases and our plain emails, we just need to make sure Hebato is backing them up once a day, everyday.

This is done with a single line of a cron job. As root do the following:

crontab -e
# Insert the following line at the end of your crontab
0 3 * * * /bin/bash /root/hebato.sh
# Save and exit

Now Hebato will backup the files for your every morning at 3 am. It will automatically mount SSHFS, then EncFS and then it will backup all the files and unmount EncFS and SSHFS afterwards again.

It will also log errors or successes into syslog, so you can easily review what happened while you were asleep.

Not you can sleep quietly. You data is secure!

Bottom line

If you have issues with Hebato it's a bug! Don't hesitate to contact me, write an issue on github or even fork it and send me a pull-request.

Sign up for more like this.

Enter your email
Subscribe