Skip to main content
Unix & Linux

Return to Answer

Maybe
Source Link
Chris Davies
Chris Davies
  • 128.3k
  • 16
  • 179
  • 324

Every singe guide I read on 'how to do automated backups' tells me to put a passwordless ssh-key on my pi. I don't want to do this, because anyone with access to my pc, would have access to my backups which completely annihilates one purpose of backups.

The first statement is correct but your conclusion implies that you've misunderstood the statement. Letlet me try to explain what I understand by this. (As well as handling principle of least privilege.)

  1. You have a PC that you want to backup
  2. You want to protect your backups so that someone/something with unexpected access to your PC cannot break your backups

The solution here is to drive the backups from the backups server (your Pi) rather than from your PC. If you're going to use rsync with either ssh (to a Linux/Mac client) or with rsyncd (a Windows client) you set the scheme up so that the Pi can access the PC. (The PC need have no passwordless access to the Pi.)

A typical approach might be to use cron on the Pi to try and backup the PC on a frequent basis (four-hourly, say), but once it has succeeded not to retry until the follow day. This script is untested but should give you the bones for a solution. It's important to note that the timeout 4h should be sufficient for a complete backup:

basedir=/data/backup_dir # Backups target directory my_pc=192.168.130.33 # Your PC name or IP address today=$(date +'%Y-%m-%d') # Today stamp=$(cat "$basedir/.stamp" 2>/dev/null) # Date of last backup if [ "$today" = "$stamp" ] then # Last backup was today exit 0 fi if ! ping -q -c1 "$my_pc" then # PC not responding to ping exit 1 fi # Backup your PC if timeout 4h rsync -a "$my_pc":/…/ "$basedir/$today" then # Success echo "$today" >"$basedir/.stamp" exit 0 fi

Every singe guide I read on 'how to do automated backups' tells me to put a passwordless ssh-key on my pi. I don't want to do this, because anyone with access to my pc, would have access to my backups which completely annihilates one purpose of backups.

The first statement is correct but your conclusion implies that you've misunderstood the statement. Let me try to explain.

  1. You have a PC that you want to backup
  2. You want to protect your backups so that someone/something with unexpected access to your PC cannot break your backups

The solution here is to drive the backups from the backups server (your Pi) rather than from your PC. If you're going to use rsync with either ssh (to a Linux/Mac client) or with rsyncd (a Windows client) you set the scheme up so that the Pi can access the PC. (The PC need have no passwordless access to the Pi.)

A typical approach might be to use cron on the Pi to try and backup the PC on a frequent basis (four-hourly, say), but once it has succeeded not to retry until the follow day. This script is untested but should give you the bones for a solution. It's important to note that the timeout 4h should be sufficient for a complete backup:

basedir=/data/backup_dir # Backups target directory my_pc=192.168.130.33 # Your PC name or IP address today=$(date +'%Y-%m-%d') # Today stamp=$(cat "$basedir/.stamp" 2>/dev/null) # Date of last backup if [ "$today" = "$stamp" ] then # Last backup was today exit 0 fi if ! ping -q -c1 "$my_pc" then # PC not responding to ping exit 1 fi # Backup your PC if timeout 4h rsync -a "$my_pc":/…/ "$basedir/$today" then # Success echo "$today" >"$basedir/.stamp" exit 0 fi

Every singe guide I read on 'how to do automated backups' tells me to put a passwordless ssh-key on my pi. I don't want to do this, because anyone with access to my pc, would have access to my backups which completely annihilates one purpose of backups.

The first statement is correct but let me try to explain what I understand by this. (As well as handling principle of least privilege.)

  1. You have a PC that you want to backup
  2. You want to protect your backups so that someone/something with unexpected access to your PC cannot break your backups

The solution here is to drive the backups from the backups server (your Pi) rather than from your PC. If you're going to use rsync with either ssh (to a Linux/Mac client) or with rsyncd (a Windows client) you set the scheme up so that the Pi can access the PC. (The PC need have no passwordless access to the Pi.)

A typical approach might be to use cron on the Pi to try and backup the PC on a frequent basis (four-hourly, say), but once it has succeeded not to retry until the follow day. This script is untested but should give you the bones for a solution. It's important to note that the timeout 4h should be sufficient for a complete backup:

basedir=/data/backup_dir # Backups target directory my_pc=192.168.130.33 # Your PC name or IP address today=$(date +'%Y-%m-%d') # Today stamp=$(cat "$basedir/.stamp" 2>/dev/null) # Date of last backup if [ "$today" = "$stamp" ] then # Last backup was today exit 0 fi if ! ping -q -c1 "$my_pc" then # PC not responding to ping exit 1 fi # Backup your PC if timeout 4h rsync -a "$my_pc":/…/ "$basedir/$today" then # Success echo "$today" >"$basedir/.stamp" exit 0 fi
Source Link
Chris Davies
Chris Davies
  • 128.3k
  • 16
  • 179
  • 324

Every singe guide I read on 'how to do automated backups' tells me to put a passwordless ssh-key on my pi. I don't want to do this, because anyone with access to my pc, would have access to my backups which completely annihilates one purpose of backups.

The first statement is correct but your conclusion implies that you've misunderstood the statement. Let me try to explain.

  1. You have a PC that you want to backup
  2. You want to protect your backups so that someone/something with unexpected access to your PC cannot break your backups

The solution here is to drive the backups from the backups server (your Pi) rather than from your PC. If you're going to use rsync with either ssh (to a Linux/Mac client) or with rsyncd (a Windows client) you set the scheme up so that the Pi can access the PC. (The PC need have no passwordless access to the Pi.)

A typical approach might be to use cron on the Pi to try and backup the PC on a frequent basis (four-hourly, say), but once it has succeeded not to retry until the follow day. This script is untested but should give you the bones for a solution. It's important to note that the timeout 4h should be sufficient for a complete backup:

basedir=/data/backup_dir # Backups target directory my_pc=192.168.130.33 # Your PC name or IP address today=$(date +'%Y-%m-%d') # Today stamp=$(cat "$basedir/.stamp" 2>/dev/null) # Date of last backup if [ "$today" = "$stamp" ] then # Last backup was today exit 0 fi if ! ping -q -c1 "$my_pc" then # PC not responding to ping exit 1 fi # Backup your PC if timeout 4h rsync -a "$my_pc":/…/ "$basedir/$today" then # Success echo "$today" >"$basedir/.stamp" exit 0 fi