Encrypted remote backup of a Synology NAS using Raspberry Pi and duplicity.
My Data is currently stored on a 5 bay Synology NAS running a SHR RAID. All data is periodically backed up to a external hard drive using HyperBackup. This way my data is safe from a RAID failure. BUT what if the data gets mechanically destroyed or a virus encrypts all data on the NAS? An off-site backup solution must be found.
- Off-site backup at low to no cost therefore cloud services are expelled
- Data transfer over SSH because security
- Data encryption! I don’t want my data off-site and accessible to everyone
- SSH enabled on the Synology NAS
- A domain or IP pointing to your Synology NAS
A Raspberry Pi that I had laying around doing nothing and an external USB hard drive for storage is located at a friends home. Power consumption is maximum 15W (5W raspberry + 10W HDD). The Pi forwards a port for SSH using UPnP and announces its outside IP to my NAS every minute. On my NAS a periodical task runs the backup using duplicity.
Split into two parts for setting up the Raspberry PI and the NAS.
- Create announce script to publish the outposts public IP to the NAS
- Enable SSH from the outpost to the NAS and vice-versa using key authentication
1. Announce Script
The Raspberry Pi at a friends is called Outpost. Set-Up a minimal Raspbian install and enable SSH to get started. Install upnpc using this command:
Copy the following script into the pi user’s home directory and Change the HOST and HOST_PORT variables to the domain name or external IP of your NAS and its SSH port.
This script will get the Pi’s public IP and put it in a file in the user outpost home directory of the NAS. Furthermore it opens the port and redirects it to the Pi’s SSH port.
2. SSH Login without password
Now create a user outpost on your NAS and enable SSH for that user by adding a triggered task on boot to change the login shell. Make sure the task is executed by root.
By default only the users in the administrator group have SSH login permissions. This line will alter the /etc/passwd file to enable SSH login for the user outpost.
Make sure you have no typos and try it out on a copy of /etc/passwd. If this script screws up your passwd file you won’t be able to log into your NAS anymore!
Next we create ssh keys to log into your NAS from the outpost without using a password. On the outpost run changing HOST and PORT to your NAS hostname and SSH port.
This will allow the outpost to log into your NAS without password. Test it by opening a SSH connection:
Now it’s time to test the announce script. Enable execution permission and launch the script:
You should now have a file called outpost_ip.txt in the home directory of the user outpost on the NAS holding its public IP and the forwarded SSH port. On your NAS open a test connection to the outpost using:
For the backup we need to log in to the outpost using SSH. Therefore we create SSH keys on the NAS and copy them to the outpost. Sadly Synology doesn’t support the ssh-copy-id command so we have to do this manually. On your NAS run:
This should grant you access to the outpost without password. Make sure this works by opening a SSH connection using:
3. Add cronjob
To ensure the announce script is executed periodically add a cronjob. This will run the announce script every minute, ensuring that we always have the current IP address of the outpost on the NAS.
The last step is to mount the USB hard drive. Follow the guide here.
The outpost is now set up and ready to take SSH connections from the NAS.
The hard part is now done. On the NAS side we have to
- install the duplicity program
- generate encryption keys
- add a script to run the backup
- backup the encryption key
1. Install package
Add the following address to the Synology package source in the Package Manager and enable beta releases, also in Package Manager Settings:
Not install the duplicity package.
2. Setup keys
The duplicity package comes with a fixed version of gpg2. Create an alias to access this binary and change some settings to make it work (source here)
Now we generate a GPG key par to encrypt our data. Run the following command:
Note the key ID, it will be needed later:
3. Create backup scripts
Now we create the backup and restore scripts. I put them into a folder
This is the script for backup:
The most important line is the last line launching the duplicity program. The parameters are
|--asynchronous-upload||Simultaneously compress and upload data|
|--verbosity 5||talk to me|
|--gpg-binary=/usr/local/gnupg/bin/gpg2||link to the gpg2 library|
|--archive-dir=$ARCHIVE_DIR||archive directory. This is specified to not use a folder on / because storage is limited there|
|--tempdir=$TEMP_DIR||same reason as --archive-dir|
|--encrypt-key $KEY_ID||your encryption key to use|
|$SOURCE||the source folder|
|rsync://$USER@$HOST/$DESTINATION||destination using rsync|
And this is the script for restoring:
Put them in ~/scripts/outpost/.
4. Run test backup
To test the scripts we create a folder containing some files and launch the backup task.
Your data should now be on the outpost encrypted and compressed! duplicity will run incremental backups if you launch it again, meaning it checks for backup integrity and only transfers changed data.
To check if you can restore the data run:
5. Create backup task
The last step is to create a scheduled task with the correct arguments. It might look something like this:
Change the user to the one you created the scripts with and the data directories to the ones you want to backup.
The first backup will take lots of time (50GB in about 14h). But after that the backup should take only some minutes. The backup is encrypted so you could install the outpost everywhere you like.
Notes on GPG
Some commands for GPG.