This article describes how to use a USB drive, truecrypt, ivman and HAL to create an encrypted backup scheme for Linux. With this scheme the backup is triggered automatically when the USB drive is inserted into the computer; the only interaction required from the user is entering passwords.

Overview

  1. HAL and ivman detect when the USB drive is attached to the computer. ivman executes the mounting script.
  2. The mounting script uses truecrypt to decrypt and mount the drive at some location.
  3. The mounting script executes the backup script that is located on the drive. This script performs the actual backup.
  4. When the backup completes, the mounting script unmounts the USB drive.

ivman and HAL

HAL is the Hardware Abstraction Layer; it detects hardware hotplug events and maps them into user events. ivman is a user space program that determines which actions to take in response to the events generated by HAL. Combined, these allow the computer to detect when the USB drive is attached and to run the appropriate script.

I'm not going to describe how to install these, as your distro probably makes them available as a package.

Configuring ivman

The first thing to do is determine how to identify the USB drive. The easiest way is to plug the USB drive in and let ivman mount it. You can then look at the output of mount to see which device it was mapped to.

tartarus:~> mount
/dev/sdc6 on / type reiserfs (rw,notail)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec)
udev on /dev type tmpfs (rw,nosuid)
devpts on /dev/pts type devpts (rw,nosuid,noexec)
/dev/mapper/crypt-tmp on /tmp type ext2 (rw)
/dev/sdc1 on /mnt/windows/C type vfat (rw,nosuid,nodev,umask=0)
/dev/sdc2 on /mnt/windows/D type vfat (rw,nosuid,nodev,umask=0)
/dev/sdc3 on /mnt/vm type reiserfs (rw)
tmpfs on /dev/shm type tmpfs (rw)
usbfs on /proc/bus/usb type usbfs (rw,noexec,nosuid,devmode=0664,devgid=85)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
/dev/mapper/darino on /home/darino type reiserfs (rw)
/dev/hdb on /mnt/cdrom type iso9660 (ro,noexec,nosuid,nodev,user=darino)
/dev/sdh1 on /media/usbdisk type ext2 (rw,noexec,nosuid,nodev)

In my case the device is /dev/sdh and the partition is /dev/sdh1. lshal prints the current hardware state as HAL sees it, and from it you can pick properties that identify the drive. Run lshal | less and search for the device associated with the drive; there should be a section pertaining to the USB drive. Which property to use depends on the drive. I used info.parent from the section for /dev/sdh1.

We now need to add a rule to ivman so that it can identify the USB drive.

Edit the IvmConfigActions.xml file. I added the following rule:

<ivm:Match name="hal.info.parent" value="/org/freedesktop/Hal/devices/storage_serial__USB_PD_2_0_07740C5F1843">
    <ivm:Option name="mount" value="false" />
    <ivm:Option name="exec" value="/home/darino/bin/backupmount $hal.block.device$" />
</ivm:Match>

You'll need to change the Match name and value fields to match your drive. The mount option tells ivman not to mount the drive automatically. The exec option tells ivman which script to run when the drive is connected. ivman replaces the $hal.block.device$ argument with the device node the drive has been given, which can differ from one insertion to the next.

The mounting script

The actual mounting script I use is here. However, I will describe the tasks it performs. First, I assume that a truecrypt partition exists on the USB drive, so truecrypt must be used to mount it. To do so we need to give truecrypt a password. I used the -e argument that most X terminals accept to start a new terminal which runs truecrypt, so that the password can be entered interactively. You may need to configure su to allow you to run truecrypt; if so, you may actually need to enter two passwords, your login password and the truecrypt password.

The script then checks that the mount succeeded. If it did, it looks for a script located in the root of the newly mounted drive. If this backup script exists, the mounting script runs it. The backup script on the drive determines what actions are performed for the backup.

After running the backup script, the mounting script unmounts the USB drive, again using truecrypt. As you may need to enter a password to unmount the drive, truecrypt is again run in an X terminal.
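The mounting script shaped as the three sections above describe it, as an added example that is not the author's script. It assumes ivman passes the partition device as $1 (the $hal.block.device$ argument), that truecrypt 4.3a mounts with "truecrypt VOLUME MOUNTPOINT" and dismounts with "truecrypt -d VOLUME", and that the backup script in the root of the volume is named backup.sh; the mount-succeeded check reads the same mount listing shown earlier, and the backup script is refused if it is not a regular file or is world-writable.

```shell
#!/bin/sh
# Added example of a mounting script shaped like the one the article describes
# (not the author's script). Assumptions: ivman passes the partition device as
# $1 (the $hal.block.device$ argument), truecrypt 4.3a mounts with
# "truecrypt VOLUME MOUNTPOINT" and dismounts with "truecrypt -d VOLUME", and
# the backup script in the root of the volume is named backup.sh.
MOUNTPOINT="${MOUNTPOINT:-/media/backup}"
BACKUP_SCRIPT_NAME="backup.sh"
# Is "$1" listed as a mount point in the output of mount? (The same check the
# article makes by hand with the mount listing above.)
is_mounted() {
    mount 2>/dev/null | awk -v mp="$1" '$3 == mp { found = 1 } END { exit !found }'
}

# Locate the backup script in the root of the decrypted volume and refuse to
# run anything that is not a regular file or that other users could modify.
find_backup_script() {
    script="$1/$BACKUP_SCRIPT_NAME"
    [ -f "$script" ] || return 1
    perms=$(ls -ld "$script" | cut -c1-10)   # e.g. -rwxr-xr-x
    case "$perms" in
        ????????w?) return 2 ;;              # world-writable: do not run it
    esac
    printf '%s\n' "$script"
}
# Run the backup script with sh from the volume root, so it still works when the
# volume is mounted noexec (as /media/usbdisk is in the mount output above).
run_backup() {
    find_backup_script "$1" >/dev/null || return $?
    (cd "$1" && sh "./$BACKUP_SCRIPT_NAME")
}

main() {
    device="$1"
    [ -b "$device" ] || { echo "backupmount: $device is not a block device" >&2; return 1; }
    mkdir -p "$MOUNTPOINT" || return 1
    # A terminal is opened so the user can type the su and truecrypt passwords.
    xterm -e truecrypt "$device" "$MOUNTPOINT"
    if ! is_mounted "$MOUNTPOINT"; then
        echo "backupmount: $device was not mounted, nothing done" >&2
        return 1
    fi
    run_backup "$MOUNTPOINT"; status=$?
    # Dismount even if the backup failed, so the decrypted volume is not left open.
    xterm -e truecrypt -d "$device"
    return $status
}
# Only act when a device argument was given; sourcing the file just defines the functions.
[ $# -eq 0 ] || main "$@"
```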

The backup script

The actions taken by the backup script can be whatever you want. Personally, I am mostly backing up source code. As I use git as my revision control system, I create bare repositories on the drive as backups, and because git tracks history I can update the repositories on the drive incrementally. You can see the script I use here.
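A backup script of the kind kept in the root of the volume, mirroring git repositories into bare repositories on the drive, as an added example that is not the author's script. It assumes a file repos.txt beside the script that lists one source repository path per line, and a backups/ directory on the drive for the bare copies.

```shell
#!/bin/sh
# Added example of a backup script of the kind the article keeps in the root of
# the volume (not the author's script). Assumption: repos.txt next to this
# script lists one source repository path per line.

# Mirror one repository into a bare repository on the drive: the first run
# creates it, later runs only transfer the objects and refs that changed.
backup_repo() {
    src="$1"; dest="$2"
    [ -d "$src/.git" ] || return 1
    if [ ! -d "$dest" ]; then
        mkdir -p "$(dirname "$dest")" && git init -q --bare "$dest" || return 1
    fi
    # --mirror pushes every ref and prunes refs deleted in the source, so the
    # bare repository is an exact copy of the source after each run.
    (cd "$src" && git push -q --mirror "$dest")
}

main() {
    drive=$(cd "$(dirname "$0")" && pwd)   # root of the mounted volume
    status=0
    while read -r repo; do
        [ -n "$repo" ] || continue
        backup_repo "$repo" "$drive/backups/$(basename "$repo").git" || status=1
    done < "$drive/repos.txt"
    return $status
}

# Only act when run from a volume that carries repos.txt; sourcing the file
# just defines the functions.
[ -f "$(dirname "$0")/repos.txt" ] && main
```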

Notes

Why is the backup script on the drive?

By placing the backup script on the drive, you can have multiple drives backing up different things using essentially the same system. Also, as truecrypt allows for hidden volumes, you could create a hidden volume and control which volume is opened by which password you enter. The hidden volume could be used to back up secret information without any indication of its existence on the computer.

Truecrypt version

The above requires truecrypt version 4.3a. That version will accept a password for administrator privileges without having to use sudo; version 4.3 does not. On Gentoo this requires adding truecrypt to your package.keywords file.

Retrieved from "http://www.www.floccinaucinihilipilification.net/wiki/index.php/Encrypted_backups_on_USB_drives_using_truecrypt%2C_ivman_and_hal"

This page was last modified 01:40, 18 September 2007.