Rsync: how to mount truecrypt on-the-fly on the receiving side

Tags: backup, rsync, truecrypt

The short version: how can I keep an rsync backup on a truecrypt volume? The hard part is to mount/unmount this volume on the fly when it is needed for rsync.

Details

This is my current backup configuration (which works fairly well for the most part):

  • backup source is on Win7 64 bit, destination is a remote Linux box (Debian)
  • actual data transfer is done by rsync via ssh (cwRsync with cygwin)
  • rsync daemon is started on demand via ssh

On the Linux box the backup is protected by file permissions only. I want to increase security here and put the backup into a truecrypt volume. I can fuse-mount that volume manually in the shell. The question is now: how can I make rsync not only open an ssh connection and start the rsync daemon, but also mount the truecrypt volume before (and unmount it after)?

My money is on option --rsync-path which can be used to pass a command line to ssh – provided that stdin and stdout still work the same. I guess that command would have to be a shell script. Is this possible, and what would the script look like?

For reference, here's a quote of that option:

--rsync-path=PROGRAM

Use this to specify what program is to be run on the remote machine to start-up rsync. Often used when rsync is not in the default remote-shell's path (e.g. --rsync-path=/usr/local/bin/rsync). Note that PROGRAM is run with the help of a shell, so it can be any program, script, or command sequence you'd care to run, so long as it does not corrupt the standard-in & standard-out that rsync is using to communicate.

One tricky example is to set a different default directory on the remote machine for use with the --relative option. For instance:

rsync -avR --rsync-path="cd /a/b && rsync" host:c/d /e/

This is the full rsync man page.

Best Answer

Meanwhile I have worked out all issues and have a solution which has worked for me for a few weeks now. In case anybody is interested I am posting the details here. This article by Troy Johnson has helped along the way.

Prerequisites

  • Truecrypt installed on Linux and available on the path
  • a TC container prepared and available at /home/deepc/var/backup.tc
  • cygwin and rsync installed on Windows and available on the path

Linux

I made two shell scripts to mount and unmount the Truecrypt container on the Linux box. Those scripts are being called remotely via ssh from the Windows machine:

~/bin/backup-mount.sh:

#!/bin/bash
# usage: backup-mount.sh <password>
# unmount first in case a previous run left the container mounted
~deepc/bin/backup-umount.sh
# feed the password on stdin; -k "" means no keyfile is used
echo "$1" | sudo truecrypt -t --slot=2 -k "" --volume-type=normal --protect-hidden=no /home/deepc/var/backup.tc /home/deepc/mnt

~/bin/backup-umount.sh:

#!/bin/sh
# dismount the backup container again (silently does nothing if it is not mounted)
sudo truecrypt -d /home/deepc/var/backup.tc

Windows

remote-backup.cmd:

@echo off
setlocal
set HOME=c:\home
set LC_ALL=de_DE.utf-8
set LC_CTYPE=de_DE.utf-8
set LANG=de_DE.utf-8

rem --iconv=utf-16,iso-88591
rem 1. mount the Truecrypt container on the remote side
ssh -p THESSHPORT -i ../.ssh/id_dsa deepc@theremotehost.com bin/backup-mount.sh THEPASSWORD
rem 2. transfer the files listed in files-from.txt into the mounted container
rsync -rltvzPm --modify-window=1 --exclude-from=../etc/backup/excludes.txt --chmod=ugo=rwX --delete --delete-excluded --files-from=../etc/backup/files-from.txt -e "ssh -p THESSHPORT -i ../.ssh/id_dsa" --log-file=../tmp/remote-backup.log /cygdrive deepc@theremotehost.com:/home/deepc/mnt
rem 3. unmount the container again
ssh -p THESSHPORT -i ../.ssh/id_dsa deepc@theremotehost.com bin/backup-umount.sh

Put this batch file into the task scheduler, e.g. with a daily schedule. Be sure to adjust username, remote host, ssh port, Truecrypt container password, and of course the backup paths. Sorry but I could not bring myself to clean this up more after having wasted too much time already...

With this script Rsync will read includes and excludes from two text files, e.g.:

files-from.txt:

/c/Home/
/c/Users/deepc
...

excludes.txt:

Firefox/Cache
Firefox/*.lock
Thunderbird/*.lock
Thunderbird/**/*Junk*
Thunderbird/**/filterlog.html
Thunderbird/**/*.msf
Home/tmp
...

Done?

This answers the original question. There is only one minor issue: special characters in filenames on Windows are mangled on Linux, with ext2 being used in the TC container on Linux. I tried all combinations for the --iconv parameter I could think of but to no avail. Seems I have to live with that - unless some brave soul has read until here, knows the answer, and enlightens me in a comment ;-) (NTFS in the container is not an option)
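The question's original idea, a single program handed to --rsync-path, can also be made to work; the following wrapper is an added example and not the poster's code. It mounts the container, runs the rsync server that the Windows client started, and unmounts again even when rsync fails or the ssh session drops, so the client needs one rsync call and the container password no longer travels through argv or the ssh command line. Assumed (not from the post): sudo runs truecrypt without prompting, as the answer's scripts already require, and a hypothetical password file /home/deepc/.backup-tc-pass with mode 0600 owned by the backup user.

```shell
#!/bin/sh
# backup-rsync-wrapper.sh: remote-side program for rsync --rsync-path.
# Mounts the TrueCrypt container, runs the rsync server started by the
# Windows client, and unmounts again even if rsync or the ssh session dies.
# Assumptions (not from the original post): sudo runs truecrypt without a
# password prompt, and the container password sits in a mode-0600 file.
CONTAINER=${CONTAINER:-/home/deepc/var/backup.tc}
MOUNTPOINT=${MOUNTPOINT:-/home/deepc/mnt}
PASSFILE=${PASSFILE:-/home/deepc/.backup-tc-pass}   # hypothetical path

# rsync talks over stdin/stdout, so everything we print goes to stderr.
log() { printf 'backup-wrapper: %s\n' "$*" >&2; }

tc_mount() {
    # Same invocation as backup-mount.sh in the answer, but the password is
    # read from the file instead of the argument list (visible in process
    # listings and shell history). truecrypt's own output goes to stderr.
    sudo truecrypt -t --slot=2 -k "" --volume-type=normal --protect-hidden=no \
        "$CONTAINER" "$MOUNTPOINT" < "$PASSFILE" >&2
}

tc_umount() { sudo truecrypt -d "$CONTAINER" >&2; }

# Runs one backup session; "$@" is whatever rsync appended to --rsync-path
# (normally "--server ..."). Returns rsync's exit status.
run_backup_session() {
    if mountpoint -q "$MOUNTPOINT"; then
        log "$MOUNTPOINT is already mounted (stale session?); refusing to continue"
        return 1
    fi
    tc_mount || { log "mounting $CONTAINER failed"; return 1; }
    # Unmount on abnormal exit: lost ssh session, Ctrl-C, kill.
    trap 'tc_umount; exit 1' HUP INT TERM
    trap 'tc_umount' EXIT
    rsync "$@"
    rc=$?
    trap - EXIT HUP INT TERM
    tc_umount || log "unmounting $CONTAINER failed; container still mounted"
    return $rc
}

# Only act when executed as the installed script, not when sourced.
if [ "${0##*/}" = "backup-rsync-wrapper.sh" ]; then
    run_backup_session "$@"
    exit $?
fi
```

With this in place the three commands in remote-backup.cmd collapse to the single rsync line with --rsync-path=bin/backup-rsync-wrapper.sh added, and the two ssh calls go away.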
