Provisional page: needs checking and expansion!

=== Introduction ===
Here we describe the procedure for taking full backups and restoring them.

=== Taking a full backup ===
 1. Connect a disk with USB.
    If it is not set up yet, use the procedure for setting up an encrypted disk, which is documented elsewhere.
 1. Mount the USB disk on /backupdisk:
  {{{
  # cryptsetup luksOpen /dev/sdX1 sdX1_crypt
  # mount /dev/mapper/sdX1_crypt /backupdisk
  }}}
 1. Create a directory in /backupdisk with the following naming scheme:
    <hostname>/<date>/
 1. For each filesystem (/boot, /) do the following:
  {{{
  # cd / && tar cf - --one-file-system <mountpoint> |\
  gpg -r backup@cacert.org -e > \
  /backupdisk/<hostname>/<date>/<ID>_<FS>.tar.gpg
  }}}
  * mountpoint: /boot or /
  * hostname: the name of the host
  * date: the current date in the format YYYY-MM-DD
  * ID: A number (01 for / (root), 02 for /boot)
  * FS: The filesystem name with each / replaced by a -
    For the root filesystem use the name 'root'
    For example: /backupdisk/hlin/2008-10-03/00_root.tar.gpg and
    /backupdisk/hlin/2008-10-03/01_boot.tar.gpg
    and /backupdisk/hlin/2008-10-03/02_var-lib-mysql.tar.gpg
  The keyid used for backups is: 0E1725CF <backup@cacert.org>

 1. [Optional] Verify the backup (see Verification procedure on next page).
 1. Unmount and disconnect the USB backup disk:
  {{{
  # umount /backupdisk
  # cryptsetup luksClose sdX1_crypt
  # eject /dev/sdX1
  }}}

To use this procedure you need:
 * the public GPG key (present in ~root/.gnupg/pubring.gpg)
 * a prepared hard disk
 * physical access to the machine
 * a USB connection for the hard disk
 * someone from secure-u to take the disk out of the datacenter afterwards and take it with them for storage
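
The "for each filesystem" step as a reusable shell function, added here as an example and not part of the original CAcert procedure: it derives the archive name from the naming scheme and, unlike the bare pipeline, fails when tar fails, so a truncated archive is not left on the backup disk. The function names and the `.tarstatus` side file are assumptions.

```shell
#!/bin/sh
# Added example, not CAcert's own script. Function names are hypothetical;
# the recipient and the file naming scheme are the ones given in the procedure.
RECIPIENT="backup@cacert.org"

# backup_name ID MOUNTPOINT  ->  <ID>_<FS>.tar.gpg
# FS is the mount point with "/" replaced by "-"; "/" itself becomes "root".
backup_name() (
    case "$2" in
        /)  fs=root ;;
        /*) p=${2#/}; p=${p%/}; fs=$(printf '%s' "$p" | tr '/' '-') ;;
        *)  echo "mount point must be absolute: $2" >&2; exit 1 ;;
    esac
    printf '%s_%s.tar.gpg\n' "$1" "$fs"
)

# backup_fs DESTDIR ID MOUNTPOINT   (DESTDIR must be an absolute path)
# A pipeline reports only gpg's exit status, so tar's status is carried out
# through a side file. If either side fails, the partial archive is removed.
backup_fs() (
    out="$1/$(backup_name "$2" "$3")" || exit 1
    st="$out.tarstatus"
    mkdir -p "$1" && cd / || exit 1
    gpg_rc=0
    { rc=0; tar cf - --one-file-system "$3" || rc=$?; echo "$rc" > "$st"; } |
        gpg -r "$RECIPIENT" -e > "$out" || gpg_rc=$?
    tar_rc=$(cat "$st" 2>/dev/null) || tar_rc=1
    rm -f "$st"
    if [ "$gpg_rc" -ne 0 ] || [ "$tar_rc" -ne 0 ]; then
        echo "FAILED $3 (tar=$tar_rc gpg=$gpg_rc), removing $out" >&2
        rm -f "$out"
        exit 1
    fi
    echo "OK $out"
)

# Usage, with the disk already mounted on /backupdisk:
#   dest=/backupdisk/$(hostname)/$(date +%Y-%m-%d)
#   backup_fs "$dest" 00 / && backup_fs "$dest" 01 /boot
```
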

=== Verifying a full backup ===
This is best done directly after completion of the offsite backup procedure, at the step marked [Optional] above.

 1. Insert the USB stick with the private GPG key and mount it read-only on /mnt/keys.
 1. Go to /backupdisk/<hostname>/<date>
 1. Run the following command:
  {{{
  for b in *
  do
    echo "Verifying $b ..."
    gpg --homedir /mnt/keys/gnupg -d "$b" | tar tvf - >>/tmp/KLAD
  done
  }}}
 1. Inspect /tmp/KLAD for any anomalies.
 1. Unmount the USB stick with the private GPG key and remove it.
 1. Go to /

=== Restoring a full backup ===
In case you use a live CD:
 1. Mount the new disk on /new
    Use encryption and so on!
    Mount the filesystems you want (for example /boot on the new disk) at their designated place under /new (for example /new/boot).
 1. Mount the backupdisk on /backupdisk
 1. Mount the USB stick with the private GPG key read-only on /mnt/keys
 1. Go to /backupdisk/<hostname>/<date wanted>
 1. Run the following command:
  {{{
  for b in *
  do
    echo "Extracting $b ..."
    gpg --homedir /mnt/keys/gnupg -d "$b" | (cd /new && tar xvpf - )
  done
  }}}
 1. Install grub on the new disk

In order to use this procedure you need:
 * The private GPG key on a USB stick
 * The backup disks including encryption passwords
 * Passwords for the new (encrypted) disk
 * Common sense and 4 eyes!

=== Remarks ===

----
CategoryProcedures