Librem 5 Backup and Restore – Purism

This is cool to read. As someone who is just really getting into the GNU/Linux world and starting to use PureOS, it’s always cool to me how using the command line is so damn fast and convenient for a lot of tasks vs having to browse the web or click endlessly through a GUI. It’s great to follow a guide, type in the commands suggested and see everything just work/install/etc.

3 Likes

well heck … why not glorify this some more ?

the bomb

Before I did a backup, I first wanted to get a list of all of the packages I had installed on the phone so I could reinstall them as part of the restore. To do this I typed:

dpkg --get-selections | grep -v deinstall | cut -f1 > ~/pkglist

This dumped the list of installed packages, one line at a time, into /home/purism/pkglist.

2 Likes

I’m glad you’ve covered backup and restore because that would be one of the first things that I would want to do after initial config and setup i.e. backup - just in case.

Quick question: Do you need -z on the tar x command to restore or is tar smart enough to see automatically that it needs it? (Yeah I know that I could test that myself but …)

one more … tar stands for tape-archive which brings me to ask - is it a coincidence or do you guys ACTUALLY use tape-archiving as storage at Purism ?

1 Like

Pretty sure the command was just never modified to be a more generic archive command. tar has been used for so long that changing the command name would likely be met with so much resistance it’s just not a battle worth fighting.

I’ve seen tar used to archive all sorts of things and only in one instance was it to tape, almost always I see it used to archive to some form of disk medium with a gzip compression.

Maybe it should be renamed from “Tape Archive” to “To Archive” that way the command can stay tar…

3 Likes

In addition to clicking the heart in the first message, I have to thank kyle for these wonderful articles which, waiting for my dogwood, are useful for me who am not a programmer.

3 Likes

My understanding is that most current versions of tar are “smart enough” to figure out when an archive is zipped when extracting but you still need to specify it when creating an archive.

Old habits die hard though after using the same set of tar arguments for twenty years :slight_smile:

5 Likes

When I started using tar professionally, I used it to backup directly to raw tape devices. Since then though I just use it as a convenient way to combine a bunch of files and directories into a single file while preserving the directory structure and file system permissions. As I hint in the article, there’s more than one way to do it, and I would take an entirely different approach if I were transferring everything from one hard drive to a new empty one.

3 Likes

as far as i know tar doesn’t support archiving with passwords … i have several OLD 7zip password-ed files from the M$-era that need unpacking and was wondering if that’s going to change in the future or do i have to use 7zip on GNU/Linux for those ?

oh i see that Linux-Journal is still in business … i thought they were gone. what happened ? were they bought ?

well that’s the beauty of linux that you don’t need each software to be MFU and bring all the dependencies with it (although it’s coming to that point with flatpak)
So if you need to encrypt a tar archive you can just pass it further via a pipe to openssl.

ruff@ubox:~$ tar -cz . | openssl aes256 | cat > home.tar.gz.aes
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
ruff@ubox:~$ ls -la home.tar.gz.aes
-rw-rw-r-- 1 ruff ruff 121872 Feb  5 13:06 home.tar.gz.aes
ruff@ubox:~$ openssl aes256 -d < home.tar.gz.aes | tar tzv
enter aes-256-cbc decryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
drwxr-xr-x ruff/ruff         0 2020-02-05 13:05 ./
-rw------- ruff/ruff     10891 2020-01-28 16:56 ./.viminfo
-rw-r--r-- ruff/ruff       220 2019-05-05 04:06 ./.bash_logout
drwxrwxr-x ruff/ruff         0 2020-01-28 16:22 ./.ansible/
drwx------ ruff/ruff         0 2020-01-28 17:02 ./.ansible/tmp/
-rw-r--r-- ruff/ruff         0 2020-01-24 01:19 ./.sudo_as_admin_successful
-rw-r--r-- ruff/ruff      3771 2019-05-05 04:06 ./.bashrc

Or you can use convenience wrapper from gnupg like gpgtar

3 Likes

what is that WARNING for ?

for exactly what it is saying :slight_smile: the default encryption key derivation algorithm is considered unsafe and deprecated, hence if you want better security on your encrypted blob it advises you to use the new method.

 -iter +int          Specify the iteration count and force use of PBKDF2
 -pbkdf2             Use password-based key derivation function 2

But bear in mind aes256 will offer you comparable security to what zip provides; if you want to be safe rather than sorry use gpg as it is specifically created to encrypt file archives using strong cryptography rather than just symmetric encryption.

2 Likes

oh now i see ! well it’s there just mostly for the password ! don’t really need strong asymmetric encryption for this … i only access that HDD in offline mode and the contents are not sensitive but i’d rather not make it too easy if somebody gets his hands on that HDD besides me …

They are sadly out of business but the parent company that bought them two years ago is keeping the site up. You can read my goodbye post here: https://www.linuxjournal.com/content/linux-journal-ceases-publication-awkward-goodbye

1 Like

It’s a great article, backup and restore is something that gives a lot of people anxiety.

I believe it’s worth noting that had there been a significant system update between the factory restored state and where system was when the backup takes place, backing up the entire /etc directory could cause problems when it’s restored.

The article is pretty clear on what the use case is, so this is in no way a meant as a criticism, just a side note to make the process that much more universal.

You could list any configuration files which have been modified from their installation state, which functions like a checklist of what has been changed.

dpkg-query -W -f='${Conffiles}\n' '*' | awk 'OFS="  "{print $2,$1}' | md5sum -c 2>/dev/null | awk -F': ' '$2 !~ /OK$/{print $1}' | sort 

Then you could limit the backup to the specific files and/or directories under /etc which you’ve changed. Thereby limiting the chance of inadvertently clobbering configurations you haven’t touched between different versions of those applications.

I find it’s always nice to have reminders of what I’ve fiddled with. Might remind me of scripts I’ve also stuck in /usr/local/bin or something else not in my home directory.

It also might be helpful in 6 months, after Evergreen has been out a while and is seeing regular updates. Someone without a lot of Linux experience will use the article as a “How To” guide and freak out when their restore fails. Even if there is documentation which explicitly explains it, that might not be what the user finds first. :roll_eyes: :laughing:

5 Likes
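The dpkg-query / md5sum pipeline in the post above is the whole technique in one line. The block below is an added example (mine, not code from the post or from Purism) that does the same job in Python so it can be exercised against a constructed sample /etc without dpkg on the machine: parse the Conffiles list dpkg prints, compare each file on disk with the md5 dpkg recorded at install time, and archive only the files that differ. Unlike the one-liner it keeps files that were edited apart from files that have been deleted (md5sum -c reports both as not OK). The package layout, paths, file contents and the temporary root are all constructed for the demo.

```python
import hashlib
import os
import tarfile
import tempfile

# Constructed stand-in for the output of
#   dpkg-query -W -f='${Conffiles}\n' '*'
# dpkg prints one conffile per line as " <path> <md5 of the packaged file>", with
# an optional trailing "obsolete" marker and an empty line for packages that ship
# no conffiles.  The md5 placeholders are filled in by build_sample_root().
CONFFILES_TEMPLATE = """\
 /etc/ssh/sshd_config {sshd}
 /etc/motd {motd}

 /etc/removed.conf {removed}
 /etc/old.conf {old} obsolete
"""


def parse_conffiles(text):
    """Yield (path, expected_md5, obsolete) for every conffile line; blank lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        yield fields[0], fields[1], "obsolete" in fields[2:]


def classify_conffiles(text, root="/"):
    """Compare each conffile on disk with the md5 dpkg recorded at install time.

    Returns (changed, missing): 'changed' is what the md5sum -c pipeline lists as
    not OK because the content differs, 'missing' is what it reports as failed to
    open.  'root' lets the check run against a sample tree instead of the real /.
    """
    changed, missing = [], []
    for path, expected, _obsolete in parse_conffiles(text):
        full = os.path.join(root, path.lstrip("/"))
        try:
            with open(full, "rb") as fh:
                actual = hashlib.md5(fh.read()).hexdigest()
        except FileNotFoundError:
            missing.append(path)
            continue
        if actual != expected:
            changed.append(path)
    return sorted(changed), sorted(missing)


def backup_changed(paths, root, archive):
    """Write only the changed conffiles to a gzip'd tar, keeping paths relative to
    root so that 'tar xzf archive -C /' puts them back in place.  Returns the
    member names so the archive can be checked the way 'tar tzv' would."""
    with tarfile.open(archive, "w:gz") as tar:
        for path in paths:
            tar.add(os.path.join(root, path.lstrip("/")), arcname=path.lstrip("/"))
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(tar.getnames())


def build_sample_root():
    """Create a throwaway root with one edited, one pristine, one deleted and one
    obsolete conffile (constructed data, not taken from a real system)."""
    root = tempfile.mkdtemp(prefix="etc-sample-")
    packaged = {
        "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
        "/etc/motd": b"Welcome to PureOS\n",
        "/etc/removed.conf": b"gone\n",
        "/etc/old.conf": b"legacy\n",
    }
    on_disk = dict(packaged)
    on_disk["/etc/ssh/sshd_config"] = b"PermitRootLogin no\n"   # the local edit
    del on_disk["/etc/removed.conf"]                             # deleted by the admin
    for path, data in on_disk.items():
        full = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    md5 = {k: hashlib.md5(v).hexdigest() for k, v in packaged.items()}
    text = CONFFILES_TEMPLATE.format(sshd=md5["/etc/ssh/sshd_config"], motd=md5["/etc/motd"],
                                     removed=md5["/etc/removed.conf"], old=md5["/etc/old.conf"])
    return root, text


def demo():
    """Run the whole check on the sample root; returns (changed, missing, archived names)."""
    root, conffiles = build_sample_root()
    changed, missing = classify_conffiles(conffiles, root)
    names = backup_changed(changed, root, os.path.join(root, "etc-changed.tar.gz"))
    return changed, missing, names


if __name__ == "__main__":
    print(demo())
```

On a real system you would feed `classify_conffiles` the actual dpkg-query output and leave `root` at "/"; the md5 dpkg keeps is of the file as shipped by the package, so a file that appears as changed is either one you edited or one a maintainer script rewrote, which is exactly the set you want to restore by hand rather than clobber wholesale.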

3 pipes in a SINGLE line ? meh GUI can do that … :stuck_out_tongue_winking_eye:

with that last one we are very close to writing a full blown script here …

1 Like

You will note though that he is using a selective restore, partly for that reason I would suppose.

However even a selective restore could cause a problem with an unfriendly update to some component. (It would therefore, and otherwise, be desirable to refresh the backup frequently.)

I prefer to use dd for backup and restore, as I will always get a known valid state. It is unclear how one could do that on the L5. I have previously hinted to Purism :slight_smile: that I would like to be able to boot from µSD card, at least for the purpose of backup and restore of the eMMC drive.

To provide a bit more background (not sure of your level of expertise) -

A human being makes up a somewhat memorable encryption password, hopefully not too easily guessable, and typically comprising printable characters only e.g. “myLibrem5Backup” :slight_smile:

A “key derivation function” (KDF) converts the encryption password into an X-bit key (whatever length key is actually required by the encryption algorithm being used).

Human beings aren’t very good at making up random passwords (not uniformly distributed and not much entropy). It may be viable for an attacker to iterate through all passwords that a human would actually choose and maybe quickly eliminate that key by decrypting the first encryption block. That will take far far less time than simply iterating over all X-bit keys. (Even though the vast majority of X-bit keys can never arise from the KDF algorithm, due to lack of entropy in the original password, the attacker has no way of telling which X-bit keys can arise and which cannot.)

A KDF is designed to be hard on the CPU - take a non-trivial amount of time on a current CPU but not so much time that the user experience sucks or even that network protocols time out waiting for keys to be derived - and ideally be difficult to implement in a GPU. The KDF has to mung the password hard but not too hard. To maintain strength over time a KDF typically has a parameter that is the number of iterations that are applied.

According to the internet, openssl uses as the default KDF something that is home brew (similar to PBKDF1) with an iteration count of 1.

Anything “home brew” should be considered at least a little bit suspect (but as this is open source it can be retrospectively reviewed by experts around the world, and no doubt has been).

PBKDF1 having been superseded by PBKDF2 should be considered suspect.

An iteration count of 1 is almost certainly woefully inadequate. (By way of comparison, when WiFi uses PBKDF2, it uses 4096 iterations.)

3 Likes
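The openssl pipeline earlier in the thread and the KDF background in the post above describe what the deprecation warning is about. The block below is an added example (mine, not code from the thread or from Purism) that implements both derivations so the difference can be measured offline: OpenSSL's legacy EVP_BytesToKey with a count of 1, which is what `openssl enc` uses without `-pbkdf2`, and PBKDF2 as selected by `-pbkdf2`/`-iter`, plus a parser for the `Salted__` header that `openssl enc -salt` writes in front of the ciphertext. The password, salt and iteration counts are constructed for the demo; using SHA-256 as the digest is an assumption about the openssl release in use (older releases used MD5). On the command line the fix is the flags the warning names, for example `openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000`, given identically on the encrypt and the `-d` side because the iteration count is not stored in the file.

```python
import hashlib
import hmac
import struct
import time

# Constructed inputs: the sample password from the post and a fixed 8-byte salt.
# openssl enc stores its salt after the 8-byte magic "Salted__"; the salt here is
# made up for the demo and not taken from any real archive.
PASSWORD = b"myLibrem5Backup"
SALT = bytes.fromhex("0102030405060708")
KEY_LEN, IV_LEN = 32, 16          # aes-256-cbc needs a 32-byte key and a 16-byte IV


def evp_bytes_to_key(password, salt, key_len, iv_len, md=hashlib.sha256, count=1):
    """OpenSSL's legacy EVP_BytesToKey, the KDF 'openssl enc' uses without -pbkdf2.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt), each block
    hashed 'count' times in total; key || iv is the concatenation of the D_i.
    openssl enc calls it with count=1, so one digest per candidate password is
    all a cracker needs.  (Assumption: md defaults to SHA-256, the digest modern
    openssl enc uses; older releases used MD5.)
    """
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = md(block + password + salt).digest()
        for _ in range(count - 1):
            block = md(block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def pbkdf2_sha256(password, salt, iterations, dklen):
    """PBKDF2 (RFC 8018) written out: T_i = U_1 xor ... xor U_c with
    U_1 = HMAC(P, S || INT(i)) and U_j = HMAC(P, U_{j-1}).  Each candidate
    password now costs 'iterations' HMACs per output block."""
    out = b""
    block_index = 1
    while len(out) < dklen:
        u = hmac.new(password, salt + struct.pack(">I", block_index), hashlib.sha256).digest()
        t = u
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t = bytes(a ^ b for a, b in zip(t, u))
        out += t
        block_index += 1
    return out[:dklen]


def parse_salted_header(blob):
    """Split the output of 'openssl enc -salt' into (salt, ciphertext).
    The layout is the 8-byte magic 'Salted__', an 8-byte salt, then ciphertext."""
    if blob[:8] != b"Salted__" or len(blob) < 16:
        raise ValueError("not an openssl enc salted blob")
    return blob[8:16], blob[16:]


def guesses_per_second(kdf, seconds=0.2):
    """Rough single-core cracking rate for a KDF: how many candidate passwords
    can be derived per second on this machine (a timing, so the value varies)."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        kdf(PASSWORD + str(n).encode())
        n += 1
    return n / seconds


if __name__ == "__main__":
    legacy = lambda pw: evp_bytes_to_key(pw, SALT, KEY_LEN, IV_LEN)
    strong = lambda pw: pbkdf2_sha256(pw, SALT, 10000, KEY_LEN + IV_LEN)
    print("EVP_BytesToKey count=1:", f"{guesses_per_second(legacy):,.0f} guesses/s")
    print("PBKDF2 10000 iterations:", f"{guesses_per_second(strong):,.0f} guesses/s")
```

The two printed rates are the whole argument: the legacy derivation costs one hash per guess, PBKDF2 with 10000 iterations costs about 20000 HMACs for the 48 bytes aes-256-cbc needs, and a dictionary of human-chosen passwords shrinks by that factor per second of attacker time. Note also that `openssl enc` in CBC mode adds no integrity check, so a modified archive is not detected before tar tries to unpack it; that is one reason the thread's pointer to gpg is sound, since `gpg --symmetric` protects the data with an integrity check by default.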

Hi,
I have no problem making a backup on the memory card.
But I’m not able to make a backup on a network server…
How can I find a network server?
I thought that I could on that Webo Cloud : https://nextcloud05.webo.cloud/login?user=pertinence@riseup.net&direct=1

But when I ask the backup app to make a backup, it responds:
« Traceback (innermost last):
  File "/usr/bin/duplicity", line 122, in
    with_tempdir(main)
  File "/usr/bin/duplicity", line 108, in with_tempdir
    fn()
  File "/usr/lib/python3/dist-packages/duplicity/dup_main.py", line 1522, in main
    action = commandline.ProcessCommandLine(sys.argv[1:])
  File "/usr/lib/python3/dist-packages/duplicity/commandline.py", line 1187, in ProcessCommandLine
    config.backend = backend.get_backend(args[0])
  File "/usr/lib/python3/dist-packages/duplicity/backend.py", line 223, in get_backend
    obj = get_backend_object(url_string)
  File "/usr/lib/python3/dist-packages/duplicity/backend.py", line 209, in get_backend_object
    return factory(pu)
  File "/usr/lib/python3/dist-packages/duplicity/backends/giobackend.py", line 96, in init
    self.remote_file.make_directory_with_parents(None)
gi.repository.GLib.GError: g-io-error-quark: Operation not supported (15) »

Make backup on the memory card and then copy the resulting single file to the network?

The above kind of error is typical with file system abstractions. That is, the application thinks that it is interacting with a local real file system but in reality it is some kind of virtual file system that unfortunately does not support all of the operations that the local real file system does (in this case, perhaps, creating a directory).

Personally I wouldn’t use some random server on the internet as the target of my backup file anyway unless the backup has both confidentiality and integrity before it hits the network.

1 Like