Skip to content

encrypted backup appliance with raspberry pi and rsnapshot

*** I actually ended up replacing rsnapshot with obnam as detailed in this post. ***


Today, I decided to switch up my backup routine. Before I was using a mix of bash and python scripts to backup different machines, but I wanted to set up a single appliance that could take care of all of my servers and keep backups in a centralized, encrypted location. What I ended up with is a raspberry pi with an encrypted  4TB usb drive.

First, I installed raspbian lite on the raspberry pi, then I changed the root password and removed the pi user.

Next, run updates.

Install software.

Encrypt the Storage Drive

Next, I set up the encrypted usb drive as a dm-crypt device in LUKS encryption mode.

You can also manually specify any options if you don’t like the defaults.

Enter your passphrase and your drive is now encrypted.

To be of any use, you will need to mount the drive and create a filesystem.

The ‘backups’ in the above command is the name I chose for the device mapper. This will open the encrypted drive as /dev/mapper/backups and you can then create a filesystem.

Create a mount point.

Mount the drive.

At this point, your drive is encrypted and unlocked and mounted to /mnt/backups. To close the drive, unmount and close it.

Now this is all good if you just intend to unlock your drive, copy some files, and then lock it back again, but I wanted this to be an appliance. I need the drive available all the time while it is connected to the raspberry pi. To do this, I will need to add a keyfile to the system to unIock the drive when the raspberry pi boots.  The problem with this, is that the keyfile is readable by anyone on the system which means that your drive is available to anyone who can access the pi. I only really care about the drive being encrypted when it is removed from the appliance and stored elsewhere so this is fine for my purposes.

Create a folder /etc/keyfiles.

Create a keyfile.

Set permissions on the keyfile.

Now add the key to the drive so that it can be unlocked with your key.

You can dump the luks header and see that your key has been added to slot 2.

Now, to have the disk auto unlock and mount at boot, get the disk’s UUID.

Make a new entry in /etc/crypttab using the UUID from output of the previous command.

Update the initial ramdisk.

Then test.

It should report back:

Make sure the device is mapped.

Make sure backups is listed.

Make a new entry in /etc/fstab.

Make sure it mounts correctly.

Now your encrypted drive will be mounted on boot. Reboot and make sure that /dev/mapper/backups is available and mounted to /mnt/backups.


Set up backup service

Earlier, we installed rsnapshot. rsnapshot is a filesystem snapshot utility based on rsync. This will allow us to backup remote systems over ssh with rsync.

The rsnapshot config file is located at /etc/rsnaphot.conf. Edit this file and set your snapshot_root to the encrypted drive.

Uncomment the external program dependencies.

Set up the backup retentions.

Next, scroll down and set up your backup targets. To backup remote systems, you will need to have your remote servers set up with ssh keys. For more information, check here.

Those are the basic settings. The rest of the config file is fairly self-explanatory so make any other changes you would like and save the file. You can test your configuration with:

It will tell you exactly what is wrong if there are any errors.


Automate the backups

To have the backups automatically run on a schedule, you will need to set up a systemd service and timer.

Create /etc/systemd/system/rsnapshot@.service

Create /etc/systemd/system/rsnapshot-hourly.timer

Finally, enable and start the service and it should perform an hourly backup of all of your backup targets.

You can extend this by adding daily, weekly, and monthly timers to archive longer periods of time.

To manually run a backup:


The backups drive will contain folders named, daily.0, daily.1 etc. The latest backup will be daily.0 and daily.6 will be a week ago. Each of these folders contain a full backup, so to restore the previous days files, just copy the contents of daily.0 back to its original location. Its as simple as that. You can find more info at

One Comment

  1. […] playing around with my backup appliance from this post, I ended up switching the backup software from rsnapshot to obnam. Obnam seems to work better and […]

Comments are closed, but trackbacks and pingbacks are open.