[HowTo] make a crash-proof backup for Manjaro

Difficulty: ★★★☆☆

A few things you need to know about backups:

  • One copy does not constitute a good backup!
  • The most important part of a good backup solution is an easy and fast restore!
  • Backup files should be stored on an external disk that gets connected to the system only during a backup or restore cycle so that RansomWare cannot encrypt your backup when it stumbles into your system through wine!
  • Alternatively, you can use a NAS directory that is protected by a password and that gets only mounted during a backup!
  • A Cold System Backup can also protect your dual/triple boot system (backing up all OSes including other Linux systems and Windows)!
  • If you encrypt your backup in the backup program itself, use an algorithmic password depending on date or just don’t forget the password!

Make a Cold System Backup
  1. Download CloneZilla live

  2. Save the ISO in /opt/

  3. Edit the /etc/grub.d/40_custom file and add at the end:

    menuentry "CloneZilla ISO" {
      # The string between " and " below is the actual name of the ISO file you just downloaded
      # and copied to the /opt directory (where optional software resides)
      set ISOFile="/opt/clonezilla-live-20190707-disco-amd64.iso"
      loopback loop ($root)$ISOFile
      linux (loop)/live/vmlinuz boot=live components config findiso=$ISOFile ip=frommedia toram=filesystem.squashfs union=overlay
      initrd (loop)/live/initrd.img
    }
    
  4. Execute update-grub.

  5. Reboot and choose CloneZilla ISO from the grub menu

  6. Follow the CloneZilla Disk to image instructions

This way:

  • You have CloneZilla installed in a fully bootable environment on your local disk so you don’t have to go hunt around for your CloneZilla USB stick to boot from. :innocent:
  • The CloneZilla live environment gets loaded into RAM and the backup solution doesn’t interfere with your existing Manjaro system
  • If you ever need to do a Cold System Restore, it will be of a non-running system exactly as it was at the time of backup!
    (Remember: A backup system is all about the restore, not about the backup!) :wink:
  • You should attach an external drive during the backup / restore process but have it disconnected at any other time so even if anyone would ever design a RansomWare attack for Manjaro, the disk would not be there during the attack and your backup will still be intact.
  • Ensure big unimportant files are symlinked to a drive/partition that does not get backed up, so that you still back up your /home's important configuration files and data files using CloneZilla.
  • Exclude unimportant files from your data backup too (see next section).
  • Using this system you can even back up your dual/triple boot environment together with your Manjaro environment if you want to! (Yeah, that includes Windows!)

Make a data backup

On top of the Cold System backup above you should still take a data backup every day / every couple of days because:

  • A Cold System backup is only needed in case of your system breaking and is a one-stop shop: everything gets restored and you cannot restore individual files!

  • A Data backup can be made to only back up modified files, so is blindingly fast compared to a Cold System Backup that backs up everything all of the time whether it’s changed or not!

  • There are a lot of backup programs out there:

    Borg Backup Installation instructions

    You need to have the AUR activated in pamac

    • Install Borg:

      pamac install borg
      
    • Create your first backup:

      • If you do not want encryption, change the --encryption=repokey where repokey is the password to your Borg repository to --encryption=none

      • In the below example we’ll back up to /media/backup.

      • If you want another mount point, just change that to whatever you like, just ensure it exists before you init your backup! :stuck_out_tongue_winking_eye:

      • Ensure that this mount point does not automount! (We do not want RansomWare to be able to encrypt our backups!)

      • You can change the local repository to a remote Borg server accessible by ssh by just replacing /media/backup with user@hostname:backup

      • --stats is optional as it just creates a statistics page so if you don’t like stats for everything, you can drop that.

        # Initialise repository (borg init has no --stats option; it prompts for the passphrase)
        borg init --encryption=repokey /media/backup/
        # Change to home directory so we can use relative paths
        cd
        # Create backup: archive "<user>-<date>" inside the repository initialised above
        borg create --stats --progress --compression lzma,9 \
                    --exclude ".cache/" \
                    --exclude ".local/share/" \
                    --exclude ".config/borg/" \
                    --exclude "snap" \
                    --exclude "jimbo" \
                    --exclude "Examples" \
                    --exclude "Downloads" \
                    --exclude "Videos/*.avi" \
                    --exclude "Videos/*.mp4" \
                    --exclude "Videos/*.mkv" \
             /media/backup::{user}-{now:%Y-%m-%d} . 2>> /tmp/"$USER"-bck.log
        
      • The above will create a backup of all the important files in your home directory, store them under your user name in the repository with today’s date.

      • As it uses today’s date as the unique backup identifier, the maximum number of backups you can take is one per day!

      • If you want to go up to the nanosecond :wink: use this instead: {now:%Y-%m-%dT%H:%M:%S.%f}

      • See the section “Full backup” below on why we exclude directories instead of including them.

  • If you want to do an efficient data backup and you’re not using Borg Backup you need to know about:

Full Backup

The very first time you take a backup, you’ll have to take a backup of all your files (for a reasonable definition of all :innocent: ) and you do that by taking your entire home directory, excluding the directories that are not critical to you!
Why use excludes instead of includes?
Well, you can easily:

  • Re-install snaps
  • Re-download anything in Downloads
  • Can always reconvert your DVD collection of Star Trek, Star Gate and Babylon 5 :wink: :grin: and even your CD collection again! (no data loss as you still have the DVDs/CD you legally bought anyway.)
  • but it would be much more work to get your subtitles back that have been painstakingly edited after being OCRed and impossible to get your Documents / Pictures / … back.

So that’s why in the Borg example above we excluded snap, Downloads, Videos/*.mkv.
And if you now create an additional directory like “Public” in your home directory that you publish using your personal samba share, it will be automatically included in your backup without you having to do anything, unless you also manually exclude it!

Incremental Backup

In the case of Borg, an incremental backup does not exist, as any backup (except your very first one) is always differential, but I’ve added it here for completeness for other backup programs.
An incremental backup only backs up the files that changed since the last backup so that’s blindingly fast (for most people, yes I know about DBs) so this is what most people do:

  • First Full backup
  • keep on making incremental backups

until the day arrives they need to do a restore and then they find out they need to restore all of their backups !!!

So if your backup program only allows Full and Incremental, dump it and take another backup program because it’s all about the restore!

Differential Backup

This is the default in Borg because it’s a de-duplicating backup system and the crucial difference between an incremental and differential backup is that a differential backup backs up all files changed since the last full backup.
So you only have to worry about the space or time your differential backup is taking: if it starts taking up too much space or taking too much time, just make another full backup and restart the differentials.

Backup schedules

The most important question you have to ask yourself is:
How much data can I afford to lose???
A day? A week?? A month???
Well that is your x : backup every x !!!

With other backup programs, a daily differential and a weekly full backup (or a weekly differential and a monthly full, again depending on your personal x ) will be fine.
Whenever you need to restore, just restore your last full backup and then restore your last differential.

With Borg this matters less: just back up every x days, keep an eye on the total space it takes and do a:

borg prune --stats --keep-last 10 /media/backup/

every couple of months to keep the last 10 backups and a restore will still be a one-step process. You’ll see with Borg that the difference between keeping the last 10 and 20 is not that big, so I generally keep the last 30 backups (and I back up every couple of days or after I’ve made important changes or before I leave on travel! )
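
The rules above combined into one run (mount point checked for noauto, disk mounted only while the backup runs, prune afterwards), as an added example that is not part of the original post. The exclude-list path, the FSTAB/REPO variables and the `run` argument are assumptions:

```shell
#!/usr/bin/env bash
# Added example: one backup cycle with the backup disk mounted only while it runs.
# Assumptions: repository and mount point /media/backup (as in the article), an
# /etc/fstab entry for it, and a hypothetical exclude list in ~/.config/borg-excludes.
REPO=${REPO:-/media/backup}
FSTAB=${FSTAB:-/etc/fstab}
EXCLUDES=${EXCLUDES:-$HOME/.config/borg-excludes}

# 0: entry for mount point $1 has "noauto" and no "x-systemd.automount"
# 1: entry exists but would be mounted automatically; 2: no entry at all
fstab_is_manual() {
    awk -v mp="$1" '
        $1 ~ /^#/ || NF < 4 { next }
        $2 == mp {
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "noauto") manual = 1
                if (opt[i] == "x-systemd.automount") sysd = 1
            }
        }
        END { if (!found) exit 2; exit ((manual && !sysd) ? 0 : 1) }
    ' "$FSTAB"
}

run_backup() {
    local rc=0
    fstab_is_manual "$REPO" || { echo "refusing: $REPO is not a noauto mount" >&2; return 1; }
    mount "$REPO" || return 1
    # From here on always reach umount, even when borg fails
    cd "$HOME" || rc=$?
    if [ "$rc" -eq 0 ]; then
        borg create --stats --compression lzma,9 --exclude-from "$EXCLUDES" \
            "${REPO}::{user}-{now:%Y-%m-%d}" . || rc=$?
        borg prune --stats --keep-last 10 "$REPO" || rc=$?
    fi
    umount "$REPO" || rc=$?
    return "$rc"
}

# Run the cycle only when invoked as "<script> run" (needs the rights to mount)
if [ "${1:-}" = run ]; then run_backup; fi
```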

How to do a restore?

Remember to test your restore before you actually need it! This forum is full of people that did take backups but could never do a restore because they encrypted the backup and forgot their password, excluded the wrong directories, did not include their ~/.config , …
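
A restore drill that checks for exactly those failures (passphrase forgotten, important directories missing from the archive), as an added example that is not part of the original post. The REQUIRED list, the return codes and the `run` argument are assumptions to adapt:

```shell
#!/usr/bin/env bash
# Added example: restore drill for the newest archive in a Borg repository.
# Assumptions: repository at /media/backup (already mounted), archives created
# from $HOME with relative paths, and a REQUIRED list you adapt to your data.
REPO=${REPO:-/media/backup}
REQUIRED=${REQUIRED:-".config Documents Pictures"}

# Name of the most recent archive
latest_archive() {
    borg list --short --last 1 "$REPO"
}

# Print every REQUIRED path that has no entry in archive $1; return 1 if any is missing
missing_paths() {
    local p missing=0
    for p in $REQUIRED; do
        if [ -z "$(borg list --short "${REPO}::$1" "$p" | head -n 1)" ]; then
            echo "$p"
            missing=1
        fi
    done
    return "$missing"
}

# 0: drill passed, 2: no archive found, 3: archive unreadable, 4: required path missing
restore_drill() {
    local archive
    archive=$(latest_archive) || return 2
    [ -n "$archive" ] || { echo "no archives in $REPO" >&2; return 2; }
    # --dry-run reads the archived data without writing any file, so a forgotten
    # passphrase or a damaged repository shows up now rather than during a real restore
    borg extract --dry-run "${REPO}::${archive}" || return 3
    missing_paths "$archive" >&2 || return 4
    echo "restore drill passed for $archive"
}

# Run the drill only when invoked as "<script> run"
if [ "${1:-}" = run ]; then restore_drill; fi
```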

So if you do something:

  • stupid, like deleting a file and deleting it from the Wastebin: just restore that file from your data backup:

        # Restores entire archive into the current directory and lists files while processing
        # (borg list /media/backup shows the archive names; borg extract has no --stats option)
        borg extract --list /media/backup::{user}-{now:%Y-%m-%d}

  • really stupid, like breaking Manjaro: Just reboot, choose CloneZilla Live in your grub environment, restore the entire system from your last Cold System Backup (and restore the latest data backup if needed).
  • extraordinarily stupid, like screwing up grub itself:
    • If you used the CloneZilla Tutorial instead of this one, you can skip this step:
      • Go to another machine and download CloneZilla live from there, burn it to a USB stick,
    • Go back to your sick computer, boot from the USB stick made above, and restore the entire system from there (and restore the latest data backup if needed)

If you are using wine,

make sure you set up a separate user account with minimal privileges and use this user just for running your wine applications. That way any Windows ransomware or other malicious software can only access the contents of that user’s home directory, and not of your main user.

Never run wine as your main user (or, heaven forbid, root).
