My solution to rsync to a luks encrypted drive in Hass OS

Hello,

What I achieve: securely backing up my NAS to an encrypted drive plugged into HassOS on a Raspberry in another location.

As stated in Rsync install it is not possible to install software on the Hass OS host. And the host does not have rsync, nor cryptsetup/Luks.
But using Docker it is possible to do it.

How to do it:

  • Create a new container hdd from Ubuntu: docker run -it -p 22:1979 -v /mnt/data/backup:/mnt/backup --name hdd --privileged --cap-add=ALL ubuntu:20.04
  • Update packages list: apt update
  • Install tools: apt install -y cryptsetup rsync openssh-server
  • Copy/paste your ssh public key in /root/.ssh/authorized_keys
  • Set PermitRootLogin to yes in /etc/ssh/sshd_config
  • Exit the container: exit
  • Save your docker container to a docker image: docker commit hdd hdd

Command to run before a backup:

  • Run your new image: docker run -td -v /mnt/data/backup:/mnt/backup --name hdd --privileged --cap-add=ALL hdd
  • Decrypt drive: docker exec -it hdd cryptsetup luksOpen /dev/sda1 hdd
  • Mount drive: docker exec hdd mount -t ext4 /dev/mapper/hdd /mnt/backup
  • Find the container IP: docker inspect hdd | grep 'IPAddress'

To do the backup copy:
rsync -azv -e 'ssh -A -J your_user@ip_of_hass_os' /path_to_local_files_to_backup/ root@ip_of_docker_container:/mnt/backup

When your copy is done, close the drive to keep it secure:

  • docker exec hdd umount /mnt/backup
  • docker exec hdd cryptsetup luksClose hdd

It works but it certainly could be improved. I think we could rsync directly into the docker container by exposing the ssh port of the container. So no need for IP of container and .
Let me know if you have ideas or questions.

Notes on security:

  • The communication is encrypted through SSH and the partition is encrypted by cryptsetup. So if someone steals the drive, he can’t read the data. BUT when you do the copy, someone with access to HassOS could access your data unencrypted! So do this only on a HassOS installation you trust.
  • I could put an image on Docker Hub to simplify this, but I discourage you from using such a thing to manipulate your data as you don’t know what the image will do.
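
The open, copy and close steps from the post above, wrapped so that the drive is unmounted and locked again on every exit path, including a failed or interrupted rsync. This is an added example, not the thread author's script; HASS_HOST and SRC_DIR are placeholder assumptions, HASS_HOST is assumed to be an ssh destination that reaches a host shell where docker is available, and a docker inspect format template is used in place of the grep.

```shell
#!/bin/sh
# Added example, not the thread author's script.
# Assumed placeholders: HASS_HOST, SRC_DIR. The container name "hdd",
# /dev/sda1 and /mnt/backup are the ones used in the post above.
HASS_HOST="${HASS_HOST:-root@HOME_ASSISTANT_IP}"
SRC_DIR="${SRC_DIR:-/path_to_local_files_to_backup/}"

# Run a command on the HassOS host (-t gives luksOpen a terminal for the passphrase).
on_host() { ssh -t "$HASS_HOST" "$@"; }

# Unmount and lock the drive. luksClose is attempted even if umount fails,
# and the function reports failure if the mapping could not be closed.
close_drive() {
    on_host docker exec hdd umount /mnt/backup
    on_host docker exec hdd cryptsetup luksClose hdd
}

backup() {
    on_host docker exec -it hdd cryptsetup luksOpen /dev/sda1 hdd || return 1
    # From here on the plaintext mapping exists, so every exit path closes it.
    trap 'close_drive; exit 130' INT TERM
    rc=0
    if on_host docker exec hdd mount -t ext4 /dev/mapper/hdd /mnt/backup; then
        # Inner single quotes keep the template intact through the remote shell.
        ip=$(on_host docker inspect -f \
            "'{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}'" hdd | tr -d '\r')
        rsync -azv -e "ssh -A -J $HASS_HOST" "$SRC_DIR" "root@$ip:/mnt/backup" || rc=$?
    else
        rc=1
    fi
    close_drive || rc=1
    trap - INT TERM
    return "$rc"
}

# Only act when invoked as: ./script.sh run
if [ "${1:-}" = "run" ]; then backup; exit $?; fi
```

The exit status is rsync's own unless the mount or the close failed, so a calling job can tell a failed copy from a drive left unlocked.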

Hi @benoit-cty, interesting and thanks for sharing. I came across your post while I was looking to do something similar:

  1. ssh into a remote server with a luks encrypted ext hdd
  2. luksopen the hdd and mount
  3. rsync to back up files
  4. luksclose and disconnect

Couple of questions for you if I may:
a) Have you looked at smaller/lighter docker images to do this? I feel like Ubuntu is overkill. I’ve been looking but I haven’t (yet) found a docker image that just has bash, ssh, rsync and cryptsetup. Alpine looks promising - there seem to be a few existing images that are close.
b) How are you running all these commands in hass os? As command lines? HA scripts? or a bash script?

Sorry for the delay.
I use Ubuntu because I know how to install cryptsetup rsync openssh-server on it. Alpine is often used as a small image but it has a different package manager. Maybe debian-slim is a good solution in between.
I run some commands manually and I have a script for the backup: useful_multimedia_scripts/backup_nas_rsync.sh at 449d87708e6c619050a2fab57c773a449f93f54b · benoit-cty/useful_multimedia_scripts · GitHub

No worries. I ended up building a container using docker and alpine with all the dependencies I needed for rsync, luks, etc. It works just fine now :slight_smile: Thanks for sharing!

Hello,

Nice, would you share how you do it?

I made a script to set it up: useful_multimedia_scripts/mount_hass_crypt_backup.sh at aee8ec1605fd571c34bfe8200063434bc16c8f5d · benoit-cty/useful_multimedia_scripts · GitHub
So you could simply run, from your local machine:

wget https://github.com/benoit-cty/useful_multimedia_scripts/raw/master/mount_hass_crypt_backup.sh
scp -P 22222 ./mount_hass_crypt_backup.sh root@HOME_ASSISTANT_IP:/tmp
ssh root@HOME_ASSISTANT_IP -p 22222 /tmp/mount_hass_crypt_backup.sh
./backup_nas_rsync.sh