6.7 KiB
| lang | layout | permalink | redirect_from | ref | title | ||
|---|---|---|---|---|---|---|---|
| en | doc | /doc/backup-emergency-restore-v4/ |
|
192 | Emergency backup recovery (v4) |
This page describes how to perform an emergency restore of a backup created on Qubes R4.X (which uses backup format version 4).
The Qubes backup system is designed with emergency disaster recovery in mind. No special Qubes-specific tools are required to access data backed up by Qubes. In the event a Qubes system is unavailable, you can access your data on any GNU/Linux system by following the instructions on this page.
Important: You may wish to store a copy of these instructions with your Qubes backups. All Qubes documentation, including this page, is available in plain text format in the qubes-doc Git repository.
Required scrypt utility
In Qubes 4.X, backups are encrypted and integrity-protected with
scrypt. You will need a copy of this
utility in order to access your data. Since scrypt is not pre-installed on
every GNU/Linux system, it is strongly recommended that you store a copy of it
with your backups. If your distribution has scrypt packaged (e.g., Debian),
you can install the package in the standard way using your distribution's
package manager. Otherwise, you'll need to obtain a compiled binary
(instructions below) or compile the program from source yourself. (Don't forget
to verify signatures first!) Note that
versions of scrypt up to 1.2.0 (inclusive) do not support the -P option for
easier scripting, which means you'll need to enter the passphrase for each file
separately, instead of using echo ... | scrypt.
Here are instructions for obtaining a compiled scrypt binary. This example
uses an RPM-based system (Fedora), but the same general procedure should work on
any GNU/Linux system.
-
If you're not on Qubes 4.X, import and authenticate the Release 4 Signing Key.
[user@restore ~]$ sudo rpm --import qubes-release-4-signing-key.asc -
Download the
scryptRPM.[user@restore ~]$ dnf download scryptOr, if that doesn't work:
[user@restore ~]$ curl -O https://yum.qubes-os.org/r4.0/current/vm/fc28/rpm/scrypt-1.2.1-1.fc28.x86_64.rpm -
Verify the signature on the
scryptRPM.[user@restore ~]$ rpm -K scrypt-*.rpm scrypt-*.rpm: digests signatures OKThe message
digests signatures OKmeans that both the digest (i.e., the output of a hash function) and PGP signature verification were successful. -
Install
rpmdevtools.[user@restore ~]$ sudo dnf install rpmdevtools -
Extract the
scryptbinary from the RPM.[user@restore ~]$ rpmdev-extract scrypt-*.rpm
Emergency recovery instructions
Note: In the following example, the backup file is both encrypted and compressed.
-
(Optional) If you're working with binaries that you saved with your backup, such as
scryptorbzip2, you can make things easier by aliasing those binaries now, e.g.,[user@restore ~]$ alias scrypt="$PWD/scrypt-*/usr/bin/scrypt" [user@restore ~]$ alias bzip2="/home/user/bzip2-*" -
Untar the main backup file.
[user@restore ~]$ tar -i -xvf qubes-backup-2015-06-05T123456 backup-header backup-header.hmac qubes.xml.000.enc vm1/private.img.000.enc vm1/private.img.001.enc vm1/private.img.002.enc vm1/icon.png.000.enc vm1/firewall.xml.000.enc vm1/whitelisted-appmenus.list.000.enc dom0-home/dom0user.000.enc -
Set the backup passphrase environment variable. While this isn't strictly required, it will be handy later and will avoid saving the passphrase in the shell's history.
[user@restore ~]$ read -r backup_pass -
Verify the integrity of
backup-header. For compatibility reasons,backup-header.hmacis an encrypted and integrity protected version ofbackup-header.[user@restore ~]$ set +H [user@restore ~]$ echo "backup-header!$backup_pass" |\ scrypt dec -P backup-header.hmac backup-header.verified && \ diff -qs backup-header backup-header.verified Files backup-header and backup-header.verified are identicalNote: If this command fails, it may be that the backup was tampered with or is in a different format. In the latter case, look inside
backup-headerat theversionfield. If it contains a value other thanversion=4, go to the instructions for that format version: -
Read
backup-header.[user@restore ~]$ cat backup-header version=4 encrypted=True compressed=True compression-filter=gzip hmac-algorithm=scrypt backup-id=20161020T123455-1234 -
Set
backup_idto the value in the last line ofbackup-header. (Note that there is a hyphen inbackup-idin the file, whereas there is an underscore inbackup_idin the variable you're setting.)[user@restore ~]$ backup_id=20161020T123455-1234 -
Choose a qube whose data you wish to restore (in this example,
vm1). Verify the data's integrity, decrypt it, decompress it, and extract it.[user@restore ~]$ find vm1 -name 'private.img.*.enc' | sort -V | while read f_enc; do \ f_dec=${f_enc%.enc}; \ echo "$backup_id!$f_dec!$backup_pass" | scrypt dec -P $f_enc || break; \ done | gzip -d | tar -xv vm1/private.imgIf this pipeline fails, it is likely that the backup is corrupted or has been tampered with.
Note: If your backup was compressed with a program other than
gzip, you must substitute the correct compression program in the command above. This information is contained inbackup-header(see step 5). For example, if your backup is compressed withbzip2, usebzip2 -dinstead ofgzip -din the command above. -
Enter the decrypted directory, mount
private.img, and access your data.[user@restore ~]$ cd vm1/ [user@restore vm1]$ sudo mkdir /mnt/img [user@restore vm1]$ sudo mount -o loop vm1/private.img /mnt/img/ [user@restore vm1]$ cat /mnt/img/home/user/your_data.txt This data has been successfully recovered!
Success! If you wish to recover data from more than one qube in your backup, simply repeat steps 7 and 8 for each additional qube.