Hackviking He killed Chuck Norris, he ruled dancing so he took up a new hobby…

3 Apr 2016

Pi: Geo-location backup with BtSync

Building a geo-location backup for your NAS is a good idea! Spreading the risk over two or more locations increases your backup value a lot. Most people confuse redundancy and backup. If you only have a USB-disk backup of your NAS it only protects you against hardware failure. If there is a fire or a break-in you will still lose your data. A lot of people take a USB-disk to a second location, like their office, to mitigate this problem. But to be honest, how often will that backup be done if you have to remember to bring the disk back and forth? We want automatic backups to our offsite location, in this case my office. So we are going to build a BitTorrent Sync "satellite".

Background

Most of my off-site backups are in the cloud. But putting all data there will cost too much. Media files and all the video recorded with my GoPro will just take up too much space. On top of that, everyone has some private data that they don't want to upload into the cloud for different reasons. Another point is that a large amount of data will take a long time to recover if you need to download it all over the internet. With this solution you can just pick up your hard drive at the other location and do a local copy to restore.

This is exactly why I did this build. The off-site backup from my San Francisco apartment is currently going to my apartment in Sweden. If I need to recover, it will take too long, and cost too much, flying back to get it. Since we have a high speed internet connection at the office, without a data cap, just sitting idle during the night, I decided to build a btsync client that can download and retain a complete copy of my NAS. I already have a btsync server running on an Odroid in the apartment; you can read more about that build in the Raspberry Pi: BitTorrent Sync article.

Challenges

There were a few design challenges with this build:

  1. Security - What if someone steals this contraption from my desk? I want my files to be secure if that happens, so I need to encrypt the USB disk. At the same time as I want encryption, I want to be able to grab the disk and attach it to any of my machines in case of recovery. To make sure I could use the encrypted drive on all my machines I opted for compiling Truecrypt 7.1a for the ARM processor.
  2. Access - To make the security work I cannot save the encryption key on the Pi, since it would be easy enough to extract if it was stolen. So when power is connected and the device boots up I need to SSH into it and mount the drive with the encryption key. We use DHCP at the office so it will not always get the same IP. Since I have access to the DHCP server I could check it there or scan the network for it, but I want this to be easy. To sort this out I added a 20x4 LCD display to the Pi to display the IP address so it will be easy to SSH into it.
  3. Progress - I also wanted status and progress information easily accessible without having to log in to the web UI all the time. Since I already have the LCD display connected I want this information there as well.

So the part list for this build came out to this:

  • Banana Pi - I went with this choice due to its Gbit network, which makes a huge difference with BitTorrent Sync.
  • 20x4 LCD - Got a cheap one for $10 on Ebay with an I2C backpack already soldered on.
  • Samsung M3 4TB USB-disk - My standard backup disk, already encrypted with Truecrypt.
  • OEM Powered USB-hub - To power the USB-disk.

Basic install

First we need to set up the Pi of your choice, in my case a Banana Pi. Here is a quick rundown on how to get the Banana Pi up and running. As soon as we have that up and running we can SSH into it and start installing the software. We will start with Truecrypt...

Install Truecrypt

I'm not even going to address the discussions about whether Truecrypt is safe or not since development was discontinued. There have been security reviews that haven't really revealed any major security concerns. It's cross-platform and secure enough for this implementation. If our night time janitor can break into this he should stop being the night time janitor and start working for me instead! Only download Truecrypt from the Gibson Research Corporation; there are a lot of repositories floating around out there that most definitely have security issues added to them. Before we can download the Truecrypt source and compile it we need to get the pkcs headers on the Pi.

mkdir -p /usr/include/pkcs
cd /usr/include/pkcs
wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11.h
wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11f.h
wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11t.h

Now it's time to download the Truecrypt source. We have to go with the 7.1a version, which is the last one that could do both read and write. The last version is only for migration from Truecrypt to other full disk encryption suites.

cd /tmp
wget https://www.grc.com/misc/truecrypt/TrueCrypt%207.1a%20Source.tar.gz
wget http://prdownloads.sourceforge.net/wxwindows/wxWidgets-2.8.12.tar.gz
tar -xvf TrueCrypt\ 7.1a\ Source.tar.gz
tar -xvf wxWidgets-2.8.12.tar.gz

We also need some additional packages before we can start the build.

apt-get install libfuse-dev pkg-config
export PKCS11_INC=/usr/include/pkcs

Now we can start the actual build. This will take 10-15 minutes depending on the hardware you are running. I have tested this on several ARM-based systems and in fact only ran into issues on the Banana Pi. The build failed for no apparent reason; I just rebooted the machine and built it again, and it has worked just fine since then.

cd truecrypt-7.1a-source
make NOGUI=1 WX_ROOT=/tmp/wxWidgets-2.8.12 wxbuild
make NOGUI=1 WX_STATIC=1

Since we are running this entire setup from the shell we don't need the UI, that's why we build it with NOGUI=1.

Storage

The first issue I ran into was that the Banana Pi was unable to power my USB drive. The Samsung M3 4TB is a beast! When you take it apart it's much thicker than a regular 2.5'' drive and I suspect that my netbook is only just able to power it. I sorted this out with a really cheap USB hub. I was hoping that it would power my Banana Pi as well but I went too cheap! As soon as the disk spun up on access the whole package just died. So I had to go with two power cords after all. As I mentioned, my USB-disk is already set up with a Truecrypt volume, which in turn is set up with NTFS. We need to be able to read and write that, so once again we need additional packages.

apt-get install ntfs-3g

Now we can mount the USB-disk with Truecrypt so we can access the file system.

mkdir /mnt/tc_disk
truecrypt /dev/sda1 /mnt/tc_disk

Truecrypt will prompt you for the password and once it's typed in it will ask a couple of questions; if you have a regular Truecrypt volume on there just press Enter for each question. Verify that you can read and write to the disk by creating and deleting directories and/or text files with nano.

Install BitTorrent Sync

When we have access to the disk we can install the btsync daemon.

apt-get install btsync

More in-depth instructions on how to install btsync on a Pi can be found in my Raspberry Pi: BitTorrent Sync article. Since we log in over SSH and mount the Truecrypt volume manually as root after every restart, for security reasons, btsync also has to run as root. There might be workarounds for this but that is outside the scope of this article.

We also need to point the "Start path for the web interface folder browser:" to the mount point of the Truecrypt volume: /mnt/tc_disk

When the installation is complete we can access the web interface, I always configure it to use SSL: https://{pi ip-address}:8888

Set the username and password and create a new identity for the box. The premium feature of adding several nodes to the same identity is not really needed in this setup, since I only want this box to have read-only copies of my primary NAS. When this is done I share the folders on my primary node and copy/paste the code into the "manually add folder" function on this box. I recommend that you let it all sync on the local LAN before you move the box to your secondary location; it will take a while for all that data to sync over to the new node.

Since all my files were already on the USB-disk I tried to make it sync and realize that the files were already there. It failed totally; after a couple of days it stated that all files were in sync but the number of files in the two UIs didn't match up at all. So I ended up deleting everything off the drive and doing a fresh sync.

To prevent btsync from trying to sync if the disk is not mounted we also need to disable the autostart of the daemon. Since I'm running Bananian on this box it's a bit different from what you would do on a Raspbian-based system.

update-rc.d -f btsync remove

So now I have to manually start the daemon after I have mounted the disk, with this command:

service btsync start
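
A guard for this manual step, as an added example that is not part of the original post or of the btsync package: it reads the mount table and starts the daemon only when /mnt/tc_disk is a real read-write mount, so btsync is never started against the bare directory on the unencrypted root filesystem. `SERVICE_CMD`, `MOUNTS_FILE` and the sample table are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the mount point and
# service name used in this article; SERVICE_CMD and MOUNTS_FILE are
# hypothetical overrides for dry runs.
MOUNT_POINT=${MOUNT_POINT:-/mnt/tc_disk}
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}

# Constructed sample of a /proc/mounts table (not captured from a real box).
sample_mounts() {
cat <<'EOF'
/dev/root / ext4 rw,noatime 0 0
/dev/mapper/truecrypt1 /mnt/tc_disk fuseblk rw,nosuid,nodev,allow_other 0 0
/dev/sdb1 /mnt/ro_disk vfat ro,relatime 0 0
EOF
}

# mount_state DIR [TABLE] -> prints "rw", "ro" or "absent".
# Matches DIR against the mount-point column, so an empty directory that
# merely exists on the SD card is reported as "absent".
mount_state() {
    dir=${1%/}; [ -n "$dir" ] || dir=/
    awk -v d="$dir" '
        $2 == d { state = "ro"; n = split($4, opt, ",")
                  for (i = 1; i <= n; i++) if (opt[i] == "rw") state = "rw" }
        END { print (state == "" ? "absent" : state) }
    ' "${2:-$MOUNTS_FILE}"
}

# Start the daemon only when the encrypted volume is mounted read-write.
start_btsync_if_mounted() {
    case $(mount_state "$MOUNT_POINT") in
        rw) ${SERVICE_CMD:-service} btsync start ;;
        ro) echo "refusing: $MOUNT_POINT is read-only" >&2; return 2 ;;
        *)  echo "refusing: $MOUNT_POINT is not mounted" >&2; return 1 ;;
    esac
}

# Run as: sh start_btsync.sh --start   (after mounting with truecrypt)
if [ "${1:-}" = "--start" ]; then
    start_btsync_if_mounted
fi
```
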

LCD Display

So for this build I used a cheap OEM 20 characters x 4 lines LCD display with an I2C backpack. That means that it's really easy to hook it up to the Pi and use it. Many of the OEM LCD panels out there work more or less the same and can easily be used with the same example code. First we need to hook it up to our Pi.

Front end of the 20x4 LCD panel

First we need to connect it properly to the Pi. I use simple "pop on" cables bought at my local electronics dealer.

20x4 LCD Panel Pinout

The pinout is pretty easy on this, from the top:

  • GND: Connect to ground on the Pi GPIO.
  • VCC: Connect to 5v on the Pi GPIO.
  • SDA: Connect to SDA on the Pi GPIO.
  • SCL: Connect to SCL on the Pi GPIO.

Just Google your Pi version and the word pinout and you will get a schematic like the one below that will show you exactly how to connect your LCD.

Banana Pi Pinout

To be able to use the LCD we first need to enable I2C on the Pi. This is done from raspi-config if you're running Raspbian, or in this case bananian-config. Go in under Advanced and enable I2C. Then we also need some additional software for this to work.

apt-get install i2c-tools

This will install a tool that can be used to check that the screen is connected properly. If you run i2cdetect -y 1 you should get a readout with something more than just -- for each value. Note: The Banana Pi main GPIO is -y 2. To keep this short I will not go into more detail on this; if you run into issues there are several good guides out there outlining this in much more detail.

The script

Update 2016-04-05: Wrote a more detailed post about the script - Pi: Python script for BtSync status LCD

To be able to display all this information I wrote a Python script updating the LCD panel. For the basic LCD functionality I forked a Python script written by Matt Hawkins @ Raspberry Pi Spy. It gave me all the basic functionality to be able to run the LCD part of this script. Then I wrote a few functions for collecting the information to display. To be able to interact with the LCD we need some additional packages installed. The script also does REST requests to the UI of BtSync to be able to display progress information as well as the upload and download speed.

apt-get install python-dev libxml2-dev libxslt1-dev zlib1g-dev python-smbus

BtSync LCD Display

So the script outputs the IP address so I always know what IP I can reach it on for the BtSync UI or SSH. The second line tells me if the Truecrypt volume is mounted (TCM) and if the BtSync daemon is running. The third line contains the number of files (F) currently synced and the number of files queued for download (FD). The last line shows the current download (D) and upload (U) speeds in Mb/s.

The script can be executed from the console for testing with python lcd_info.py and is very fault tolerant at this point. The script will check the current IP address, Truecrypt mount and BtSync daemon status every 15 seconds. It will also check the current number of files and upload/download speeds every 3 seconds. Since the script needs access to the BitTorrent Sync web UI it will need the credentials. For security the script gets this information from a JSON file located on the encrypted Truecrypt volume. So if anyone rips the power and steals the build they will not get my BtSync password from my script at least. You can download lcd_info.py from my Github.

To autostart the script on boot, which is a good idea since we want the IP to SSH in and start the other services, just nano /etc/rc.local and add:

python /root/lcd_info.py &

Conclusion

So far I'm really happy with this build! It has been a fun project with a real everyday application that I really need. This is a really cheap geo-location backup and it will make sure that your backup is always up to date. I will probably write more about this project in the future since it's hard to keep this short and to the point while still covering each part in depth. Please let me know in the comments what you want to know more about and I can do more in-depth posts on those topics. I suspect that most of you would like a post on the script?
