backstage2

"Plug-in harddisk, start backup and wait until completed.""

Machine Setup

• Install Git (2.24.0, 2019-11-04)
  • Select Components
    • Uncheck Additional icons
    • Uncheck Windows Explorer integration
    • Check Git LFS
    • Check Associate .git* configuration files with the default text editor
    • Check Associate .sh files to be run with Bash
    • Uncheck Use a TrueType font in all console windows
    • Uncheck Check daily for Git for Windows updates
  • Choosing the default editor used by Git
    • Select Use the Nano editor by default
  • Adjusting your PATH environment
    • Select Git from the command line and also from 3rd-party software
  • Configuring the line ending conversions
    • Select Checkout as-is, commit as-is
  • Configuring the terminal emulator to use with Git Bash
    • Select Use MinTTY
• Install VeraCrypt (1.24-Hotfix1, 2019-10-27)
• Install Macrium Reflect 7 - Free Edition (7.2.4539, 2019-11-18)

Installation and Removal

All described commands are being executed from a git-bash for Windows (not elevated).

Install

# Clone _this repository_
git clone https://github.com/fbau3r/backstage.git "$ALLUSERSPROFILE/backstage2"

# Init machine configuration from a git-bash
$ALLUSERSPROFILE/backstage2/init-machine.sh

Upgrade

# Pull repository
(cd "$ALLUSERSPROFILE/backstage2" && git pull)

Uninstall

# Remove _this repository_ from machine
([[ -d "$ALLUSERSPROFILE/backstage2" ]] && rm -fR "$ALLUSERSPROFILE/backstage2")

# Review if you want to keep machine configuration
([[ -d "${USERPROFILE}/.backstage" ]] && explorer /select,"$(cygpath -w "${USERPROFILE}/.backstage")")

Run

To run the backup, plug-in the external disk with encrypted file container (setup see below) and run backup-machine.cmd as Administrator (elevated mode):

backup-machine.cmd

Disk setup

Setup external disk

1. Format disk with NTFS filesystem
2. In Disk Properties:
   1. Set the disk name to be Backup Container NN (where NN is replaced by a number)
   2. Uncheck disk indexing
   3. Add Group Everyone with permission Full control and remove any other groups or users (recursively)
3. Copy directory contents of assets/external-disk/* to disk
4. Change LABEL to Backup Container NN in autorun.ini
5. Hide autorun.* files

Create encrypted file container

1. Start VeraCrypt in elevated mode (at the end of formatting an NTFS disk, elevation will be needed and if the elevation prompt times out, formatting fails)
2. Click Button Create Volume
3. Choose Create an encrypted file container
4. Click Button Next
5. Choose Standard VeraCrypt volume
6. Click Button Next
7. Choose Volume Location on the external disk (e.g. E:\my-backup-name.vc)
8. Click Button Next
9. Leave Encryption Options as they are
10. Click Button Next
11. Choose Volume Size to hold the future backup (rule of thumb: current disk usage + ~25% potential growth space)
12. Click Button Next
13. Leave Password empty
14. Check Use keyfiles
15. Click Button Keyfiles...
    1. [Optional] If you don't have a keyfile yet, generate a new keyfile by clicking Button Generate Random Keyfile... and following the procedure in that dialog
16. Click Button Add Files...
17. Browse for Keyfile -IMPORTANT- Please backup this keyfile separately somewhere else! If this key is lost, the encrypted backup will be lost too! See chapter Backup Keyfile.
18. Click Button OK
19. Click Button Next
20. Choose Volume Format NTFS and collect some randomness
21. Click Button Format
22. Wait for the formatting to finish, this may take quite some time...
23. Click Button OK in the success message dialog
24. Click Button Exit to exit the wizard

Setup encrypted file container

1. Mount the encrypted file container
2. In Disk Properties:
   1. Set the disk name to be Backup Disk
   2. Uncheck disk indexing
   3. Add Group Everyone with permission Full control and remove any other groups or users (recursively)
3. Copy directory contents of assets/encrypted-disk/* to disk
4. Hide autorun.* files

Backup Keyfile

-IMPORTANT- Please backup this keyfile separately somewhere else! If this key is lost, the encrypted backup will be lost too! See chapter Backup Keyfile.

The backups are inside an encrypted file container to secure the transport of the external disk and to allow for multiple backups of different persons on one external disk, with everyone reading only their own data.

To backup the keyfile, the key file is put in a 7-Zip archive which is then AES-256 encrypted and protected with a password. That protected key is placed on another machine than the backup machine.

For recovery purposes you will need the external disk and the password protected backup of the keyfile.

1. Create a sha256sum file from the keyfile:
   1. Open bash
   2. Change to directory of keyfile (e.g. cd ~/.backstage)
   3. Create file (e.g. sha256sum 8d0b-fedbb02e8e70.key > 8d0b-fedbb02e8e70.key.sha256sum)
2. Create encrypted, password protected archive
   1. Open 7-Zip
   2. Change to directory of keyfile (e.g. ~/.backstage)
   3. Select key file and checksum file (e.g. 8d0b-fedbb02e8e70.key and 8d0b-fedbb02e8e70.key.sha256sum)
   4. Click Button Add
   5. Choose Archive name (e.g. 8d0b-fedbb02e8e70.7z)
   6. Ensure Archive format 7z
   7. In Encryption group
      1. Enter password to protect your key with
      2. Choose Encryption method AES-256
      3. Check Encrypt file names
   8. Click button OK
3. Put the encrypted, password protected archive to a location which is not the backed-up-disk and not the external disk (e.g. on your NAS or on another local machine)