Data Management

Organization

I organize my data into RPI data, VPS data, and personal data. My personal data includes a KeePassXC database with all of my credentials, along with other media like videos, art, and music. RPI and VPS data contain the files necessary to run the respective server.

Backup Procedure

The following script uses Rsync to retrieve a copy of my RPI and VPS data from my servers onto my desktop. Then it uses Borg Backup to deduplicate and encrypt the latest copy of my data and send it to Vultr Block Storage. Note that Vultr Block Storage is mounted at /mnt/data on the VPS, that I SSH to the RPI on port 22, and that I SSH to the VPS on port 2222.

# Pull a copy of my RPI and VPS data to my desktop
# $1 = SSH port of the server, $2 = local destination directory
pull() {
    rsync -rave "ssh -p $1" --delete --exclude-from exclude \
        "root@henryhoff.org:/" "$2"
}

# Push my desktop copy to a new encrypted archive on Vultr Block Storage
# $1 = local directory, also used as the repository name under /mnt/data
push() {
    REPO="ssh://borg@henryhoff.org:2222/mnt/data/${1}"
    NAME="$(date -I)"
    # Borg reads the repository passphrase from this environment variable
    export BORG_PASSPHRASE="$(cat key)"
    borg create -v --stats --progress --compression lz4 "${REPO}::${NAME}" "$1"
    borg prune --list --keep-daily 7 --keep-weekly 4 --keep-monthly 6 "$REPO"
}

pull 22 rpi
push rpi

pull 2222 vps
push vps

push personal
scp -P 2222 Passwords.kdbx borg@henryhoff.org:/mnt/data/

The following exclude file ignores temporary directories and caches so Rsync only copies necessary data.

/dev
/proc
/sys
/run
/tmp
/var/cache
/home/*/.cache
/var/log
/mnt

The key file is a plain text file containing the passphrase used to encrypt the remote backups. This system ensures that all of my data is available locally and remotely. To protect against my desktop being compromised, I could occasionally boot into a USB drive and back up my files to an offline drive.
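
One way to guard the key file described above before its contents are exported, as an added example that is not part of the original script: read_key (a hypothetical helper) refuses a key file that is a symlink, is owned by another user, is readable by group or others, or is empty. It assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added example, not from the original script. read_key is a hypothetical
# helper; assumes GNU stat (Linux). Prints the passphrase only if the key
# file passes every check, otherwise explains why on stderr and returns 1.
read_key() {
    keyfile=$1

    # A symlink could point the read at a file someone else controls.
    if [ -L "$keyfile" ]; then
        echo "read_key: $keyfile is a symlink" >&2
        return 1
    fi
    if [ ! -f "$keyfile" ] || [ ! -r "$keyfile" ]; then
        echo "read_key: $keyfile is not a readable regular file" >&2
        return 1
    fi

    # %u = owner uid, %a = permission bits in octal (GNU stat format codes).
    owner=$(stat -c %u "$keyfile") || return 1
    mode=$(stat -c %a "$keyfile") || return 1

    if [ "$owner" != "$(id -u)" ]; then
        echo "read_key: $keyfile is owned by uid $owner, not by you" >&2
        return 1
    fi
    # Any group/other bit (mask 077) means other local users can reach it.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "read_key: mode $mode is too open, run: chmod 600 $keyfile" >&2
        return 1
    fi

    passphrase=$(cat "$keyfile")
    if [ -z "$passphrase" ]; then
        echo "read_key: $keyfile is empty" >&2
        return 1
    fi
    printf '%s\n' "$passphrase"
}

# Intended use inside push(). Assign first, then export: with
# `export VAR="$(cmd)"` the exit status of cmd is discarded.
#   BORG_PASSPHRASE=$(read_key key) || exit 1
#   export BORG_PASSPHRASE
```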

Reproducible Desktop Configuration

I use a bare git repository separate from the working tree to manage my dotfiles. This way my configuration is reproducible on different computers or in the case of a data failure. Also, some configuration should be treated as code in terms of its complexity, like in the case of vim. The following alias makes it easier for me to interact with the dotfiles repository:

alias config='git --git-dir=$HOME/.config/dotfiles/ --work-tree=$HOME'

Possible Threats + Recovery

Data can be lost due to physical damage, attackers, or being locked out of my Vultr account.

Desktop + RPI data are lost

I sign in to my Vultr account with my master password and regain control of the VPS. Then I download my KeePassXC database from Vultr Block Storage and decrypt it with my master password. I download the rest of my data from Vultr Block Storage and decrypt it using passwords from KeePassXC. I reinstate my RPI using the backups I decrypted.

VPS + Block Storage data are lost

I lose RPI data backups but I still have the current RPI data. I reinstate the VPS using the copy on my computer. I initialize and use new encrypted backups on Vultr Block Storage.

RPI or VPS is compromised

Only the compromised server's data is exposed, because the Vultr Block Storage only has an encrypted copy of my data. I lose my backups but keep my desktop's copies of my data. The attacker has control of my domain, including the website and email server. The attacker has network access to the other server, so a vulnerability in Borg Backup, SSH, or WireGuard could cause my other server to be compromised. I shut down both servers, reinstate my RPI from a backup, and regenerate keys and certificates. I reinstate both servers from backups and initialize and use new encrypted backups on Vultr Block Storage. I notify everyone who could have been affected that my server had been compromised.

Desktop is compromised

All of my data is exposed except for my KeePassXC database, and the attacker has control of my servers. I disable my domain to reduce the chance of others being affected by social engineering attacks. I contact everyone who may be affected and rotate my credentials for my online accounts. I could have a backup on an offline drive, so I would restore my code and personal data.