Simpler Encrypted LTO Tape Archives
Posted: 2024-11-18
Tags: sysadmin linux lto backup_archive
Simple setup for encrypted backups using LTO6 on Debian. I have an older, very
similar article:
(DIR) Archiving with LTO & zpaq
I've found tapes are just best to write once and forget about it. Trying to do
updates over time is kind of a pain and I've found it unreliable in some ways.
I have an external LTO6 drive.
## Drive-based key encryption, if you want (I don't suggest)
I actually have found this extremely unreliable and frustrating. I suggest just
handling encryption yourself, not through the drive. I believe this is because
of a bug[1] where, basically, you have to avoid `--details` at all costs or
it'll put the drive in a weird state. You can do streaming-based encryption with
GPG or something.
Install from here: https://github.com/scsitape/stenc (do NOT grab what's
available in Debian). Don't forget to `sudo make install`.
Generate key (max is 256 bits):
```
sudo stenc -g 256 -k /etc/2024-11-lto5.key -kd "November 2024 LTO5 Tape Key"
```
Turn on encryption (you may want to power cycle first [wait for the indicators
on the LTO bay to be stable] and then do this BEFORE you put in the cartridge):
```
% sudo stenc -f /dev/st0 -a 1 -e on -k /etc/tape-stenc-2025-05-11.key
Decrypt mode not specified, using decrypt = on
Changing encryption settings for device /dev/st0...
Success! See system logs for a key change audit log.
```
At this point I noticed the blue encryption indicator lit up on my LTO5 drive.
## Making the archive
Choose between `zstd` (faster) and `xz` (better compression ratio), but both are
built for streams, I think.
```
sudo tar \
--exclude=/home/baudrillard/.bitmonero \
--exclude=/root/.bitmonero \
--exclude=/nix \
--exclude=/snap \
--exclude=/var/cache \
--exclude=/mnt \
--exclude=/tmp \
--exclude=/media \
--exclude=/run \
--exclude=/var/tmp \
--exclude=/lost+found \
--exclude=/sys \
--exclude=/usr/share/ollama/.ollama/models/blobs \
--exclude=/proc \
--exclude=/dev \
--totals --checkpoint=100 --checkpoint-action=dot \
--use-compress-program="zstd" -cvf /dev/st0 /
```
Note for the above: to actually get an encrypted archive you may want to write
to `nst0` with a command like the following, which uses GPG to encrypt instead
of relying on the drive's firmware encryption (I prefer GPG; make sure the
drive's key light is off first!):
```
# first the passphrase creation
sudo sh -c 'umask 077; openssl rand -base64 48 > /etc/backup.passphrase'
# now create the archive
sudo sh -c '
tar --totals \
--checkpoint=100 \
--checkpoint-action=dot \
--use-compress-program="zstd" \
-cvf - /media/root/BackupRAID \
| gpg --symmetric --cipher-algo AES256 \
--batch --yes \
--pinentry-mode loopback \
--passphrase-file /etc/backup.passphrase \
| dd of=/dev/nst0 bs=1M status=progress
'
```
This is crazy fast. But if the blocking factor is large you'll run out of space
quickly. The solution is perhaps to place a single archive onto the tape.
## Test archive, restore
See status:
```
sudo stenc -f /dev/st0
```
Rewind and list contents:
```
sudo mt -f /dev/nst0 rewind
sudo tar -tvf /dev/nst0 --use-compress-program=zstd
```
### if you used pgp (best imo)
Read test successful with:
```
sudo mt -f /dev/nst0 rewind
sudo dd if=/dev/nst0 bs=64k count=1 | file -
# Expect: "GPG symmetrically encrypted data"
```
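A stricter version of the `file -` check above, added here as an example and not part of the post: it reads the first block of the tape and reports whether it starts with an OpenPGP symmetric-key packet (and which cipher was used), or with a zstd frame or a `ustar` header, which would mean the gpg stage was skipped and the tape holds plaintext. Packet layout follows RFC 4880; the script name and the sample bytes are constructed for this example.

```python
"""Classify the first block read from the tape (added example, not the post's
own tooling). Feed it the same bytes the post checks with `file -`:
    sudo mt -f /dev/nst0 rewind
    sudo dd if=/dev/nst0 bs=64k count=1 2>/dev/null | python3 tape_header.py
"""
import sys

ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"  # zstd frame: compressed but NOT encrypted
CIPHERS = {3: "CAST5", 7: "AES128", 8: "AES192", 9: "AES256"}  # RFC 4880 9.2


def openpgp_packet(blob: bytes):
    """Return (tag, body) of the first OpenPGP packet, or None if not one."""
    if not blob or not blob[0] & 0x80:
        return None
    b0 = blob[0]
    if b0 & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag, l0 = b0 & 0x3F, blob[1]
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224:
            start, length = 3, ((l0 - 192) << 8) + blob[2] + 192
        elif l0 == 255:
            start, length = 6, int.from_bytes(blob[2:6], "big")
        else:  # partial body length; gpg does not use it for this packet
            return None
    else:  # old-format header (RFC 4880 4.2.1), what gpg emits here
        tag, ltype = (b0 >> 2) & 0x0F, b0 & 0x03
        if ltype == 3:  # indeterminate length
            return None
        n = (1, 2, 4)[ltype]
        start, length = 1 + n, int.from_bytes(blob[1:1 + n], "big")
    return tag, blob[start:start + length]


def classify(blob: bytes) -> dict:
    """Report what the tape starts with: encrypted (and which cipher) or plaintext."""
    if blob.startswith(ZSTD_MAGIC):
        return {"kind": "zstd-unencrypted"}
    if len(blob) > 262 and blob[257:262] == b"ustar":
        return {"kind": "tar-unencrypted"}
    pkt = openpgp_packet(blob)
    if pkt and pkt[0] == 3 and len(pkt[1]) >= 2:  # tag 3 = Symmetric-Key Encrypted Session Key
        version, algo = pkt[1][0], pkt[1][1]
        return {"kind": "openpgp-symmetric", "version": version,
                "cipher": CIPHERS.get(algo, f"algo-{algo}")}
    return {"kind": "unknown"}


if __name__ == "__main__":
    print(classify(sys.stdin.buffer.read(64 * 1024)))
```

Anything other than `openpgp-symmetric` with `AES256` means the tape should not be trusted as encrypted, whatever the drive's key light says.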
and...
```
sudo mt -f /dev/nst0 rewind
sudo dd if=/dev/nst0 bs=1M \
| gpg --decrypt --batch --yes \
--pinentry-mode loopback \
--passphrase-file /etc/backup.passphrase \
| tar --use-compress-program="zstd" -tvf -
```
you can confirm integrity this way:
```
sudo mt -f /dev/nst0 rewind
sudo dd if=/dev/nst0 bs=1M \
| gpg --decrypt --batch --yes \
--pinentry-mode loopback \
--passphrase-file /etc/backup.passphrase \
| tar --use-compress-program="zstd" -tvf - > /dev/null
```
extract...
```
sudo mt -f /dev/nst0 rewind
sudo dd if=/dev/nst0 bs=1M \
| gpg --decrypt --batch --yes \
--pinentry-mode loopback \
--passphrase-file /etc/backup.passphrase \
| sudo tar --use-compress-program="zstd" -xvf -
```
## Tips
* Tapes like just writing one big file, so don't be afraid to just slap a
highly compressed archive onto there. It might be fun for me to show how to
zpaq to tape, especially incrementally. Or using restic?
* Bigger block sizes and such for larger data
* If you have tape labels you can use a program on your phone like Orca Scan to
keep a tape catalog
## Footnotes
(HTM) [1]: a bug: https://serverfault.com/questions/864580/what-could-cause-a-sense-error-when-setting-lto-encryption