Dropping Dropbox Or How I Learned To Hate The Cloud

Well not entirely, but I’ve been switching backups and data away from Dropbox for a while, given what Edward Snowden said, and the fact that Condi ‘Spy on you’ Rice is now on the board. Problem with Dropbox is many-fold, like iCloud and others there isn’t any encryption, and you just have to trust that Apple, Google, Dropbox, Microsoft or others won’t rifle through your stuff.

This was demonstrated most dramatically with the hacked nude photos, 4chan as ever staying classy like with the nasty #gamergate. Allegedly some of the photos had been deleted, but had been restored by analysing the disk space for the files, an act that would be nigh-on impossible if the data was encrypted. Hacking is still an issue with any online service, but if you’re not transmitting passwords nor making it easy for disgruntled employees or NSA to go through your stuff, that’s a big plus.

Hence wanting to switch to SpiderOak, who encrypt their storage space and don’t have keys to it, for some of my backups. But big problem: not many apps or plugins support it, especially not the BackWPup WordPress plugin which I use.

I worked out how though. Be warned, this is pretty geeky and meant for those who have Virtual Private Servers (VPSes) and root/shell access to their system – if you don’t know what that means, then I can’t help you. Also I’m on Ubuntu; I don’t think any of this differs on other Linux flavours, but it might be good to keep that in mind.

Also I suspect any backup plugin or script which can backup to a folder on your server – which is any of them I bet – could be used, not just BackWPUp.

How to use SpiderOak with BackWPUp on a VPS (I am assuming you already have an account, if not sign up with my referral link and we’ll both get an extra 1Gb)

  1. Make a folder in the root of your WordPress install, or any subdirectory inside that directory. Chmod the directory with 770 permissions so it’s not public – 700 kicks up an error, and so does the standard 750 so I guess group write is needed?  Name the folder something not easily guessable just in case. Also you might want to disable directory listing if you haven’t already, it’s a good security measure.
  2. Go to your job in BackWPup and unclick Dropbox and then set it to backup to your new folder. I put in the full path, so /var/www/…
  3. Install SpiderOak --headless with dpkg or repository (on Ubuntu you have to manually download the .deb file and install it, as it’s not in the standard repositories; you can do that with wget). This is relatively painless.
  4. 'SpiderOak --setup=-' to link your server to your account
  5. '/sbin/start-stop-daemon -b -x /usr/bin/SpiderOak -S -- --headless' is the phrase that pays – for startup of SpiderOak in terminal. Took me hours to find that. SpiderOak has REALLY crap documentation, but the inline --help is good. The OSX client sucks arse too, actually…but you don’t need that many bells and whistles for backups.
  6. Don’t forget to add that line to your cron for when you reboot, I have it as a @reboot statement as detailed here.
  7. 'SpiderOak --include-dir=' the folder you created – this needs to be the full path, so /var/www/… etc.
  8. Run your BackWPUp job, and look to see if it appears in your client. Look in Devices – should be one with the name you gave it during the setup.
  9. Profit. Well maybe not, but be happy that Dropbox can’t spy on your shit.

If there are any problems, I’ve found they are usually to do with ownership of files, and/or permissions. Check that the user you are running your webserver in has permissions to write to your directory – a good way to do this is to try and save a Permalink in Settings, as WordPress needs to write to .htaccess (or equivalent?) to do that. If there is an error one solution is to have a special ‘web’ group ownership on your web directories, or change the user to be the correct one, with 644 permission for files and 750 for directories. It’s too involved to detail here but search on making chown and chmod changes recursively, there are useful find statements that change permissions according to types of file. Try and avoid setting anything to 777 – it’s really dangerous, but you might need to do that for a few seconds to test something. Always change it back, though.
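The find statements mentioned above, as an added example that is not from the original post: it applies the 750/644 modes by file type, keeps 770 on the backup folder from step 1, and lists anything left world-writable after a 777 test. The function names and the optional backup-folder argument are hypothetical.

```shell
#!/bin/sh
# Added example, not the author's script. Function names are hypothetical.

# fix_web_perms ROOT [BACKUP_DIR]
# Directories get 750, regular files get 644. find does not follow
# symlinks by default, so links pointing outside ROOT are left untouched.
fix_web_perms() {
    root=$1 backup=${2:-}
    find "$root" -type d -exec chmod 750 {} + || return 1
    find "$root" -type f -exec chmod 644 {} + || return 1
    # Step 1 of the post: the backup folder needs group write (770).
    [ -z "$backup" ] || chmod 770 "$backup"
}

# world_writable ROOT
# Prints every file or directory whose "other" write bit is set,
# e.g. something left at 777 or 666 after a quick test.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}
```

Run world_writable from cron or after any debugging session; empty output means nothing under the web root is writable by every user on the box.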

Also SpiderOak sometimes doesn’t start immediately, or complains it’s already running, so 'sudo killall SpiderOak' and restart the server (#5 above). Also you might want to test it using SpiderOak --batchmode – that just runs once. If any of the terminal commands error, try adding sudo, could be a permission issue.

If for whatever reason you have to stay with Dropbox (your account is paid for until the end of the world, work insists, the apps or scripts you use only work with it, etc) or you are super paranoid then there is a partial solution – encrypt your backups.

You can do this with OpenSSL – yeah I know Heartbleed but you updated your server/bash right? If not, go do that now since it’s so wide open some zombies with ebola have probably wandered in while you were reading this.

Okay back? Well this works with scripts, not BackWPUp at the moment (I have asked them to add encryption and/or SpiderOak support, but obviously some NSA embedded gook has stalled them since it’s 2 months later and no answer) but you can encrypt ANY file with OpenSSL. It’s detailed better over here but if the site goes down here are the basics:

Encrypt a file:
openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc

Decrypt a file:
openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt

Now I personally don’t like making it easy for hackers and spooks, so I don’t have files with .enc on the end, just have them look like normal files. But if you’re the sort that might forget, well you can do that.  Choose a long password though, it doesn’t have to be all the fancy characters or complete gibberish, just not be a single word you’d find in the dictionary. Remember XKCD, it’s all about the length, yes I’m a password size queen!

Now here’s the science – you can pipe that after a tar command using dd, so:

tar -cvpzf - yourdirectory | openssl enc -aes-256-cbc -salt -k password | dd of=yourencryptedfile

And likewise, rather than two steps, you can do a one line decompress and decrypt:

dd if=yourencryptedfile | openssl aes-256-cbc -d -k password | tar xvpzf - -C youroutputdirectory
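A variant of the two one-liners above, as an added example that is not from the original post: `-k password` shows up in `ps` output and shell history, and without `-pbkdf2` openssl derives the key with a single hash round, so this version reads the passphrase from a file, uses PBKDF2, and only keeps the backup once it decrypts and lists cleanly. It assumes OpenSSL 1.1.1 or newer; the function names, the `.partial` suffix and the iteration count are hypothetical choices.

```shell
#!/bin/sh
# Added example, not the author's script. Function names and paths are
# hypothetical; assumes OpenSSL 1.1.1 or newer for -pbkdf2.

# encrypt_backup SRC_DIR OUT_FILE PASSFILE
# The passphrase is the first line of PASSFILE (chmod 600 it), so it never
# appears on a command line.
encrypt_backup() {
    src=$1 out=$2 passfile=$3
    (
        umask 077   # ciphertext is created readable by the owner only
        tar -cpzf - -C "$src" . |
            openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
                -pass "file:$passfile" -out "$out.partial"
    ) || { rm -f "$out.partial"; return 1; }
    # Publish the file only once it decrypts and lists cleanly.
    if verify_backup "$out.partial" "$passfile"; then
        mv "$out.partial" "$out"
    else
        rm -f "$out.partial"
        return 1
    fi
}

# verify_backup FILE PASSFILE
# Succeeds only if FILE decrypts with PASSFILE into a readable tar.gz.
verify_backup() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$2" -in "$1" 2>/dev/null | tar -tzf - >/dev/null 2>&1
}

# restore_backup FILE PASSFILE DEST_DIR
restore_backup() {
    mkdir -p "$3" &&
        openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
            -pass "file:$2" -in "$1" | tar -xpzf - -C "$3"
}
```

The same `-pbkdf2 -iter` values must be given when decrypting, so record them alongside the passphrase.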

If you liked these tips, and want to sign up with SpiderOak, sign up with my referral link and we’ll both get an extra 1Gb space. No they aren’t paying me…
