i       /       gopher.someodd.zip      70
iSimpler Encrypted LTO Tape Archives    /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i  ___   _                  _                   /       gopher.someodd.zip      70
i / __| (_)  _ __    _ __  | |  ___   _ _       /       gopher.someodd.zip      70
i \__ \ | | | '  \  | '_ \ | | / -_) | '_|      /       gopher.someodd.zip      70
i |___/ |_| |_|_|_| | .__/ |_| \___| |_|        /       gopher.someodd.zip      70
i                   |_|                         /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i  ___                                   _              _       /       gopher.someodd.zip      70
i | __|  _ _    __   _ _   _  _   _ __  | |_   ___   __| |      /       gopher.someodd.zip      70
i | _|  | ' \  / _| | '_| | || | | '_ \ |  _| / -_) / _` |      /       gopher.someodd.zip      70
i |___| |_||_| \__| |_|    \_, | | .__/  \__| \___| \__,_|      /       gopher.someodd.zip      70
i                          |__/  |_|                            /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i  _      _____    ___          /       gopher.someodd.zip      70
i | |    |_   _|  / _ \         /       gopher.someodd.zip      70
i | |__    | |   | (_) |        /       gopher.someodd.zip      70
i |____|   |_|    \___/         /       gopher.someodd.zip      70
i                               /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i  _____                        /       gopher.someodd.zip      70
i |_   _|  __ _   _ __   ___    /       gopher.someodd.zip      70
i   | |   / _` | | '_ \ / -_)   /       gopher.someodd.zip      70
i   |_|   \__,_| | .__/ \___|   /       gopher.someodd.zip      70
i                |_|            /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i    _                _      _                          /       gopher.someodd.zip      70
i   /_\    _ _   __  | |_   (_) __ __  ___   ___        /       gopher.someodd.zip      70
i  / _ \  | '_| / _| | ' \  | | \ V / / -_) (_-<        /       gopher.someodd.zip      70
i /_/ \_\ |_|   \__| |_||_| |_|  \_/  \___| /__/        /       gopher.someodd.zip      70
i                                                       /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i╔─*──*──*──*──*──*──*──*──*──*──*──*──*──*──*──*─╗ /       gopher.someodd.zip      70
i║1   ........................................   1║ /       gopher.someodd.zip      70
i║2*  ........................................  *2║ /       gopher.someodd.zip      70
i║3   ........................................   3║ /       gopher.someodd.zip      70
i║1   ...........Posted: 2024-11-18...........   1║ /       gopher.someodd.zip      70
i║2*  Tags: sysadmin linux lto backup_archive   *2║ /       gopher.someodd.zip      70
i║3   ........................................   3║ /       gopher.someodd.zip      70
i║1   ........................................   1║ /       gopher.someodd.zip      70
i╚────────────────────────────────────────────────╝ /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iSimple setup for encrypted backups using LTO6 on Debian. I have an older, very /       gopher.someodd.zip      70
isimilar article:       /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
1Archiving with LTO & zpaq      /phlog/archive_lto_zpaq.gopher.txt      gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iI've found tapes are just best to write once and forget about it. Trying to do /       gopher.someodd.zip      70
iupdates over time is kind of a pain and I've found it unreliable in some ways. /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iI have an external LTO6 drive. /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i## Drive-based key encryption, if you want (I don't suggest)   /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iI actually have found this extremely unreliable and frustrating. I suggest just        /       gopher.someodd.zip      70
ihandling encryption yourself, not through the drive. I believe this is because /       gopher.someodd.zip      70
iof a bug[1] where, basically, you have to avoid `--details` at all costs or    /       gopher.someodd.zip      70
iit'll put the drive in a weird state. You can do streaming-based encryption with       /       gopher.someodd.zip      70
iGPG or something.      /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iInstall from here: https://github.com/scsitape/stenc (do NOT grab what's       /       gopher.someodd.zip      70
iavailable in Debian). Don't forget to `sudo make install`.     /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iGenerate key (max is 256 bits):        /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
isudo stenc -g 256 -k /etc/2024-11-lto5.key -kd "November 2024 LTO5 Tape Key"   /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iTurn on encryption (you may want to first power cycle [wait for indicators to be       /       gopher.someodd.zip      70
istable on lto bay] and then do this BEFORE you put in the cartridge):  /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
i % sudo stenc -f /dev/st0 -a 1 -e on -k /etc/tape-stenc-2025-05-11.key /       gopher.someodd.zip      70
iDecrypt mode not specified, using decrypt = on /       gopher.someodd.zip      70
iChanging encryption settings for device /dev/st0...    /       gopher.someodd.zip      70
iSuccess! See system logs for a key change audit log.   /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iAt this point I noticed the blue encryption indicator lit up on my LTO5 drive. /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i## Making the archive  /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iChoose between `zstd` (faster) and `xz` (better compression ratio), but both are       /       gopher.someodd.zip      70
ibuilt for streams, I think.    /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
isudo tar \     /       gopher.someodd.zip      70
i    --exclude=/home/baudrillard/.bitmonero \   /       gopher.someodd.zip      70
i    --exclude=/root/.bitmonero \       /       gopher.someodd.zip      70
i    --exclude=/nix \   /       gopher.someodd.zip      70
i    --exclude=/snap \  /       gopher.someodd.zip      70
i    --exclude=/var/cache \     /       gopher.someodd.zip      70
i    --exclude=/mnt \   /       gopher.someodd.zip      70
i    --exclude=/tmp \   /       gopher.someodd.zip      70
i    --exclude=/media \ /       gopher.someodd.zip      70
i    --exclude=/run \   /       gopher.someodd.zip      70
i    --exclude=/var/tmp \       /       gopher.someodd.zip      70
i    --exclude=/lost+found \    /       gopher.someodd.zip      70
i    --exclude=/sys \   /       gopher.someodd.zip      70
i    --exclude=/usr/share/ollama/.ollama/models/blobs \ /       gopher.someodd.zip      70
i    --exclude=/proc \  /       gopher.someodd.zip      70
i    --exclude=/dev \   /       gopher.someodd.zip      70
i    --totals --checkpoint=100 --checkpoint-action=dot \        /       gopher.someodd.zip      70
i    --use-compress-program="zstd" -cvf /dev/st0 /      /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iNote on the above: to actually be encrypted you may want to write to nst0, as  /       gopher.someodd.zip      70
iin this command, which uses PGP to encrypt instead of relying on the drive's   /       gopher.someodd.zip      70
ifirmware encryption (I like using PGP more [make sure the key light is off!]): /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
i# first the passphrase creation        /       gopher.someodd.zip      70
isudo sh -c 'umask 077; openssl rand -base64 48 > /etc/backup.passphrase'       /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i# now create the archive       /       gopher.someodd.zip      70
isudo sh -c '   /       gopher.someodd.zip      70
i  tar --totals \       /       gopher.someodd.zip      70
i      --checkpoint=100 \       /       gopher.someodd.zip      70
i      --checkpoint-action=dot \        /       gopher.someodd.zip      70
i      --use-compress-program="zstd" \  /       gopher.someodd.zip      70
i      -cvf - /media/root/BackupRAID \  /       gopher.someodd.zip      70
i  | gpg --symmetric --cipher-algo AES256 \     /       gopher.someodd.zip      70
i        --batch --yes \        /       gopher.someodd.zip      70
i        --pinentry-mode loopback \     /       gopher.someodd.zip      70
i        --passphrase-file /etc/backup.passphrase \     /       gopher.someodd.zip      70
i  | dd of=/dev/nst0 bs=1M status=progress      /       gopher.someodd.zip      70
i'      /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iThis is crazy fast. But if the blocking factor is large you'll run out of space        /       gopher.someodd.zip      70
iquickly. The solution is perhaps to place a single archive onto the tape.      /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i## Test archive, restore       /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iSee status:    /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
isudo stenc -f /dev/st0 /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iRewind and list contents:      /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
isudo mt -f /dev/nst0 rewind    /       gopher.someodd.zip      70
isudo tar -tvf /dev/nst0 --use-compress-program=zstd    /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i### if you used pgp (best imo) /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iRead test successful with:     /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
isudo mt -f /dev/nst0 rewind    /       gopher.someodd.zip      70
isudo dd if=/dev/nst0 bs=64k count=1 | file -   /       gopher.someodd.zip      70
i# Expect: "GPG symmetrically encrypted data"   /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iand... /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
isudo mt -f /dev/nst0 rewind    /       gopher.someodd.zip      70
i# gpg runs under sudo so it can read the root-only passphrase file     /       gopher.someodd.zip      70
isudo dd if=/dev/nst0 bs=1M \   /       gopher.someodd.zip      70
i| sudo gpg --decrypt --batch --yes \   /       gopher.someodd.zip      70
i      --pinentry-mode loopback \       /       gopher.someodd.zip      70
i      --passphrase-file /etc/backup.passphrase \       /       gopher.someodd.zip      70
i| tar --use-compress-program="zstd" -tvf -     /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iyou can confirm integrity this way:    /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
isudo mt -f /dev/nst0 rewind    /       gopher.someodd.zip      70
i# gpg runs under sudo so it can read the root-only passphrase file     /       gopher.someodd.zip      70
isudo dd if=/dev/nst0 bs=1M \   /       gopher.someodd.zip      70
i| sudo gpg --decrypt --batch --yes \   /       gopher.someodd.zip      70
i      --pinentry-mode loopback \       /       gopher.someodd.zip      70
i      --passphrase-file /etc/backup.passphrase \       /       gopher.someodd.zip      70
i| tar --use-compress-program="zstd" -tvf - > /dev/null /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
iextract...     /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
isudo mt -f /dev/nst0 rewind    /       gopher.someodd.zip      70
i# gpg runs under sudo so it can read the root-only passphrase file     /       gopher.someodd.zip      70
isudo dd if=/dev/nst0 bs=1M \   /       gopher.someodd.zip      70
i| sudo gpg --decrypt --batch --yes \   /       gopher.someodd.zip      70
i      --pinentry-mode loopback \       /       gopher.someodd.zip      70
i      --passphrase-file /etc/backup.passphrase \       /       gopher.someodd.zip      70
i| sudo tar --use-compress-program="zstd" -xvf -        /       gopher.someodd.zip      70
i```    /       gopher.someodd.zip      70
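i       /       gopher.someodd.zip      70
iAdded example (not from the original post): the checks above all need the      /       gopher.someodd.zip      70
ipassphrase, so this sketch records a SHA-256 of the ciphertext while it is     /       gopher.someodd.zip      70
iwritten and later re-checks the tape against it without decrypting. The        /       gopher.someodd.zip      70
ifunction names and the digest path are hypothetical, and a regular file stands /       gopher.someodd.zip      70
iin for /dev/nst0 in the demo.  /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
```sh
#!/bin/sh
# Added example, not the author's code. write_with_digest and
# verify_against_digest are hypothetical helper names.

# Copy stdin to DEST in 1M blocks and save the SHA-256 of the same bytes.
write_with_digest() {
    dest=$1 digest=$2 rc=0
    tmp=$(mktemp -d) || return 1
    mkfifo -m 600 "$tmp/stream"
    sha256sum < "$tmp/stream" > "$digest" &
    # iflag=fullblock makes dd collect full 1M blocks from the pipe
    tee "$tmp/stream" | dd of="$dest" bs=1M iflag=fullblock status=none || rc=$?
    wait
    rm -rf "$tmp"
    return "$rc"
}

# Re-read SRC and compare with the saved digest; no passphrase needed.
verify_against_digest() {
    src=$1 digest=$2
    want=$(cut -d' ' -f1 "$digest")
    got=$(dd if="$src" bs=1M status=none | sha256sum | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# On the real drive (as root) the page's pipeline would end with, e.g.:
#   ... | gpg --symmetric ... | write_with_digest /dev/nst0 /root/tape.sha256
#   mt -f /dev/nst0 rewind
#   verify_against_digest /dev/nst0 /root/tape.sha256   # path is hypothetical

# Demo with constructed data; a regular file stands in for the tape.
demo=$(mktemp -d)
printf 'constructed ciphertext stand-in\n' |
    write_with_digest "$demo/tape" "$demo/tape.sha256"
verify_against_digest "$demo/tape" "$demo/tape.sha256" && echo "digest matches"
rm -rf "$demo"
```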
i       /       gopher.someodd.zip      70
i## Tips        /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i* Tapes will like just writing one big file--so don't be afraid to just slap a /       gopher.someodd.zip      70
i  highly compressed archive onto there. It might be fun for me to show how to  /       gopher.someodd.zip      70
i  zpaq to tape, especially incrementally. Or using restic?     /       gopher.someodd.zip      70
i* Bigger block sizes and such for larger data  /       gopher.someodd.zip      70
i* If you have tape labels you can use a program on your phone like Orca Scan to        /       gopher.someodd.zip      70
i  keep a tape catalog  /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
i## Footnotes   /       gopher.someodd.zip      70
i       /       gopher.someodd.zip      70
h[1]: a bug: https://serverfault.com/questions/864580/what-could-cause-a-sense-error-when-setting-lto-encryption        URL:https://serverfault.com/questions/864580/what-could-cause-a-sense-error-when-setting-lto-encryption gopher.someodd.zip      70