M-Disc Quick Backup (Verbatim Drive)

Quick runbook for M-Disc cold storage backup when Verbatim USB drive is connected.

1. Pre-Flight Checklist

  • Verbatim external USB DVD/BD drive connected

  • Blank M-Disc (DVD-R or BD-R) ready

  • age key accessible (~/.config/age/key.txt)

  • Sufficient disk space for staging (~25GB for full backup)

2. Phase 1: Connect Drive

2.1. 1.1 Connect USB Drive

Plug in Verbatim USB drive. Wait 5 seconds.

2.2. 1.2 Verify Detection

wodim --devices
Expected Output
wodim: Overview of accessible drives (1 found) :
-------------------------------------------------------------------------
 0  dev='/dev/sr0'      rwrw-- : 'ASUS' 'BW-16D1HT'
-------------------------------------------------------------------------

If no device found:

# Check USB connection
lsusb | grep -i verbatim

# Check block device
lsblk | grep sr

# Check kernel messages
dmesg | tail -20 | grep -i "sr0\|cdrom\|dvd"

3. Phase 2: Create Backup Archives

3.1. 2.1 Create Staging Directory

# Plaintext key archives are staged here: keep new files private to this user
umask 077
BACKUP_DATE=$(date +%Y%m%d)
STAGING=~/cold-storage-${BACKUP_DATE}
mkdir -p "${STAGING}"
cd "${STAGING}"

3.2. 2.2 Create P0-CRITICAL Archive (Keys Only)

tar -cvf p0-critical.tar \
    ~/.gnupg/ \
    ~/.ssh/id_* \
    ~/.config/age/ \
    ~/.secrets/.metadata/keys/ \
    ~/.password-store/ \
    ~/.local/share/gopass/stores/v3/

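# Encrypt with age (-e -i encrypts to the recipient derived from the identity file)
# This archive contains ~/.config/age/ itself, so decrypting it needs a copy of key.txt kept outside the archive
age -e -i ~/.config/age/key.txt -o P0-CRITICAL-${BACKUP_DATE}.tar.age p0-critical.tar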

# Verify
ls -lh P0-CRITICAL-${BACKUP_DATE}.tar.age

3.3. 2.3 Create Full Backup Archive

# Excludes: venv, node_modules, cache, temp
tar --exclude='node_modules' \
    --exclude='__pycache__' \
    --exclude='.venv' \
    --exclude='venv' \
    --exclude='.cache' \
    --exclude='oil' \
    --exclude='.Trash-*' \
    -cvf full-backup.tar \
    ~/.secrets \
    ~/.gnupg \
    ~/.password-store \
    ~/.local/share/gopass/stores/v3 \
    ~/.ssh \
    ~/.pki \
    ~/.config \
    ~/.ansible \
    ~/.claude \
    ~/.terraform.d \
    ~/.mozilla \
    ~/atelier \
    ~/Documents \
    ~/Pictures \
    ~/bin \
    ~/.zsh_history \
    ~/.bash_history

# Encrypt with age
age -e -i ~/.config/age/key.txt -o FULL-BACKUP-${BACKUP_DATE}.tar.age full-backup.tar

# Verify
ls -lh FULL-BACKUP-${BACKUP_DATE}.tar.age

4. Phase 3: Create Recovery Files

4.1. 3.1 Create Recovery Instructions

cat > RECOVERY-README.txt << 'EOF'
╔══════════════════════════════════════════════════════════════════════════════╗
║                     COLD STORAGE ARCHIVE - RECOVERY                          ║
╠══════════════════════════════════════════════════════════════════════════════╣
║                                                                              ║
║  CONTENTS:                                                                   ║
║  - P0-CRITICAL-*.tar.age   Keys and secrets (RESTORE FIRST)                 ║
║  - FULL-BACKUP-*.tar.age   Complete archive                                 ║
║                                                                              ║
║  DECRYPT:                                                                    ║
║    age -d -i ~/.config/age/key.txt FILE.age > FILE.tar                      ║
║    tar -xvf FILE.tar                                                         ║
║                                                                              ║
║  RESTORE ORDER:                                                              ║
║    1. Restore P0-CRITICAL first (you need keys to decrypt everything)       ║
║    2. Restore FULL-BACKUP                                                   ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
EOF

4.2. 3.2 Create Checksums

sha256sum *.tar.age > SHA256SUMS.txt
cat SHA256SUMS.txt
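
An added example, not part of the original runbook: a check to run on the staging directory before the ISO is built, confirming that every archive is really age-encrypted, is listed in SHA256SUMS.txt, and still matches its digest. It assumes GNU coreutils; the function name preburn_check is hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the runbook): gate the staging directory before
# building the ISO. The function name preburn_check is hypothetical.
# Usage: preburn_check "${STAGING}" && genisoimage ...
preburn_check() {
    local dir="$1"
    local sums="$dir/SHA256SUMS.txt"
    local f name rc=0
    [ -d "$dir" ]  || { echo "no such directory: $dir" >&2; return 2; }
    [ -f "$sums" ] || { echo "SHA256SUMS.txt missing in $dir" >&2; return 2; }

    for f in "$dir"/*.tar.age; do
        # An unmatched glob stays literal, so this catches "no archives".
        [ -e "$f" ] || { echo "no *.tar.age files in $dir" >&2; return 2; }
        name=${f##*/}

        # 1. A binary age file begins with this 21-byte header line. A
        #    plaintext tar that ended up with an .age name fails here.
        if [ "$(head -c 21 "$f" | tr -d '\0')" != "age-encryption.org/v1" ]; then
            echo "NOT age-encrypted: $name" >&2
            rc=1
        fi

        # 2. sha256sum -c only checks listed files, so an archive missing
        #    from the list would go onto the disc unverified. In sha256sum
        #    output the file name starts at column 67 (64 hex + 2 chars).
        if ! awk -v n="$name" 'substr($0, 67) == n { ok = 1 } END { exit !ok }' "$sums"; then
            echo "not listed in SHA256SUMS.txt: $name" >&2
            rc=1
        fi
    done

    # 3. Listed digests must match the files as they are right now.
    if ! (cd "$dir" && sha256sum --quiet -c SHA256SUMS.txt) >&2; then
        echo "checksum verification failed in $dir" >&2
        rc=1
    fi
    return "$rc"
}
```

Return code 0 means the directory is ready for genisoimage, 1 means at least one archive failed a check, and 2 means the directory or checksum file is missing.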

5. Phase 4: Burn to M-Disc

5.1. 4.1 Create ISO

genisoimage -V "BACKUP-$(date +%Y-%m-%d)" -J -r \
    -o COLD-STORAGE-${BACKUP_DATE}.iso \
    *.tar.age RECOVERY-README.txt SHA256SUMS.txt

5.2. 4.2 Insert Blank M-Disc

Insert blank M-Disc into Verbatim drive. Wait for system to recognize.

5.3. 4.3 Burn ISO

# Low speed for reliability
wodim -v dev=/dev/sr0 speed=4 COLD-STORAGE-${BACKUP_DATE}.iso

Wait for burn to complete. Do NOT interrupt.

6. Phase 5: Verify

6.1. 5.1 Eject and Re-insert

eject /dev/sr0

Wait 5 seconds. Re-insert disc.

6.2. 5.2 Mount and Verify Checksums

sudo mkdir -p /mnt/cdrom
sudo mount /dev/sr0 /mnt/cdrom

# Verify checksums - MUST match
cd /mnt/cdrom && sha256sum -c SHA256SUMS.txt

# List contents without extracting (while the disc is still mounted)
age -d -i ~/.config/age/key.txt /mnt/cdrom/P0-CRITICAL-*.tar.age | tar -tvf - | head -20

# Unmount
cd ~ && sudo umount /mnt/cdrom

7. Phase 6: Cleanup

7.1. 6.1 Shred Plaintext

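cd "${STAGING}"
# shred overwrites in place; on SSDs and journaling or copy-on-write filesystems the old blocks may survive
shred -vzn 3 p0-critical.tar full-backup.tar 2>/dev/null || true
rm -f p0-critical.tar full-backup.tar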

7.2. 6.2 Keep or Remove Staging

# Option A: Keep encrypted files for additional copies
ls -la "${STAGING}/"

# Option B: Remove everything
# rm -rf "${STAGING}"

7.3. 6.3 Eject Drive

eject /dev/sr0

8. Quick Reference

Task                Command
Check drive         wodim --devices
Create staging      mkdir ~/cold-storage-$(date +%Y%m%d)
Encrypt with age    age -e -i ~/.config/age/key.txt -o FILE.age FILE
Create ISO          genisoimage -V "LABEL" -J -r -o out.iso FILES
Burn                wodim -v dev=/dev/sr0 speed=4 FILE.iso
Verify checksums    cd /mnt/cdrom && sha256sum -c SHA256SUMS.txt
List encrypted tar  age -d -i KEY FILE.age | tar -tvf -

9. Troubleshooting

Issue                                  Solution
wodim: No such file or directory       Drive not detected. Check lsusb, reconnect USB
Cannot open SCSI driver                Run with sudo: sudo wodim -v dev=/dev/sr0 …
Checksum mismatch after burn           Bad burn. Use new disc, try speed=2
age: error: no recipients specified    Check age key path: ls ~/.config/age/key.txt