Backup and Recovery

Overview

Secrets backup follows a 4-tier defense-in-depth strategy that survives hardware failure, ransomware, and physical disasters.

Backup Architecture
Figure 1. Backup Architecture

The age master key is THE critical credential. Without it, ALL encrypted secrets are permanently unrecoverable. Maintain 3+ copies in different locations.

Backup Tiers

Tier              Storage                            Contents                                    Recovery Time
----------------  ---------------------------------  ------------------------------------------  -------------
Tier 1: HOT       Workstation SSD                    ~/.secrets/, ~/.ssh/, Git repos             Instant
Tier 2: WARM      NAS + Seagate SSDs                 Borg repository, infrastructure backups     Minutes
Tier 3: COLD      LUKS USB #1 (home) + #2 (offsite)  age key, SSH keys, GPG keys, LUKS headers   Hours
Tier 4: ARCHIVAL  Verbatim M-Disc (fireproof safe)   age key, LUKS headers, printed passphrases  Days

Critical Recovery Items

LUKS Headers

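LUKS headers are stored on the encrypted disk itself, and the header holds the key slots needed to unlock the volume. Header corruption = permanent data loss, even with the correct passphrase. Always back up the header before any disk operation.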

# Back up LUKS header (needs root to read the block device)
sudo cryptsetup luksHeaderBackup /dev/nvme0n1p2 \
    --header-backup-file luks-header-$(hostname)-$(date +%Y%m%d).img

# Store on LUKS USB and M-Disc (the backup file is created root-only)
sudo cp luks-header-*.img /mnt/backup/headers/

age Master Key

# Key location
~/.secrets/.metadata/keys/master.age.key

# Backup locations (all 3+ copies REQUIRED)
# 1. LUKS USB #1 (home safe)
# 2. LUKS USB #2 (offsite)
# 3. M-Disc (fireproof safe)
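
Added example, not part of the original page or its tooling: a check that every backup copy of the age master key is byte-identical to the workstation copy and that at least three such copies exist. The function names and the mount points other than /mnt/backup in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example: compare backup copies of the age master key against the
# reference copy by SHA-256 and enforce the "3+ copies" rule.
# Usage (mount points other than /mnt/backup are hypothetical):
#   verify_key_copies ~/.secrets/.metadata/keys/master.age.key \
#       /mnt/backup/keys/master.age.key /mnt/usb2/keys/master.age.key \
#       /mnt/mdisc/keys/master.age.key

MIN_COPIES=3   # number of backup copies the page requires

# Print the SHA-256 of a file; prints nothing if the file is unreadable.
key_hash() {
    sha256sum -- "$1" 2>/dev/null | cut -d' ' -f1
}

# verify_key_copies REFERENCE COPY...
# Prints one status line per copy. Returns 0 only if no copy is missing or
# different and at least MIN_COPIES copies match; returns 2 if the reference
# itself cannot be read. The body runs in a subshell so variables stay local.
verify_key_copies() (
    ref=$1; shift
    good=0; bad=0
    ref_hash=$(key_hash "$ref")
    if [ -z "$ref_hash" ]; then
        echo "FAIL reference key unreadable: $ref" >&2
        return 2
    fi
    for copy in "$@"; do
        copy_hash=$(key_hash "$copy")
        if [ -z "$copy_hash" ]; then
            echo "MISSING  $copy"; bad=$((bad + 1))
        elif [ "$copy_hash" != "$ref_hash" ]; then
            echo "MISMATCH $copy"; bad=$((bad + 1))
        else
            echo "OK       $copy"; good=$((good + 1))
        fi
    done
    echo "matching copies: $good (required: $MIN_COPIES)"
    [ "$bad" -eq 0 ] && [ "$good" -ge "$MIN_COPIES" ]
)
```

Only hashes are compared and printed, so the key material itself never reaches the terminal or a log.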

SSH Keys

# YubiKey resident keys - regenerate from hardware
ssh-keygen -K

# Software fallback key - backup to LUKS USB
~/.ssh/id_ed25519_fallback

Recovery Procedures

Quick Recovery (Tier 1)

# Already on workstation - just use dsec
dsource d000 dev/network

Lost Workstation (Tier 3)

# 1. Mount LUKS backup USB
sudo cryptsetup luksOpen /dev/sdX1 backup-usb
sudo mount /dev/mapper/backup-usb /mnt/backup

# 2. Restore age master key
mkdir -p ~/.secrets/.metadata/keys
cp /mnt/backup/keys/master.age.key ~/.secrets/.metadata/keys/
chmod 600 ~/.secrets/.metadata/keys/master.age.key

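# 3. Restore SSH keys (or regenerate from YubiKey)
mkdir -p ~/.ssh && chmod 700 ~/.ssh   # ~/.ssh does not exist on a fresh install
(cd ~/.ssh && ssh-keygen -K)  # From YubiKey (key files are written to the current directory)
# OR
cp /mnt/backup/keys/id_ed25519_fallback ~/.ssh/
chmod 600 ~/.ssh/id_ed25519_fallback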

# 4. Clone secrets repo
git clone git@github.com:EvanusModestus/domus-secrets.git ~/.secrets/vaults

# 5. Test recovery
dsource d000 dev/network
netapi ise mnt sessions

Corrupted LUKS Header

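# 1. Boot from Arch Linux ISO
# 2. Mount LUKS USB or M-Disc with header backup
sudo mkdir -p /mnt/backup
sudo cryptsetup luksOpen /dev/sdX1 backup-usb   # the LUKS USB must be unlocked before mounting
sudo mount /dev/mapper/backup-usb /mnt/backup   # or mount the optical drive instead

# 3. Restore header (replace HOSTNAME-YYYYMMDD with the name written by the backup command)
sudo cryptsetup luksHeaderRestore /dev/nvme0n1p2 \
    --header-backup-file /mnt/backup/headers/luks-header-HOSTNAME-YYYYMMDD.img

# 4. Unlock with passphrase and continue boot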

Complete Disaster (Tier 4)

# 1. Retrieve M-Disc from fireproof safe
# 2. Boot new hardware from Arch ISO
# 3. Mount optical drive
# 4. Restore age key and LUKS header
# 5. Rebuild from Git repositories

Backup Schedule

Frequency  Action                           Verification
---------  -------------------------------  --------------------------
Weekly     Borg to NAS + Seagate SSD sync   Check borg info output
Monthly    Sync to LUKS USB #1              Test decrypt of one secret
Quarterly  Rotate LUKS USB #2 offsite       Verify both USBs readable
Annually   Burn new M-Disc + recovery drill Full restore to VM

Comprehensive Documentation

For detailed procedures, see domus-infra-ops:

  • Recovery Architecture: domus-infra-ops:recovery/architecture.adoc

  • Credential Chain: domus-infra-ops:recovery/credential-chain.adoc

  • LUKS Header Backup: domus-infra-ops:recovery/luks-header-backup.adoc

  • M-Disc Archival: domus-infra-ops:recovery/mdisk-verbatim.adoc

  • Seagate SSD Workflow: domus-infra-ops:recovery/seagate-ssd-1.adoc

  • Disaster Recovery: domus-infra-ops:runbooks/disaster-recovery.adoc

  • Backup Strategy: domus-infra-ops:runbooks/backup-strategy.adoc