Hi,

I got really bored about backups, so I took a different approach. I like the official backup system because it works, it's easy to use and can restore everything; however, it sucks because it takes too much disk space.

Instead of fighting it, I made a simple script to replace the scrypt binary in dom0. The script just neuters the encryption, which allows us to pipe the backup file to a tool handling deduplication and encryption.

Here is the result of a qube backup done 3 times, with a qube restart between each:

> du -shc *
1,6G    qubes-backup-2024-04-12T112336
1,6G    qubes-backup-2024-04-12T112420
1,6G    qubes-backup-2024-04-12T112557
754M    restic-repository

The repository didn't grow after each backup 🙂

I'd be happy to receive feedback about it; I haven't tried it much yet.

Setup

In dom0, rename /usr/bin/scrypt to /usr/bin/scrypt.bak.

Create /usr/bin/scrypt with the following content, and make it executable:

#!/bin/sh

# $1 = enc / dec
# $2 = infile
# $3 = outfile

# remove parameter -f used when restoring
for arg do
    shift
    [ "$arg" = "-f" ] && continue
    set -- "$@" "$arg"
done

# stub prompt for backup
if [ "$1" = "enc" ]
then
    python3 -c "import sys; print(b'Please enter passphrase: '.decode(), end='', file=sys.stderr); sys.stderr.flush()"
    python3 -c "import sys; print(b'Please confirm passphrase: '.decode(), end='', file=sys.stderr); sys.stderr.flush()"
fi

# stub prompt for restore
if [ "$1" = "dec" ]
then
    python3 -c "import sys; print(b'Please enter passphrase: '.decode(), end='', file=sys.stderr); sys.stderr.flush()"
fi

# handle all combinations possible
# input = a file or stdin
# output = a file or stdout
if [ "$2" = "-" ]
then
    if [ -z "$3" ]
    then
        cat
    else
        cat > "$3"
    fi
else
    if [ -z "$3" ]
    then
        cat "$2"
    else
        cat "$2" > "$3"
    fi
fi

Usage

After this change, the backup tool won't encrypt the backup anymore. You can send it to a script that handles it in borg / restic / whatever you want; I explain the method in a blog post.

When making backups, just type anything in the password field; it's not used, but it is required for the GUI to be happy.

Make sure to disable compression in the Qubes backup settings: it doesn't help deduplication, and the deduplicating tool will handle compression anyway (and better than gzip).

Cons

You can't use regular backups with it; you would have to rename /usr/bin/scrypt.bak back to /usr/bin/scrypt to make them work again.

A dom0 update or upgrade may overwrite the scrypt binary.
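
Both points under Cons come down to not knowing which scrypt is currently installed, so here is a pre-flight check to run in dom0 before a backup. It is an added example, not part of the original post; the function names are hypothetical, and it assumes the real scrypt is an ELF executable while the stub is a "#!" script.

```shell
#!/bin/sh
# Added example (not from the original post): classify what currently sits
# at the scrypt path in dom0 before starting a backup.
# Assumption: the real scrypt is an ELF binary, the stub is a "#!" script.

# scrypt_state [PATH] -> prints one of: stub, real, missing, unknown
scrypt_state() {
    path="${1:-/usr/bin/scrypt}"
    [ -f "$path" ] || { echo missing; return 0; }
    # First four bytes as hex: 7f454c46 is the ELF magic, 2321 is "#!".
    magic=$(head -c 4 "$path" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo real ;;
        2321*)    echo stub ;;
        *)        echo unknown ;;
    esac
}

# check_backup_mode MODE [PATH]
#   MODE=dedup   : the caller pipes the backup to borg/restic, so the stub
#                  must be installed (plaintext passthrough expected).
#   MODE=regular : the caller relies on Qubes encryption, so the real
#                  binary must be installed.
# Returns 0 when the installed file matches the mode, 1 otherwise.
check_backup_mode() {
    mode="$1"
    state=$(scrypt_state "${2:-/usr/bin/scrypt}")
    case "$mode:$state" in
        dedup:stub|regular:real)
            return 0 ;;
        dedup:real)
            echo "scrypt is the real binary (overwritten by an update?):" \
                 "output would be encrypted and will not deduplicate" >&2 ;;
        regular:stub)
            echo "scrypt is the passthrough stub:" \
                 "this backup would be written UNENCRYPTED" >&2 ;;
        *)
            echo "scrypt state is '$state': refusing to continue" >&2 ;;
    esac
    return 1
}
```

Call `check_backup_mode dedup` at the top of the script that feeds borg or restic, and `check_backup_mode regular` before a normal encrypted backup, aborting when it returns non-zero.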