Router Backup

The built in backup procedure is somewhat limited and has to be started manually from the webinterface. Goto Sytem - Backup / Flash Firmware

We d’like to have a daily fully automated backup, once a day. The compressed archive should be encrypted with the owners OpenPGP key and stored on a network attached storage system.


A network attached storage (NAS) device or other form of remote storage.

We assume you have already created a user profile called router and a directory /volume1/backup/router/ with writing permissions for him on a NAS called nas.lan.

Required Software

The backup script uses the following software packages:

  • gnupg - GNU Privacy Guard

  • gnupg-utils - Key management utilities.

  • gzip - compression utility

  • rsync - copy files to and from remote machines.

  • tar - utility to package a set of files in a archive file.

To install these, enter the following commands on your router:

router$ opkg install gnupg gnupg-utils gzip rsync tar

SSH Keys

To transfer the backups to our network attached storage, we need a user- profile for the router on that system along with SSH private and public keys.

Enter the following command on your router:

router$ cd /root
router$ mkdir -p .ssh
router$ dropbearkey -t rsa -f .ssh/id_rsa
router$ chmod 0700 /root/.ssh
router$ chmod 0600 /root/.ssh/id_rsa

The command will print out the public key and fingerprint when done.

Unlike OpenSSH, Dropbear will not create public key files along with your private keys.

Instead one can display the public key anytime with the following command:

$ dropbearkey -f .ssh/id_rsa -y

The following command sequence will copy the public key in the .ssh/ directory in the users home folder on the storage system, when used on your desktop:

desktop$ ssh router.lan 'dropbearkey -f .ssh/id_rsa -y' > /tmp/
desktop$ scp /tmp/ router@nas.lan/var/service/home/.ssh/
desktop$ ssh router@nas.lan 'cat ~/.ssh/ >> ~/.ssh/authorized_keys'

OpenPGP Keys

The router needs the public PGP key of its owner to encrypt the backup archives. The following commands, used on your router will store them in its public keyring:

router$ gpg --keyserver --search-keys 0x0123456789ABCDEF
router$ gpg --edit-key 0x0123456789ABCDEF
gpg> trust
  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
gpg> quit

What to Back Up

Gather information on the differences between a freshly installed or factory-reset OpenWRT system and your actual currently running system:

  • List of installed Packages

  • List of changed configuration files

  • Certificates and keys (SSH, TLS, OpenPGP)

By backing up the /etc/ and /root/ directories with the up-to- date list of installed packages we might be on the save side.

Backup Script

This is our router-backup script:

 3# OpenWRT router backup script
 6# Abort on any error
 7set -e
 9# List of directories and files to backup
10BACKUP_LIST='/etc /root'
12# Create a temporary directory to store backup archives
13LOCAL_DIR=$(mktemp -d)
14BACKUP_FILE="${HOSTNAME}-$(date +'%F_%H-%M-%S')"
16# OpenPGP key ID to encrypt backup files to.
19# Remote system to store backups
27RSYNC_RSH="ssh -p ${SSH_PORT} -i ${SSH_ID}"
31# List of all installed packages
32/bin/opkg list-installed > /root/opkg-installed.txt
34# List of 'user installed' packages
35awk '/^Package:/{PKG= $2} /^Status: .*user installed/{print PKG}' /usr/lib/opkg/status \
36    > /root/opkg-user-installed.txt
38# List of user changed configuration files
39/bin/opkg list-changed-conffiles > /root/opkg-conffiles.txt
41# Backup and compress
42/bin/tar --create --exclude-backups --auto-compress \
43    --file "${LOCAL_DIR}/${BACKUP_FILE}.tar.gz" \
44    "${BACKUP_LIST}"
46# Encrypt
47/usr/bin/gpg --batch --no-default-recipient --recipient "${PGP_ID}" \
48    --encrypt "${LOCAL_DIR}/${BACKUP_FILE}.tar.gz"
50# Transfer
51/usr/bin/rsync --archive --delete --rsh "${RSYNC_RSH}" \
52            --log-file "${LOGFILE}" \
53            --human-readable --stats --verbose \
54            "${source}" "${target}"
56#/usr/bin/scp -i ${SSH_ID} -p 6883 ${source} ${target}
58# Remove the temporary directory
59rm -rf "$LOCAL_DIR"

Cron Job

Setup a cron job on the router to run the backup script every night at 2 AM:

router$ EDITOR=$(which nano) crontab -e

Insert the line as follows:

1 # Send any output by mail to `'
3 #
4 #min hour mday month wday cmd
5 00   02   *    *     *    /root/
7 # crontab and fstab must end with the last line a space or comment

Use CTRL+X and Y to save and exit.

Restart cron to re-read its configuration:

router$ /etc/init.d/cron restart