Duplicity - secure incremental backup
Duplicity - Secure (gpg) Incremental (diff) Compressed Backup (tar)
About Duplicity Encrypted Backup
Duplicity is a stable Debian package used for Encrypted backup using rsync algorithm. The benefits of duplicity are as follows:
- Encryption using GPG
- Differential Backups - Takes an inital full-backup, and from then on - only the files which have changed, saving bandwith and high disk usage.
- Can be done over ftp or scp - Some backup servers only allow ftp on a shared server. As a result files need to be encrypted.
Install Duplicity Encrypted Backup
apt-get install duplicity
Duplicity does not run as a service, and has no default global configuration file. It is more a program/application rather than a service. Duplicity can be run completely from the command line to backup or restore files.
Simple unEncrypted Backup over SCP
Setup ssh keys on the backup server allowing root to seamlessly login to the backup server. Setting up ssh keys can be found here Sshkeys.
//Backup of a specific Folder: duplicity /home/me scp://email@example.com/some_dir //Restore specific Folder: duplicity scp://firstname.lastname@example.org/some_dir /home/me //or if you dont want to overwrite all files: duplicity scp://email@example.com/some_dir /var/tmp/me
Encrypted Backup over FTP
Generate a GPG key for encryption purposes. As the GPG key passphrase must be placed in a backup script - I did not use my personal gpg key - but generated a new one for backup purposes. Details on generating gpg keys are found here Gnupg.
To see available gpg keys:
When running Duplicity on the command line (with no config file) - both the FTP password, and the GPG passphrase need to be exported to the environment variables.
export FTP_PASSWORD=ftppass export PASSPHRASE=gpgpassphrase duplicity --encrypt-key "69111111" --sign-key "69111111" --include /etc --include /home --include /root --include /var --exclude /var/tmp --exclude '**' / ftp://username@backupserver/backupfoldername //Syntax = duplicity | gpg_encrypt_and_sign | --include files | --exclude files | MAIN_FOLDER_to_BACKUP | DESTINATION //Thus the above line includes what I want, excludes '**' and backups / (root directory).
If there are errors etc. you need to check whether the environment variables (ftp and gpp passwords) are set. Whether your gpg key exists and matches the id, e.g. 69111111.
If you recieve the error: Temporary error '450 No files found'. Trying to reconnect in 10 seconds. This is specific to the version of python been used. If the folder on the ftp server (e.g. /backupfoldername as above) is empty - it can cause a problem. The quick solution is to touch a file, or put a temp file into the folder.
I made the following script and called it via a nightly Crontab.
#!/bin/bash export FTP_PASSWORD=ftppass export PASSPHRASE=gpgpassphrase duplicity --encrypt-key "69111111" --sign-key "69111111" --include /etc --include /home --include /root --include /var --exclude /var/tmp --exclude '**' / ftp://username@backupserver/backupfoldername
Also - you will have to manually backup the gpg key used for backup. Otherwise if you loose the key, or if it dies with the server - your backups are encrypted and you loose. I simply tar'd up the .gnupg folder in /root/ on the server been backup'd.
Restore Encrypted Backup from FTP
On the server you want to restore the backup to:
gpg --list-keys //and make sure you have the key id 69111111. Otherwise it wont work! mkdir /var/tmp/backupfoldername export FTP_PASSWORD=ftppass export PASSPHRASE=gpgpassphrase duplicity --encrypt-key "69111111" --sign-key "69111111" ftp://username@backupserver/backupfoldername /var/tmp/backupfoldername
Thats all folks.
Restore a single old or deleted File from the Encrypted Backup
If you want to restore or recover a specific file from a Backup, and dont want to bother restoring the whole backup only to get 1 file, you can do the following:
duplicity --encrypt-key "" --sign-key "" --file-to-restore home/sburke/file.txt ftp://user@ftpserver/burkesys /var/tmp/file.txt
If the above file was deleted 1 day ago, and there was a backup since, you need to use the "-t 1D" option. E.g.:
duplicity --encrypt-key "" --sign-key "" -t 1D --file-to-restore home/sburke/file.txt ftp://user@ftpserver/burkesys /var/tmp/file.txt #the number of days can be set, e.g. -t #D
Restore a folder from the Encrypted Backup
Actually this is the same as above using the --file-to-restore switch!
duplicity --encrypt-key "" --sign-key "" --file-to-restore home/sburke/Maildir/cur ftp://user@ftpserver/burkesys /var/tmp/cur
List the Current Files in an Encrypted Backup
duplicity --encrypt-key "" --sign-key "" --list-current-files ftp://user@ftpserver/folderbackupname
Note the "-t 1D" did not seem to work with the above. This is quite annoying, as a search for the filename of the file that was deleted cannot be carried out. The user must know the exact file and exact path they are looking for. Otherwise the entire backup needs to be Decrypted, and the file picked out.
Backup and Restore Debian Packages
dpkg --get-selections > selections-$(date -I) dpkg --set-selections < selections-$(date -I)
More Information on Duplicity
man duplicity (must have it installed via apt-get!)
http://savannah.nongnu.org/bugs/?2441 -> details the 405 error message
Offsite Backup Restore
So I downloaded a full offsite backup and wanted to test recovering files with duplicity. I got a Debian LiveCD, apt-get installed duplicty, and copied over the .gnupg folder, I had stored locally.
So I used:
duplicity restore --encrypt-key "xxx" --sign-key "xxx" --time-separator='_' file:///media//servername /tmp/testrecover/
At first duplicity said "No backup signatures found". This didn't sound good, but uncle google led me to: https://bugs.launchpad.net/deja-dup/+bug/601243 which said to use "--time-separator='_'" Luckily this worked and all was sorted. The reason I used the LiveCD was that it had the same version of Duplicity it used.
As I also used a livecd (http://live.debian.net/) /tmp space for duplicity was limited. As a result, I added:
--tempdir /mnt/tmp #see http://duplicity.nongnu.org/duplicity.1.html
A couple of things on the way: I wanted to connect my external USB drive so I had somewhere to extract from with the LiveCD. I found: http://xjqian.wordpress.com/2007/11/11/readwrite-ntfs-in-debian/ which provided:
apt-get install ntfs-3g mount -t ntfs-3g /dev/hda1 /media/win -o umask=0,nls=utf8
I could now happily mount and write to my ntfs external drive. Unforunately I got some errors when extracting with duplicty. They were:
Invalid or incomplete multibyte or wide character
I think this was down to the ntfs drive I had. It was a file with a very long file name that caused the issue. Luckly I just worked around this folder with the following:
duplicity restore --encrypt-key "xxx" --sign-key "xxx" --time-separator='_' --file-to-restore home/username file:///media/servername /tmp/testrecover/