Duplicity \u2013 Create Encrypted Linux File System Backups<\/p>\n<\/div>\n Even today, when some cloud and hosting providers offer automated backups for VPS\u2019s at a relatively low cost, you will do well to create your own\u00a0backup strategy using your own tools<\/a>\u00a0in order to save some money and then perhaps use it to buy extra storage or get a bigger VPS.<\/p>\n Sounds interesting? In this article we will show you how to use a tool called\u00a0Duplicity<\/strong>\u00a0to backup and encrypt file and directories. In addition, using incremental backups for this task will help us to save space.<\/p>\n That said, let\u2019s get started.<\/p>\n To install duplicity in Fedora-based distros, you will have to enable the EPEL repository first (you can omit this step if you\u2019re using Fedora itself):<\/p>\n Then run,<\/p>\n For Debian and derivatives:<\/p>\n In theory, many methods for connecting to a file server are supported although only\u00a0ssh<\/a>\/scp<\/a>\/sftp<\/a>, local file access,\u00a0rsync<\/a>,\u00a0ftp<\/a>, HSI, WebDAV and Amazon S3 have been tested in practice so far.<\/p>\n Once the installation completes, we will exclusively use\u00a0sftp<\/strong>\u00a0in various scenarios, both to back up and to restore the data.<\/p>\n Our test environment consists of a\u00a0CentOS 7<\/strong>\u00a0box (to be backed up) and a\u00a0Debian 8<\/strong>\u00a0machine (backup server).<\/p>\n Let\u2019s begin by creating the\u00a0SSH keys in our CentOS<\/a>\u00a0box and transfer them to the\u00a0Debian<\/strong>\u00a0backup server.<\/p>\n The below commands assumes the\u00a0sshd<\/strong>\u00a0daemon is listening on port\u00a0XXXXX<\/strong>\u00a0in the Debian server. Replace\u00a0AAA.BBB.CCC.DDD<\/strong>\u00a0with the actual IP of the remote server.<\/p>\n Then you should make sure that you can connect to the backup server without using a password:<\/p>\n Create SSH Keys<\/p>\n<\/div>\n Now we need to create the\u00a0GPG<\/strong>\u00a0keys that will be used for\u00a0encryption and decryption<\/a>\u00a0of our data:<\/p>\n You will be prompted to enter:<\/p>\n Create GPG Keys<\/p>\n<\/div>\n To create the entropy needed for the creation of the keys, you can log on to the server via another terminal window and perform a few tasks or run some commands to generate entropy (otherwise you will have to wait for a long time for this part of the process to finish).<\/p>\n Once the keys have been generated, you can list them as follows:<\/p>\n List Generated GPG Keys<\/p>\n<\/div>\n The string highlighted in yellow above is known as the public key ID, and is a requested argument to encrypt your files.<\/p>\n To start simple, let\u2019s only backup the\u00a0\/var\/log<\/strong>\u00a0directory, with the exception of\u00a0\/var\/log\/anaconda<\/strong>\u00a0and\u00a0\/var\/log\/sa<\/strong>.<\/p>\n Since this is our first backup, it will be a full one. Subsequent runs will create incremental backups (unless we add the full option with no dashes right next to duplicity in the command below):<\/p>\n Make sure you don\u2019t miss the double slash in the above command!<\/strong>\u00a0They are used to indicate an absolute path to a directory named\u00a0\/backups\/centos7<\/strong>\u00a0in the backup box, and is where the backup files will be stored.<\/p>\n Replace\u00a0YourPassphraseHere<\/strong>,\u00a0YourPublicKeyIdHere<\/strong>\u00a0and\u00a0RemoteServer<\/strong>\u00a0with the passphrase you entered earlier, the GPG public key ID, and with the IP or hostname of the backup server, respectively.<\/p>\n Your output should be similar to the following image:<\/p>\n Create Backup using Duplicity<\/p>\n<\/div>\n The image above indicates that a total of\u00a086.3 MB<\/strong>\u00a0was backed up into a\u00a03.22 MB<\/strong>\u00a0in the destination. Let\u2019s switch to the backup server to check on our newly created backup:<\/p>\n Confirm Backup File<\/p>\n<\/div>\n A second run of the same command yields a much smaller backup size and time:<\/p>\n Compress Backup<\/p>\n<\/div>\n To successfully restore a file, a directory with its contents, or the whole backup, the destination must not exist (duplicity will not overwrite an existing file or directory). To clarify, let\u2019s delete the\u00a0cron<\/strong>\u00a0log in the CentOS box:<\/p>\n Delete Cron Logs<\/p>\n<\/div>\n The syntax to restore a single file from the remote server is:<\/p>\n where,<\/p>\n In our case, to restore the cron main log from the remote backup we need to run:<\/p>\n The cron log should be restored to the desired destination.<\/p>\n Likewise, feel free to delete a directory from\u00a0\/var\/log<\/strong>\u00a0and restore it using the backup:<\/p>\n In this example, the\u00a0mail<\/strong>\u00a0directory should be restored to its original location with all its contents.<\/p>\n At any time you can display the list of archived files with the following command:<\/p>\n Delete backups older than 6 months:<\/p>\n Restore\u00a0myfile<\/strong>\u00a0inside directory\u00a0gacanepa<\/strong>\u00a0as it was 2 days and 12 hours ago:<\/p>\n In the last command, we can see an example of the usage of the time interval (as specified by\u00a0-t<\/strong>): a series of pairs where each one consists of a number followed by one of the characters\u00a0s<\/strong>,\u00a0m<\/strong>,\u00a0h<\/strong>,\u00a0D<\/strong>,\u00a0W<\/strong>,\u00a0M<\/strong>, or\u00a0Y<\/strong>\u00a0(indicating seconds, minutes, hourse, days, weeks, months, or years respectively).<\/p>\n In this article we have explained how to use Duplicity, a backup utility that provides encryption for files and directories out of the box. I highly recommend you take a look at the\u00a0duplicity project\u2019s<\/a>\u00a0web site for further documentation and examples.<\/p>\n We\u2019ve provided man page of\u00a0duplicity in PDF format<\/a>\u00a0for your reading convenience, is also a complete reference guide.<\/p>\n Feel free to let us know if you have any questions or comments.<\/p>\n![\"Create](\"https:\/\/www.tecmint.com\/wp-content\/uploads\/2015\/09\/Create-Encrypted-Linux-File-System-Backups.png\")
<\/a><\/p>\nInstalling Duplicity<\/h3>\n
# yum update && yum install epel-release\r\n<\/pre>\n
# yum install duplicity\r\n<\/pre>\n
# aptitude update && aptitude install duplicity\r\n<\/pre>\n
Creating SSH keys to access remote servers and GPG keys for encryption<\/h3>\n
# ssh-keygen -t rsa\r\n# ssh-copy-id -p XXXXX root@AAA.BBB.CCC.DDD\r\n<\/pre>\n
<\/a><\/p>\n# gpg --gen-key\r\n<\/pre>\n
\n
<\/a><\/p>\n# gpg --list-keys\r\n<\/pre>\n
<\/a><\/p>\nCreating a backup with Duplicity<\/h3>\n
PASSPHRASE=\"YourPassphraseHere\" duplicity --encrypt-key YourPublicKeyIdHere --exclude \/var\/log\/anaconda --exclude \/var\/log\/sa \/var\/log scp:\/\/root@RemoteServer:XXXXX\/\/backups\/centos7\r\n<\/pre>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\nRestoring backups using Duplicity<\/h3>\n
# rm -f \/var\/log\/cron\r\n<\/pre>\n
<\/a><\/p>\n# PASSPHRASE=\"YourPassphraseHere\" duplicity --file-to-restore filename sftp:\/\/root@RemoteHost\/\/backups\/centos7 \/where\/to\/restore\/filename\r\n<\/pre>\n
\n
# PASSPHRASE=\"YourPassphraseHere\" duplicity --file-to-restore cron sftp:\/\/root@AAA.BBB.CCC.DDD:XXXXX\/\/backups\/centos7 \/var\/log\/cron\r\n<\/pre>\n
# rm -rf \/var\/log\/mail\r\n# PASSPHRASE=\"YourPassphraseHere\" duplicity --file-to-restore mail sftp:\/\/root@AAA.BBB.CCC.DDD:XXXXX\/\/backups\/centos7 \/var\/log\/mail\r\n<\/pre>\n
Other features of Duplicity<\/h3>\n
# duplicity list-current-files sftp:\/\/root@AAA.BBB.CCC.DDD:XXXXX\/\/backups\/centos7\r\n<\/pre>\n
# duplicity remove-older-than 6M sftp:\/\/root@AAA.BBB.CCC.DDD:XXXXX\/\/backups\/centos7\r\n<\/pre>\n
# duplicity -t 2D12h --file-to-restore gacanepa\/myfile sftp:\/\/root@AAA.BBB.CCC.DDD:XXXXX\/\/remotedir\/backups \/home\/gacanepa\/myfile\r\n<\/pre>\n
Summary<\/h3>\n