If you maintain mission-critical data on your server, you probably want to back them up on a remote site for disaster recovery. For any type of offsite backup, you need to consider encryption in order to avoid any unauthorized access to the backup. In addition, it is important to use incremental backup, as opposed to full backup, to save time, disk storage and bandwidth costs incurred in ongoing backup activities.
Duplicity is an encrypted incremental backup tool in Linux. Duplicity uses librsync to generate bandwidth/space-efficient incremental archives. It also uses GnuPG to encrypt and/or sign backup archives to prevent unauthorized data access and tampering.
In this tutorial, I will describe how to create a secure incremental offsite backup in Linux with Duplicity.
Install Duplicity on Linux
To install Duplicity on Debian, Ubuntu or Mint:
To install Duplicity on CentOS or RHEL, first enable EPEL repository, and run:
To install Duplicity on Fedora:
Create a Secure Incremental Remote Backup via SCP
To create a secure and incremental backup of a local folder (e.g., ~/Downloads), and transfer it to a remote SSH server via SCP, use the following command. Note that before proceeding, you must enable password-less SSH login to the remote SSH server first.
Local and Remote metadata are synchronized, no sync needed. Last full backup date: none GnuPG passphrase: Retype passphrase to confirm: No signatures found, switching to full backup. --------------[ Backup Statistics ]-------------- StartTime 1375918500.17 (Wed Aug 7 19:35:00 2013) EndTime 1375918539.07 (Wed Aug 7 19:35:39 2013) ElapsedTime 38.90 (38.90 seconds) SourceFiles 3 SourceFileSize 65982804 (62.9 MB) NewFiles 3 NewFileSize 65982804 (62.9 MB) DeletedFiles 0 ChangedFiles 0 ChangedFileSize 0 (0 bytes) ChangedDeltaSize 0 (0 bytes) DeltaEntries 3 RawDeltaSize 65978708 (62.9 MB) TotalDestinationSizeChange 66132356 (63.1 MB) Errors 0 -------------------------------------------------
When you create a remote backup of given data for the first time, Duplicity will create a full backup, and ask you to set an initial GnuPG passphrase for encryption. Subsequent runs of Duplicity will create incremental backups, and you need to provide the same GnuPG passphrase created during the first run.
Create a Secure Incremental Remote Backup in Non-interactive Mode
If you do not want to be prompted to enter a passphrase, you can set PASSPHRASE environment variable, prior to running Duplicity as follows.
If you do not want to pass a plain-text passphrase in the command-line, you can create the following backup script. To be more secure, make the script readable to you only.
export PASSPHRASE=yourpass duplicity ~/Downloads scp://user@remote_site.com//home/user/backup/ unset PASSPHRASE
Create an Incremental Remote Backup Without Encryption
If you do not need a secure backup, you can disable encryption as follows.
Verify the Integrity of a Remote Backup
For critical data, it is probably a good idea to verify that a remote backup was successful. You can check whether or not the local and remote volumes are in sync, by using the following command.
Local and Remote metadata are synchronized, no sync needed. Last full backup date: Wed Aug 7 19:34:52 2013 Verify complete: 8 files compared, 0 differences found.
Note that when using "verify" option, you need to reverse the order of local and remote folders; specify the remote folder first.
Restore a Remote Backup
In order to restore a remote backup locally, run the following commnad:
To successfully restore a remote backup, the specified restore destination directory (e.g., Downloads_restored) must not exist locally beforehand.
Create a Secure Incremental Remote Backup via FTP
Besides SCP, Duplicity also supports several other protocols including FTP.
To use FTP in Duplicity, use the following format:
For non-interactive runs, specify the FTP password in FTP_PASSWORD environment variable:
Duplicity Troubleshooting Tips
If you encounter the following error, this means that you did not install SSH2 protocol library for python.
BackendException: Could not initialize backend: No module named paramiko
To fix this error, install the following.
On Ubuntu, Debian or Mint:
On Fedora, CentOS or RHEL:
If you encounter the following error, it is because you did not set up password-less ssh login to a remote backup server. Make sure that you do, and retry.
BackendException: ssh connection to xxx@xxxx failed: No authentication methods available
Subscribe to Xmodulo
Do you want to receive Linux FAQs, detailed tutorials and tips published at Xmodulo? Enter your email address below, and we will deliver our Linux posts straight to your email box, for free. Delivery powered by Google Feedburner.