Using Duplicity to Back up Your Data

Duplicity is a popular tool that takes backup security one step further: the data that is backed up is encrypted with GPG. Duplicity works by creating an encrypted zip file of your incremental backup data and then uploading the zip file to your server. You might want to consider using Duplicity when:

  • You back up sensitive data (credit card data, SSNs, health records, etc.)
  • You back up multiple sites to one account -- and you need to secure each site's data

Installing Duplicity

Installation of Duplicity is a snap; but you'll also want to make sure that you have GPG installed as well. To check if both GPG and Duplicity are installed, open up a terminal and enter the following commands:

whereis gpg
whereis duplicity

  • If you see a path returned with both commands, you are good to go!
  • If either one does not return a path, you'll need to do some installation

Installing GPG

Installing GPG may be as simple as using your package management system. Depending on your flavor of *nix, enter one of the following into a terminal:

Ubuntu
sudo apt-get install gpg
CentOS / Fedora / RHEL
sudo yum install gpg
OpenSuSE / SLES
sudo zypper install gpg
Other Flavors of *nix
The GPG download and how-to pages have the instructions and the source ready for you to download and compile. Once downloaded, compilation and installation follow the typical GNU Automake flow:
./configure
make
sudo make install
@#?! It Doesn't Work!
Nobody was born knowing how to fly a plane, yet we still have pilots. Just send us an email — we're here to help: support@evbackup.com

Installing Duplicity

Installing Duplicity may be as simple as using your package management system. Depending on your flavor of *nix, enter one of the following into a terminal:

Ubuntu
sudo apt-get install duplicity
CentOS / Fedora / RHEL
sudo yum install duplicity
OpenSuSE / SLES
sudo zypper install duplicity
Other Flavors of *nix
The Duplicity download page has the source ready for you to download and compile. Once downloaded, compilation and installation follow the typical GNU Automake flow:
./configure
make
sudo make install

Creating an SSH Keypair with ssh-keygen

An SSH keypair allows duplicity to automatically connect without you having to manually enter a password.

Notes:
  • Each of the following commands is entered as a single line.
  • You'll want to run all of the commands here as the 'super-user' (using sudo), so that you have full access to all the files on your machine.
1. Create an SSH key pair with ssh-keygen
sudo ssh-keygen -f /backup/ssh_key -t rsa -N ''
Note the command ends with two single quote characters.

Why do I need an SSH keypair?

An SSH key pair allows you to securely log in to your backup server without entering a password each time.

2. Upload and activate the public key to your EVBackup account
sudo rsync -e ssh /backup/ssh_key.pub user@user.evbackup.com:ssh_keys/key1.pub
ssh user@user.evbackup.com addkeys
[Screenshot: Successful SSH key pair generation in Linux]

Notes about uploading:
  • Substitute user with your EVBackup account name.
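  • When you enter this command, you might see a message indicating that your computer doesn't recognize the server. This is SSH asking you to confirm the server's host key the first time you connect; enter yes when prompted and the key is saved, so you'll never be bothered again.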
  • You'll be asked to enter the password for your EVBackup account. Once the key is uploaded and activated, this won't be necessary again.
  • If Terminal simply returns (looking as though nothing has happened), then you have successfully uploaded your key!
3. Test that you can log in without a password
sudo ssh -i /backup/ssh_key user@user.evbackup.com

How do I know if it worked?

If you were successful, then something very similar to the following will appear in Terminal:

Last login: Thu Jul 15 16:16:44 2010 from c-28-26-13-101.
Copyright (c) 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

FreeBSD 6.4-STABLE (EXAVAULT) #1:
[your-account@quark ~]$

Creating a GPG key

The next step is to create your GPG key. The GPG key is different from your SSH key:

  • The GPG key is what encrypts your data.
  • The SSH key is what allows you to log into your server without a password.

Creating your GPG key is a snap. At a terminal, enter the following commands:

sudo gpg --gen-key

You will then be guided through a series of prompts that will help you create your key. Once the key is created, you should see a prompt like this:

gpg: key 687DC52E marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/687DC52E 2011-04-18
Key fingerprint = 34BF 1C05 B797 A11C 940D EB22 FB6F 3C43 687D C52E
uid Rich W < support@evbackup.com >
sub 2048R/74136395 2011-04-18

Write down the key number (687DC52E in the sample output above, the part after 2048R/ on the pub line); this is your public key ID. You'll be using it later when Duplicity encrypts your files.

Making the Initial Backup

To make your first backup with Duplicity, enter the following into a terminal (all on one line):

sudo duplicity full --ssh-options="-oIdentityFile=/backup/ssh_key" --encrypt-key [key id] [source] scp://user@user.evbackup.com/[destination]

Where:

  • [key id] is your GPG public key ID.
  • [source] is the path to the files you want to back up.
  • [destination] is the (optional) folder on the server that you want to put the encrypted backup files in.

For example, user bobsmith wants to back up his website folder and a MySQL database backup:

sudo duplicity full --ssh-options="-oIdentityFile=/backup/ssh_key" --encrypt-key ABC123XYZ  /var/www scp://bobsmith@bobsmith.evbackup.com/web
sudo mysqldump -u dbuser -h dbserver --password=dbpassword --databases db02 > /backup/db/db02.sql
sudo duplicity full --ssh-options="-oIdentityFile=/backup/ssh_key" --encrypt-key ABC123XYZ  /backup/db scp://bobsmith@bobsmith.evbackup.com/db

Verifying the Initial Backup

To verify the backup, you can use Duplicity's list-current-files argument:
(Note that the GPG key isn't required)

sudo duplicity --ssh-options="-oIdentityFile=/backup/ssh_key" list-current-files scp://user@user.evbackup.com/[destination]

Tip: The list-current-files argument is also useful if you would like to see exactly what was included in your last backup.

Scripting and Automating Duplicity Backups

Once you've created the initial backup, then the hard part is over. All that is required is to copy the Duplicity command into a script, change the full argument to incremental, and automate it with cron.

How do I create the script?

  1. Open your favorite text editor (Vi / Vim, Emacs, pico, nano, etc.)
  2. Enter the Duplicity command you used to make the full backup.
  3. Change the argument from full to incremental.
  4. Save the file in the /backups folder with a descriptive name.
  5. Make sure that the file is owned by root:
    sudo chown root:root /backups/[script-file-name].sh

Once you have your backup script created and saved, you need only to add a cron job to automate it. To automate a cron job for your script:

  1. At terminal, add a cron job for the superuser:

    sudo crontab -e

  2. Enter the daily schedule command for duplicity-script.sh

    For example, to run duplicity-script.sh every night at 11:42 PM, you would enter:

    42 23 * * * /backups/duplicity-script.sh

    What are the crontab fields?

    The fields in crontab (separated by spaces or tabs) are:

    [minute] [hour] [day of month] [month] [weekday] [command] [command args]
    Use commas to designate more than one value: 00,09,11,22
    Use hyphens to designate a range of values: 0-6

  3. Save your crontab file and close your text editor. You're all set!
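
One way to write the script so it is safe to run unattended as root (an added example, not EVBackup's own script; the key ID, source, destination and lock path are assumed sample values). It refuses to run if the script or the SSH private key is accessible to group or others, and it uses a lock directory so two nightly runs never overlap:

```shell
#!/bin/sh
# Added example for /backups/duplicity-script.sh; not EVBackup's own script.
# KEY_ID, SOURCE and DEST are assumed sample values: substitute your own.
set -eu
umask 077                                # files created by this run stay private

DUPLICITY=duplicity
SCRIPT=/backups/duplicity-script.sh
SSH_KEY=/backup/ssh_key
KEY_ID=687DC52E                          # public key ID printed by gpg --gen-key
SOURCE=/var/www
DEST=scp://user@user.evbackup.com/web
LOCK=/var/run/duplicity-backup.lock      # assumed lock location

# True only when group and others have no permission bits on the file,
# i.e. characters 5-10 of the ls mode string are all "-".
owner_only() {
    [ -e "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

run_backup() {
    for f in "$SCRIPT" "$SSH_KEY"; do
        owner_only "$f" || { echo "refusing to run: $f is missing or open to group/others" >&2; return 1; }
    done
    # mkdir is atomic: if the previous run is still going, exit instead of overlapping it.
    mkdir "$LOCK" 2>/dev/null || { echo "lock $LOCK exists: backup already running?" >&2; return 1; }
    status=0
    "$DUPLICITY" incremental --ssh-options="-oIdentityFile=$SSH_KEY" \
        --encrypt-key "$KEY_ID" "$SOURCE" "$DEST" || status=$?
    rmdir "$LOCK"
    return "$status"
}

# Start the backup only when installed under the name used in the crontab line;
# under any other name the file just defines the functions.
case "$0" in
    */duplicity-script.sh) run_backup ;;
esac
```

After the chown in step 5, set the mode with sudo chmod 700 /backups/duplicity-script.sh; the crontab line from step 2 stays unchanged.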

Should you have questions or need help: support@evbackup.com

Restoring Duplicity Backups

Restoring files backed up with duplicity is just like restoring files with rsync: Simply reverse the source and destination folders.

sudo duplicity --ssh-options="-oIdentityFile=/backup/ssh_key" scp://user@user.evbackup.com/[remote-folder] [local-folder]

You can also restore individual files with the --file-to-restore argument (all on one line):

sudo duplicity --ssh-options="-oIdentityFile=/backup/ssh_key" --file-to-restore [dir/file-to-restore] scp://user@user.evbackup.com/[remote-folder] [local-folder/restored-file]