This repository contains a collection of scripts made to speed up the configuration process for automating encrypted backups.
You should have already installed:
- duplicity (0.7.14+)
- pydrive (needed to use Google Drive as the hosting for the backups)
You can use pip to install both; if you run into errors, try manually updating dependencies such as google-auth and oauth2client first.
GPG key creation
- Create and generate on your PC a new GPG key (making it non-expiring is recommended):
- Export both the private and the public key:
gpg --armor --export email@example.com > publickey.pub
gpg --armor --export-secret-key user@example > privatekey
- Encrypt the private key with a symmetric cipher (and save the password):
gpg --output privatekey.gpg --symmetric privatekey
- Put the encrypted privatekey and the publickey on the server with scp and import the publickey:
gpg --import publickey.pub
- Edit the imported key to trust it:
gpg --edit-key firstname.lastname@example.org trust
Google API Credentials
- Log in to your account and access https://console.developers.google.com
- Click on "Create Project"; once it's created, click on the project and then on "APIs & auth" in the sidebar.
- Go to "Drive API" in the section called "Google Apps APIs" and click on "Enable API".
- Once enabled, go to "Credentials" (located in the sidebar) and click on "Add Credentials".
- Select "OAuth Client ID", then "Other" and then "Create".
- Obtain your "Client ID" and "Client Secret" and save them for later.
- Google requires an additional link-based verification: since the default backup script sends the stdin and stderr to a log file and you need to input a code, you first need to execute duplicity "manually".
To do this you can use a premade status function in the env file:
source env_to_set; duplicity_test_run; unsource env_to_set.
Copy and paste the link from the terminal, then paste the verification string back into it.
- SSH into the server and clone the repository (inside /root):
git clone https://gitlab.com/unitoo/duplicity-automated-backups.git duplicity
- Copy the conf_example\credentials file and put it into the
- Edit the client_secret entries with the credentials obtained in the previous step
- Copy the
duplicity/ and edit it according to the comments
- Copy and edit the conf_example\whitelist file and add the files/directories you want to include in the backup
- Move the previously exported public and private keys inside the
- Add some crontab entries to execute, for example, the backup-inc script daily and the
crontab -e
# m h dom mon dow command
0 2 * * * /root/duplicity/backup-inc
0 0 1 * * /root/duplicity/backup-full
The restore script, if executed, will perform a full backup inside a newly created backup-dir directory. The private key must already be imported, and the user will be prompted for its password.
A symmetrically encrypted copy of the private key should be inside the server's duplicity/keys directory; if the restore is being done outside the server you will need the credentials file and the env_to_set file as well as the private key.
Partial file recovery can be done using the --file-to-restore Duplicity option; further documentation can be found online or in its man page.
- Google Drive isn't the only possible location for your backups: other services such as Dropbox and Mega can be used and further documentation about Duplicity can be found online/on its man page.
- The archive dir (which is by default /root/.cache/duplicity/backup) must be kept in sync with the remote one to let the process work without a private key. If its content gets deleted, Duplicity will need the private key (which is not left unencrypted/imported on the server for security reasons) to decrypt the remote contents, so it will fail and send an alert email. This can be fixed by temporarily importing the private key and manually executing the script to let Duplicity sync the metadata.
- The env_to_set file can be useful if sourced to let other scripts use the variables and the functions inside it.
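
The note about the archive dir relies on the private key never being left unencrypted or imported on the server. The script below checks that property; it is an added example, not part of the repository. The script name check_keys.sh, the finding labels, the KEYS_DIR variable and the /root/duplicity/keys default (derived from the clone path and the keys directory mentioned above) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the repository.
# Assumption: keys are kept in /root/duplicity/keys (override with KEYS_DIR).

# Succeeds if the colon-format listing on stdin has a secret-key ("sec") record.
# Feed it the output of: gpg --list-secret-keys --with-colons
has_secret_key() {
    grep -q '^sec:'
}

# Prints one finding per line for the files in DIR; returns 1 if any was found.
audit_keys_dir() {
    dir=$1
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # An armored secret-key export carries this header. The binary output
        # of "gpg --symmetric" (used in the README) does not.
        if grep -qF -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$f"; then
            echo "PLAINTEXT_PRIVATE_KEY $f"
            findings=$((findings + 1))
        fi
        # Public keys may be world-readable; skip the permission check for them.
        case "$f" in *.pub) continue ;; esac
        # Anything else in this directory should be owner-only.
        if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
            echo "LOOSE_PERMISSIONS $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run on the server as the backup user: sh check_keys.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_keys_dir "${KEYS_DIR:-/root/duplicity/keys}"
    if gpg --list-secret-keys --with-colons 2>/dev/null | has_secret_key; then
        echo "SECRET_KEY_IMPORTED in this user's keyring"
    fi
fi
```

A SECRET_KEY_IMPORTED finding is expected only while a restore or a metadata resync is in progress; at any other time it means the key was not removed afterwards.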