#Backup #Linux #SSH

Backup with Duplicity

10 May 2025

Use SSH with GPG to send encrypted backups to your own server.

I recently bought a SATA disk to back up my notebook. It costs less than any cloud solution (less than $40 for 1 TB at 5400 RPM, which is best for backup), and you own your data.

Later, we can hide this server on the Tor network to get access 'from outside'.

Here I describe all the steps for doing that. Let's start.

Encrypt your disk

After plugging in the disk, encrypt it with cryptsetup. My disk is located at /dev/sdb.

cryptsetup luksFormat /dev/sdb
cryptsetup luksOpen /dev/sdb luks-backup

You are asked for a passphrase, and that is all for this step. Next we add a key file stored on the server. It is used to decrypt and mount the disk without entering multiple passwords (good if your system is already encrypted; otherwise skip this step).

dd bs=512 count=8 iflag=fullblock if=/dev/urandom of=luks-backup.key
cryptsetup luksAddKey /dev/sdb luks-backup.key

Format the disk

I recommend XFS instead of Ext4 here. You'll lose less data over time. Ext4 is only good on SSD...

Our disk is open at /dev/mapper/luks-backup.

mkfs.xfs /dev/mapper/luks-backup

Configure system to mount disk at boot time

We first need to protect luks-backup.key and move it under /root.

chmod 400 luks-backup.key
chown root:root luks-backup.key
mkdir /root/keys
mv luks-backup.key /root/keys/

Configure cryptsetup via /etc/crypttab: $EDITOR /etc/crypttab

backup-luks UUID=<value> /root/keys/luks-backup.key luks

And fstab: $EDITOR /etc/fstab

/dev/mapper/backup-luks /home/backup xfs defaults,nodev 0 2

Here we want to mount the disk on /home/backup, so we create that directory.

sudo mkdir /home/backup
sudo mount /home/backup
sudo useradd -s /bin/zsh backup
sudo passwd backup
sudo chown -R backup:backup /home/backup

If you reboot the server now, the system should mount the disk automatically.

Add Rsync

Still on the server, install the rsync package and configure it.

$EDITOR /etc/rsyncd.conf

use chroot = yes
max connections = 1
# uid and gid: default on system
uid = nobody
gid = nogroup

[backup]
comment = Encrypted backup
# add dot because chroot = yes
path = /home/backup/.backups
read only = no
list = yes

We use a dot in the path because use chroot = yes. Next, enable and start the rsync daemon.

systemctl enable rsyncd
systemctl start rsyncd

Generate keys for client

We need an SSH key and a GPG key for duplicity. Start with SSH.

ssh-keygen -t ed25519 -o -a 100 -f ~/.ssh/duplicity
chmod 600 ~/.ssh/duplicity

This creates a private and a public key: ~/.ssh/duplicity and ~/.ssh/duplicity.pub.

Send the public key to the server with ssh-copy-id.

ssh-copy-id -i ~/.ssh/duplicity backup@192.168.1.11

Test the connection

ssh -i ~/.ssh/duplicity backup@192.168.1.11
exit

Configure SSH so that you only have to type ssh backup@192.168.1.11: $EDITOR ~/.ssh/config

Host 192.168.1.11
  IdentitiesOnly yes
  IdentityFile ~/.ssh/duplicity

Next, GPG. I don't describe all the steps here; just create an RSA key (4096 bits) with no expiration.

gpg --gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)

Secure the server (a bit)

You can check my other post for this https://szorfein.vercel.app/post/secure-shell.

At a minimum, since we have configured a client key, you can disable password authentication, and since we have created a 'backup' user, you can disable root login over SSH.

$EDITOR /etc/ssh/sshd_config

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin no

Restart sshd on the server.

systemctl restart sshd
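
To check that these four settings are what sshd will actually read from the file, here is an added example (not part of the original post). It assumes a single sshd_config file; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# four settings above. sshd keeps the FIRST value it reads for a keyword,
# keywords are case-insensitive, and lines after "Match" apply conditionally.

# Print the first global (pre-Match) value of keyword $2 in file $1, lowercased.
sshd_global_value() {
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    { sub(/[=]/, " "); key = tolower($1) }  # accept "Keyword=value" as well
    key == "match" { exit }                 # stop at the first Match block
    key == want { print tolower($2); exit }
  ' "$1"
}

# Print one line per check; return the number of failed checks.
# An unset keyword counts as a failure so every setting is explicit.
audit_sshd() {
  fails=0
  for want in passwordauthentication=no challengeresponseauthentication=no \
              usepam=no permitrootlogin=no; do
    key=${want%%=*}; expected=${want#*=}
    actual=$(sshd_global_value "$1" "$key")
    if [ "$actual" = "$expected" ]; then
      echo "ok   $key $actual"
    else
      echo "FAIL $key is '${actual:-unset}', expected '$expected'"
      fails=$((fails + 1))
    fi
  done
  return "$fails"
}

# Constructed sample config (not from a real host) with two traps: a weak
# first PasswordAuthentication line, and PermitRootLogin set only under Match.
write_sample_config() {
  cat > "$1" <<'EOF'
UsePAM no
passwordauthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication=no
Match User backup
    PermitRootLogin no
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
audit_sshd "$cfg" || echo "$? check(s) failed"
rm -f "$cfg"
```

On the server, `sshd -T` prints the effective configuration and also follows `Include` files, which this script does not.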

First backup with duplicity

Here we want to back up only the most important directories of our home directory. So we pass ~ as the source, exclude everything with '**', and include only a few directories: --include ~/musics, --include ~/git-projects.

duplicity --encrypt-key 0xABCDEFGHIJKLMNOP --sign-key 0xQRSTUVWXYZABCDEF --include ~/git-projects --include ~/musics --exclude '**' ~ rsync://backup@192.168.1.11/backups

The first backup can take a very long time. For example, on a poor Celeron, it sent only 4.7GB in 30 minutes.

Avoid using scp with duplicity; scp is very slow...

Restoring

To restore the whole backups directory:

duplicity rsync://backup@192.168.1.11/backups/ ~

For specific files or directories, try removing a directory, e.g. rm -r ~/musics/ArabFolk, then restore it:

duplicity --file-to-restore musics/ArabFolk rsync://backup@192.168.1.11/backups/ ~