Creating Encrypted FTP Backups With duplicity And ftplicity On Debian Lenny - Page 2
5 Automatic Backups With ftplicity
Because duplicity asks for a GnuPG password every time we use it, it's hard to use it for automatic backups (e.g. via cron). Fortunately there's ftplicity, a duplicity wrapper script, which allows us to call duplicity without being asked for a password.
First we generate a GnuPG key that ftplicity will use (so that we don't have to type in a password anymore):
gpg --gen-key
server2:/home/exampleuser# gpg --gen-key
gpg (GnuPG) 1.4.6; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? <-- ENTER
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) <-- ENTER
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) <-- ENTER
Key does not expire at all
Is this correct? (y/N) <-- y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <[email protected]>"
Real name: <-- your name, e.g. Falko Timme
Email address: <-- your email address, e.g. [email protected]
Comment:
You selected this USER-ID:
"Falko Timme <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? <-- O
You need a Passphrase to protect your secret key. <-- Type in your desired password (twice to confirm it)
Now the key will be generated. It's a good idea to open a second console and type some letters so that the random number generator can gain enough entropy:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.++++++++++++++++++++.++++++++++..++++++++++.++++++++++++++++++++.++++++++++.++++++++++++++++++++++++++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.....+++++...+++++.++++++++++.+++++.++++++++++..++++++++++.++++++++++++++++++++++++++++++.++++++++++.++++++++++++++
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 7C6E958B marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/7C6E958B 2007-12-10
Key fingerprint = 1FDC 60FB 8A27 90D8 553C 3C3E 8E1F 66F7 7C6E 958B
uid Falko Timme <[email protected]>
sub 2048g/F1BB98F4 2007-12-10
server2:/home/exampleuser#
I've highlighted the key ID (7C6E958B) because we'll need it in a moment.
Next we download ftplicity:
cd /tmp
wget ftp://ftp.heise.de/pub/ct/listings/0613-216.tar.gz
tar xvfz 0613-216.tar.gz
cp ftplicity-1.2/ftplicity /usr/local/bin
Now we create /root/.ftplicity/conf. It has the following variables:
- GPG_KEY: the ID of our GnuPG key;
- GPG_PW: the password we typed in when we created the GnuPG key;
- ZIEL: the backup server (incl. the FTP username);
- ZIEL_PW: the FTP password on the backup server;
- QUELLE: the source directory (i.e., the directory to be backed up);
- HOECHSTALTER: the age of the oldest backup; older backups will be deleted;
- VERBOSITY: amount of information displayed on the screen by ftplicity;
- TEMP_DIR: a directory for temporary files; when you restore a backup, this directory must at least have enough space for the biggest file in the backup.
vi /root/.ftplicity/conf
# GPG key data
GPG_KEY=7C6E958B
GPG_PW='gpg_key_password'
# FTP server credentials (URL format)
ZIEL='ftp://[email protected]/'
ZIEL_PW='secret'
# base directory for the backup
QUELLE='/home/exampleuser'
# oldest restore point
HOECHSTALTER=1M
# verbosity of screen output (9 for debugging)
VERBOSITY=4
# directory for temporary files; on restore it must have at least
# enough space for the largest file in the backup
TEMP_DIR=/tmp
Afterwards we change the permissions of the file so that only root has read and write permissions:
chmod 600 /root/.ftplicity/conf
We can now create three other files, although that is totally optional:
- /root/.ftplicity/exclude: contains a list of directories to be excluded from the backup (one directory per line);
- /root/.ftplicity/pre: contains command(s) to be executed prior to the backup (e.g. create a MySQL database dump);
- /root/.ftplicity/post: contains command(s) to be executed after the backup.
Here's a sample /root/.ftplicity/exclude and /root/.ftplicity/pre file (the syntax of /root/.ftplicity/post is the same as in /root/.ftplicity/pre):
vi /root/.ftplicity/exclude
/proc
/dev
/sys
chmod 600 /root/.ftplicity/exclude
vi /root/.ftplicity/pre
/usr/bin/mysqldump --all-databases -u root -pyourrootsqlpassword > /home/exampleuser/db.sql
(Note that the database is locked while the SQL dump is created; this might not be an issue for a small web site, but it can be a problem for high-traffic web sites: your visitors won't be able to access database-driven pages during mysqldump. Here's a link to an interruption-free MySQL backup method: How To Back Up MySQL Databases Without Interrupting MySQL)
/root/.ftplicity/pre must be executable (as well as /root/.ftplicity/post if you choose to create one):
chmod 700 /root/.ftplicity/pre
As I said before, you only need /root/.ftplicity/conf; the other files are optional.
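The chmod steps above matter because conf stores GPG_PW and ZIEL_PW in clear text and the pre/post scripts are executed by ftplicity from root's crontab. The following shell functions are an added example, not part of ftplicity or of the original article, that re-check those permissions; the function names, the numeric owner argument (default 0, i.e. root) and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example (not part of ftplicity): audit an ftplicity config directory.
# Assumes GNU stat from coreutils, as shipped with Debian.
# Usage: audit_ftplicity_dir /root/.ftplicity

# check_perms PATH MASK OWNER_UID
# Reports a finding if PATH has any permission bit from MASK set or is not
# owned by OWNER_UID. Returns 0 when PATH is clean, 1 otherwise.
check_perms() {
    cp_path=$1; cp_mask=$2; cp_owner=$3; cp_rc=0
    cp_mode=$(stat -c '%a' "$cp_path")
    cp_actual=$(stat -c '%u' "$cp_path")
    # The leading 0 makes the shell read both values as octal.
    if [ $(( 0$cp_mode & 0$cp_mask )) -ne 0 ]; then
        echo "FINDING: $cp_path has mode $cp_mode, bits in $cp_mask must be clear"
        cp_rc=1
    fi
    if [ "$cp_actual" != "$cp_owner" ]; then
        echo "FINDING: $cp_path is owned by uid $cp_actual, expected $cp_owner"
        cp_rc=1
    fi
    return $cp_rc
}

# audit_ftplicity_dir DIR [OWNER_UID]   (OWNER_UID defaults to 0, root)
audit_ftplicity_dir() {
    a_dir=$1; a_owner=${2:-0}; a_rc=0
    if [ ! -f "$a_dir/conf" ]; then
        echo "FINDING: $a_dir/conf is missing"
        a_rc=1
    fi
    # The directory must not be writable by group/other, otherwise another
    # account could replace the pre/post script that the cron job runs.
    check_perms "$a_dir" 022 "$a_owner" || a_rc=1
    # conf holds GPG_PW and ZIEL_PW in clear text and pre/post may embed
    # database passwords: no group/other access to any of the files.
    for a_name in conf gpgkey exclude pre post; do
        [ -e "$a_dir/$a_name" ] || continue
        check_perms "$a_dir/$a_name" 077 "$a_owner" || a_rc=1
    done
    # pre and post are executed by ftplicity, so they need the x bit.
    for a_name in pre post; do
        if [ -f "$a_dir/$a_name" ] && [ ! -x "$a_dir/$a_name" ]; then
            echo "FINDING: $a_dir/$a_name is not executable"
            a_rc=1
        fi
    done
    return $a_rc
}
```

The function prints one FINDING line per problem and returns non-zero if there is at least one, so it can be called before the ftplicity command in the cron job.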
Now ftplicity is ready to be used; to create our backup, we simply run
ftplicity backup
If all goes well, you won't be prompted for a password:
server2:~# ftplicity backup
NcFTP version is 3.2.1
Reading globbing filelist /root/.ftplicity/exclude
Last full backup date: Tue Mar 30 17:11:19 2010
--------------[ Backup Statistics ]--------------
StartTime 1269964060.17 (Tue Mar 30 17:47:40 2010)
EndTime 1269964060.25 (Tue Mar 30 17:47:40 2010)
ElapsedTime 0.08 (0.08 seconds)
SourceFiles 44
SourceFileSize 1576302 (1.50 MB)
NewFiles 0
NewFileSize 0 (0 bytes)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 0
RawDeltaSize 0 (0 bytes)
TotalDestinationSizeChange 1038 (1.01 KB)
Errors 0
-------------------------------------------------
server2:~#
To automate the backups, we can create a cron job (I create two cron jobs, one that runs daily and creates incremental backups, and one that runs once a month, creates a full backup and deletes old files):
crontab -e
# run the (incremental) backup each night at 03:23h
23 3 * * * /usr/local/bin/ftplicity backup
# do a full backup once per month & delete old backups
47 4 1 * * /usr/local/bin/ftplicity full && /usr/local/bin/ftplicity purge --force
6 Restoring A Backup With ftplicity
Of course, you can also use ftplicity to restore a backup (again, you won't be asked for a password). The syntax is very easy:
ftplicity restore /home/exampleuser
You can take a look at the ftplicity help to learn what other options you have:
ftplicity --help
server2:~# ftplicity --help
Usage: ftplicity <command> [<options> ...]
commands:
backup: incremental backup
full: force full backup
list: list all files in the backup
status: information on backup sets
verify: list files changed since latest backup
purge [--force]:
list obsolete backup archives [and delete them]
cleanup [--force]:
purge incomplete backup archives (after crashed backup)
restore <destination path> [<age>]:
restore backup to <destination path> [as of <age>]
fetch <file/directory> <destination> [<age>]
restore single file/directory (see example)
examples:
list and delete obsolete backup archives:
ftplicity purge --force
restore latest backup to /mnt:
ftplicity restore /mnt
restore /etc/passwd from 4 days ago to /root/pw:
ftplicity fetch etc/passwd /root/pw 4D
(see "man duplicity", section TIME FORMATS)
files in /root/.ftplicity
conf main configuration file
pre will be executed befor backups
post will be executed after backups
gpgkey contains a copy of the used GPG key
exclude list of excluded files and directories
(see "man duplicity", section FILE SELECTION)
server2:~#
7 Links
- duplicity: http://duplicity.nongnu.org/
- ftplicity: http://www.heise.de/ct/06/13/links/216.shtml
- Debian: http://www.debian.org/