Duplicity - backup with encryption

We have already written about using our cloud storage for backup. Archiving and backup to the storage can be done with a wide range of software; a regularly updated list of such programs is published on our website.

Recently we learned about another interesting tool: Duplicity. Duplicity not only archives data and uploads it to a local or remote file server, but also encrypts it with the GnuPG utility, thereby providing additional protection.

Why do you need encryption?


Backup, as is well known, is needed to keep the most valuable and important information safe. Saving a backup copy in a remote repository, even the most reliable one, is not in itself enough to protect it. Everyone these days talks about how all of our information is vulnerable and can be used against us. The news regularly carries reports of the tricks cybercriminals use to gain access to secret documents. Half a year ago the previously unknown American citizen Edward Snowden caused quite a stir around the world by describing how intelligence services use information technology to spy on people.

Of course, the sensational details repeated by journalists should be taken with a large grain of salt. The fact remains, however, that attackers have many different ways to gain access to confidential data. In this situation, encrypting the data is an effective protective measure: it is protected by a code word or key, and only users who know the code word can access it.

Of course, an attacker may well guess the storage password, for example, and download an encrypted file from the remote repository.

But without the code word he will not be able to open that file. Guessing the code word may take more than one year.

Duplicity supports various protocols for connecting to a file server: SSH / SCP, FTP, HSI, WebDAV, Tahoe-LAFS, and Amazon S3. With support for OpenStack Swift, the situation is somewhat more complicated.

The official man page states that this requires additional modules and plug-ins, but gives no detailed recommendations for installing and configuring them. Below we describe how to get Duplicity working with our storage.

Installation and Setup


The Duplicity program is included in the repositories of most modern Linux systems and is installed using the standard package manager:

$ sudo apt-get install duplicity


To work with cloud storage, the client machine must have the python-swiftclient and librsync packages installed:

 $ sudo apt-get install python-swiftclient
 $ sudo apt-get install librsync-dev


Now you need to install the swiftbackend plugin. First, clone the corresponding repository from Launchpad (for this you will also need to install the Bazaar version control system on the client machine, since Launchpad uses it):

 $ sudo apt-get install bzr
 $ bzr branch lp:~mhu-s/duplicity/swiftbackend


Then execute the following command:

cd swiftbackend && sudo python dist/setup.py install


When the installation is complete, Duplicity will be ready to work with the cloud storage.

Backup Setup


Now open any text editor and write a small backup script:

 # Authorization data for connecting to the repository
 export SWIFT_USERNAME="username"
 export SWIFT_PASSWORD="password to access the repository"
 export SWIFT_AUTHURL="https://auth.selcdn.ru"

 # Perform the backup (replace both placeholders with your own values)
 duplicity /path/to/folder/on/client/machine swift://name_of_container_in_storage

 # Clear authorization data for security
 unset SWIFT_USERNAME
 unset SWIFT_PASSWORD
 unset SWIFT_AUTHURL


Save this file as, for example, backup.sh and make it executable (chmod +x backup.sh). After that, run it:

$ ./backup.sh


Next, GnuPG will ask for a code word to access the files.
After this, the backup will start. The statistics will be displayed in the console:

 -------------- [Backup statistics] --------------
 StartTime 1391068911.00 (Thu Jan 30 12:01:51 2014)
 EndTime 1391068911.02 (Thu Jan 30 12:01:51 2014)
 ElapsedTime 0.02 (0.02 seconds)
 Sourcefiles 5
 SourceFileSize 190210 (186 KB)
 NewFiles 5
 NewFileSize 190210 (186 KB)
 DeletedFiles 0
 ChangedFiles 0
 ChangedFileSize 0 (0 bytes)
 ChangedDeltaSize 0 (0 bytes)
 DeltaEntries 5
 RawDeltaSize 186114 (182 KB)
 TotalDestinationSizeChange 185217 (181 KB)
 Errors 0
 -----------------------------------------------------------------


New files will be added to the specified cloud storage container:

duplicity-full-signatures.20140130T073550Z.sigtar.gpg
duplicity-full.20140130T073550Z.manifest.gpg
duplicity-full.20140130T073550Z.vol1.difftar.gpg


To download an encrypted backup from storage to a local machine, write a script containing the same authorization data and differing from the one above only in the command line:

duplicity swift://name_of_container_in_storage /path/to/folder/on/client/machine


Save this script as restore.sh and make the corresponding file executable.

When ./restore.sh is run, GnuPG will prompt for the code word. After the code word is entered, all the files from the backup will be downloaded to the specified directory on the local machine.

Readers who are not able to comment on posts on Habr are invited to our blog.

Source: https://habr.com/ru/post/211170/