From ArchWiki
Revision as of 22:39, 17 May 2012 by Kynikos (talk | contribs) (some style fixes + point to Backup Programs instead of describing rdiff-backup)
Jump to: navigation, search

This template has only maintenance purposes. For linking to local translations please use interlanguage links, see Help:i18n#Interlanguage links.

Local languages: Català – Dansk – English – Español – Esperanto – Hrvatski – Indonesia – Italiano – Lietuviškai – Magyar – Nederlands – Norsk Bokmål – Polski – Português – Slovenský – Česky – Ελληνικά – Български – Русский – Српски – Українська – עברית – العربية – ไทย – 日本語 – 正體中文 – 简体中文 – 한국어

External languages (all articles in these languages should be moved to the external wiki): Deutsch – Français – Română – Suomi – Svenska – Tiếng Việt – Türkçe – فارسی

Duplicity is a network backup program.

It can save snapshots of directories and files to a remote GnuPG encrypted tar file, which acts as a backup repository. Connecting with the remote backup repository can take place through one of the rsync, ftp, HSI, WebDAV, Tahoe-LAFS, or Amazon S3 protocols.

Backups are granularly incremental, meaning that only changes in files (since the last snapshot) are stored.


Install duplicity from the Official Repositories.

Basic Usage

Doing backups

To backup the local folder /home/me to the remote location /usr/backup on host other.host through the scp/ssh protocol, use:

duplicity /home/me scp://uid@other.host//usr/backup

The first time this command is run, it will create a full backup. Running the exact same command again causes an incremental backup to the existing backup repository.

Additional command-line options options allow to:

  • include or exclude specific files and directories from the backup (using shell patterns or regular expressions)
  • fine-tune encryption and signing of the backups

Restoring files from backup

To restore the local folder /home/me to the state of the last snapshot saved in the remote repository /usr/backup on host other.host, do:

duplicity scp://uid@other.host//usr/backup /home/me 

Note the reversed ordering or the arguments compared to the backup command above. The URL argument is always treated as the backup repository, and the local path argument as the directory to sync with the backup. (A local backup repository needs to be explicitly specify using the file:// protocol prefix!)

Additional command-line option exist to allow:

  • restore a specific file instead of the whole repository
  • restore file(s) to the state they had on a specific date, rather than to the most recent available snapshot

Repository inspection and house-keeping

Some additional command-line options exist for comparing the repository state to the state of the local files, and to delete old snapshots so as to only keep a fixed amount of snapshots or only ones that are newer than a given date.

See the man page for details.

Example backup script

## Remote backup script. Requires duplicity and gpg-agent with the keys and passphrases loaded as root.
## Uses separate encryption and signing keys
## Usage:  'backup_remote.sh'


# Keychain is used to source the gpg-agent keys when running from a cron job
type -P keychain &>/dev/null || { echo "I require keychain but it's not installed.  Aborting." >&2; exit 1; }
eval `keychain --eval web_rsa 42A79D21 E6C991E3` || exit 1

duplicity --use-agent \
         --verbosity notice \
         --encrypt-key "$enc_key" \
         --sign-key "$sign_key" \
         --full-if-older-than 60D \
         --num-retries 3 \
         --asynchronous-upload \
         --volsize 100 \
         --archive-dir /root/.cache/duplicity \
         --log-file /var/log/duplicity.log \
         --exclude /mnt/backup/fsarchiver \
         --exclude '**rdiff-backup-data' \
         "$src" "$dest"
Note: There is an issue with the current version of pinentry (0.8.1-3) that will not allow passphrase entry for a root gpg-agent when logged in as root using su - or sudo. If you are accessing a remote server where direct root ssh login is not allowed (or desired!), then you have to either patch pinentry or chown root `tty` before running pinentry. This is not an issue when running gpg-agent as a non-root user.

See also