Create the gpg key
First, create a gpg key for encrypting the backups. Either generate a key without a passphrase, which allows automatic backups, or specify the passphrase on the command line when running backups.
Key without passphrase
Generate the key:
$ gpg --quick-gen-key --passphrase "" backup
To export the key to a file, first list the keys:
$ gpg -K
Then export the one you want with the following command, which writes only the public key:
$ gpg --export $KEYID >/tmp/key.export
This can then be imported on the target machine via:
$ gpg --import </tmp/key.export
Key with passphrase
Same as above but without the --passphrase part.
Create the backup
Create the batch file for the backup.
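#!/bin/bash
# Set name, path and sub_folder (see the table below), key (the gpg key ID),
# DOMAIN and REMOTE_PATH before running. REMOTE_PATH is the path on the
# backup server; it is not called PATH because that is the shell's search path.
TARGET="rsync://backup@${DOMAIN}/${REMOTE_PATH}"
# an array keeps the option and its value as two separate arguments
KEY=(--encrypt-key "$key")
# create the backup, incrementally and a full one every month
duplicity incr --full-if-older-than 1M --name "$name" "${KEY[@]}" "$path" "${TARGET}/${sub_folder}"
# remove backups older than 3 months
PASSPHRASE="" duplicity remove-older-than 3M --force "${KEY[@]}" "${TARGET}/${sub_folder}"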
If you have a passphrase for the gpg key, provide it to duplicity in the PASSPHRASE environment variable.
Variable | Function |
---|---|
$name | The name of the backup, prefixed to the generated file |
$path | The path to back up |
$sub_folder | The sub folder where to store this on the backup machine |
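
An added example (not part of the original page) of a wrapper for the passphrase-protected case: it loads the passphrase from a file that only its owner can access and hands it to duplicity in the PASSPHRASE environment variable, not on the command line where other local users could read it from the process list. The function names, DRY_RUN and the argument order are assumptions made here.

```bash
#!/bin/bash
# Added example, not from the original page. load_passphrase, run_backup,
# DRY_RUN and the argument order are hypothetical names chosen here.
set -u

# Load the key passphrase from a file, refusing one that group or others
# can access, and export it as PASSPHRASE for duplicity.
load_passphrase() {
    file=$1
    [ -f "$file" ] || { echo "missing passphrase file: $file" >&2; return 1; }
    # characters 5-10 of `ls -ld` output are the group and other mode bits
    perms=$(ls -ld -- "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $file: mode allows group/other access" >&2
        return 1
    fi
    # read the first line only; succeed even without a trailing newline
    IFS= read -r PASSPHRASE < "$file" || [ -n "$PASSPHRASE" ] || return 1
    export PASSPHRASE
}

# Run (or, with DRY_RUN=1, print one argument per line) the backup command.
run_backup() {
    key=$1 name=$2 src=$3 target=$4
    # Assumption: the key is given as a hex key ID or fingerprint. This also
    # rejects values starting with "-" that duplicity would read as options.
    case $key in
        ""|*[!0-9A-Fa-f]*) echo "key must be hex" >&2; return 1 ;;
    esac
    # "$@" keeps every option and value a separate argument, even with spaces
    set -- duplicity incr --full-if-older-than 1M --name "$name" \
        --encrypt-key "$key" "$src" "$target"
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$@"; else "$@"; fi
}

# usage: backup.sh PASSFILE KEY NAME SOURCE TARGET
if [ "$#" -eq 5 ]; then
    load_passphrase "$1" && run_backup "$2" "$3" "$4" "$5"
fi
```

Running it with DRY_RUN=1 prints the duplicity arguments one per line without starting a backup.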
To have an rsync server as above and only allow rsync login, follow the guide in Rsync only SSH.