Backup setup
A friend of mine recently introduced me to Backblaze B2, which provides capabilities similar to Amazon S3 for a fraction of the cost. Together with duplicity, this is a really good solution for offsite backups. While there are a few tutorials out there, I would like to highlight the most important points here.
Duplicity
Install duplicity via your package manager or whatever you use. On Manjaro, it is a simple:
pamac install duplicity
Decide for yourself which backup policy you prefer. Duplicity has a lot of options, so with a simple man duplicity you can learn what is possible. In my case, I just wanted a simple full backup initially followed by incremental backups for the subsequent ones. This is the standard functionality of duplicity.
Backblaze B2 Bucket
Create a Backblaze B2 Account, register a credit card etc.
Create a unique bucket name. Yes, this needs to be a unique name that no one else has used yet. I would recommend turning on their encryption as well. We will still encrypt our files with our own methods, but two methods cannot hurt and it's free…
I would recommend creating an application key for your purposes specific to your bucket. Make sure to give it “read & write” access. Initially I thought that giving it write access would be enough, but duplicity may have to access the bucket and read the metadata from the bucket to understand which files changed. In case you always do full backups, it may be fine to only give it read access; I did not try this out.
Backup script
There are a lot of duplicity scripts out there, doing all kinds of complicated stuff, with verification. Now, don’t get me wrong, verification is something important and I should probably include it in my script. I just wanted something that works for now and that is fast.
In my case, I wanted to back up all of my home folder except for a few folders which were a bit too large. This included a VM (which for some reason I thought should be saved in /home/Documents/vm). Using duplicity you can exclude folders really easily though. The complete script is as follows:
#!/bin/bash
# Configuration: replace the placeholders and keep the quotes,
# otherwise the shell treats < and > as redirections
B2_KEYID="<KEYID OF THE APPLICATION KEY>"
B2_APPLICATION_KEY="<APPLICATION KEY WHICH IS ONLY VISIBLE ONCE>"
BUCKET="<BUCKET NAME>"
ENCRYPT_KEY="<IDENTIFIER OF PUBLIC KEY>"
# Send them to b2 (the URL is quoted so special characters in the key survive)
duplicity --progress --use-agent --encrypt-key="$ENCRYPT_KEY" /home/Documents/ --exclude /home/Documents/vm "b2://${B2_KEYID}:${B2_APPLICATION_KEY}@${BUCKET}"
# To restore:
# duplicity --use-agent "b2://${B2_KEYID}:${B2_APPLICATION_KEY}@${BUCKET}" /home/restore
# Clear the secrets from the shell again
unset B2_KEYID
unset B2_APPLICATION_KEY
unset BUCKET
unset ENCRYPT_KEY
The variables at the top should be self-explanatory. If you want, you can replace the asymmetric cryptography used with symmetric cryptography via gpg.
The progress flag is added to get some kind of info about how long it would take. The use-agent flag is more of an aesthetic thing. Since my GPG key is on the YubiKey, I will have to enter a PIN to unlock the key to e.g. decrypt the files. The --use-agent flag will use the already running gpg-agent, which will make sure that asking for the PIN happens in an external dialog (which is the standard for me) instead of inside the shell. Really just aesthetics…
That’s it. That’s how it works. You can make a cron entry for this to run periodically if you want. Also worth it.
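The script above keeps the application key in plain text inside the script and skips verification. As an added example (not the author's script), the variant below reads the same four values from a separate file, refuses the file if group or others have any permission on it, and runs duplicity's verify action after the backup. The file path, its KEY=VALUE layout and the function names are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not the author's script. CRED_FILE and its KEY=VALUE layout
# are assumptions; the duplicity options are the ones used in the post.
CRED_FILE="${CRED_FILE:-$HOME/.config/duplicity-b2.env}"

# Succeed only if the file exists and grants nothing to group or others.
# Characters 5-10 of the `ls -ld` mode string are the group/other bits.
creds_are_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Parse KEY=VALUE lines instead of sourcing the file, so nothing in it is
# executed as shell code. Unknown keys are ignored.
load_creds() {
    creds_are_private "$1" || { echo "refusing $1: missing or accessible by others" >&2; return 1; }
    B2_KEYID= B2_APPLICATION_KEY= BUCKET= ENCRYPT_KEY=
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            B2_KEYID)           B2_KEYID=$value ;;
            B2_APPLICATION_KEY) B2_APPLICATION_KEY=$value ;;
            BUCKET)             BUCKET=$value ;;
            ENCRYPT_KEY)        ENCRYPT_KEY=$value ;;
        esac
    done < "$1"
    # All four values must be present before anything is sent anywhere.
    [ -n "$B2_KEYID" ] && [ -n "$B2_APPLICATION_KEY" ] && [ -n "$BUCKET" ] && [ -n "$ENCRYPT_KEY" ]
}

# Build the target URL in the form the post uses.
b2_url() { printf 'b2://%s:%s@%s' "$B2_KEYID" "$B2_APPLICATION_KEY" "$BUCKET"; }

# Only runs duplicity when the script is called with the argument "run".
if [ "${1:-}" = "run" ]; then
    load_creds "$CRED_FILE" || exit 1
    duplicity --progress --use-agent --encrypt-key="$ENCRYPT_KEY" \
        /home/Documents/ --exclude /home/Documents/vm "$(b2_url)" || exit 1
    # Verification step the post leaves out; it needs the private key to decrypt.
    duplicity verify --use-agent "$(b2_url)" /home/Documents/
fi
```

The check covers the key at rest only; the URL, including the key, is still passed to duplicity as a command-line argument.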