[http://packages.debian.org/duplicity duplicity] is a very useful tool for making unattended remote backups. The backups can be incremental, encrypted, and sent over a variety of transports. Here is an example setup for backing up various directories remotely. Other tools such as [http://packages.debian.org/backupninja backupninja] can be used for the same purpose.

$ su
# apt-get install duplicity keychain
 [...]
# ssh-keygen -t dsa
 [...]
# gpg --gen-key
 [...]
# umask 077
# touch /root/backup.sh /root/.duplicity.conf
# chmod u+x /root/backup.sh
# ls -la /root/backup.sh /root/.duplicity.conf
-rwx------  1 root root 0 2006-01-16 06:47 /root/backup.sh
-rw-------  1 root root 0 2006-01-16 06:47 /root/.duplicity.conf

Example of duplicity script file /root/backup.sh

#!/bin/bash
# uncomment for debug
#set -x

source /root/.duplicity.conf

# duplicity command
DUPEXEC="duplicity --encrypt-key $ENCRKEY --sign-key $SIGNKEY $DUPOPTS $*"
# loop on directories
echo -n ---- Incremental backup of $HOSTNAME ---- ;date
for i in $BACKDIRS
do
  echo Starting backup of directory /$i
  # create directory, then backup, then erase old backups
  $MKDIR $LPATH/$i && $DUPEXEC /$i $RPATH/$i && $DUPEXEC $RPATH/$i
  # verify backup integrity
  #$DUPEXEC --verify $RPATH/$i /$i
done
# if local, fix ownership
if [ -z "$HOST" ]; then chown -R "$NAME:$NAME" "$LPATH"; fi
echo -n ---- Finished backup on $HOSTNAME ---- ;date

Example of settings file /root/.duplicity.conf

# path to backup to
LPATH=/home/babar/precious/$HOSTNAME

## 1. remote settings
# remote host
HOST=remotehostname
# remote login (user for backup on server)
NAME=babar
# send over ssh
RPATH=scp://$NAME@$HOST/$LPATH

## 2. local settings
# remote host *empty*
#HOST=
# user name to change ownership to
#NAME=babar
# RPATH now uses file://
#RPATH=file://$LPATH

# complete with root gpg signature and encryption key
SIGNKEY=XXXXXXXX
ENCRKEY=$SIGNKEY
# yes, we need to store the gpg pass phrase in clear somewhere
export PASSPHRASE='XXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

# local list of directories to backup
BACKDIRS='etc var/lib/dpkg var/log var/mail usr/local/more/XXX
opt/another/dirXXXXXXX'

# full '/' backup setting
#BACKDIRS=/
#DUPOPTS='--exclude /proc --exclude /mnt --exclude /tmp'

# duplicity options (backup.sh also accepts command line arguments)
DUPOPTS=
# cleanup (really needs --force)
DUPOPTS='--remove-older-than 2W'
# exclude patterns (double quotes, so that $DUPOPTS is expanded)
DUPOPTS="$DUPOPTS --exclude **/pictures/XXX"

# load ssh agent info using keychain
[[ -f /root/.keychain/$HOSTNAME-sh ]] && \
       source /root/.keychain/$HOSTNAME-sh

export GNUPGHOME=/root/.gnupg

if [ -z "$HOST" ]; then
  MKDIR="mkdir -p"
else
  # log in as the backup user, the same account RPATH uses
  MKDIR="ssh $NAME@$HOST mkdir -p"
fi
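
Because backup.sh sources /root/.duplicity.conf as root and that file holds the GPG passphrase in clear, a guard like the following can be called before the source line. This is an added example, not part of the original page; the function name safe_to_source is hypothetical and GNU stat (coreutils, as on Debian) is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): guard to call before sourcing
# a root-owned settings file such as /root/.duplicity.conf.
# Assumes GNU stat from coreutils, as on Debian.

# safe_to_source FILE  (hypothetical helper name)
# Succeeds only if FILE is a regular file (not a symlink), owned by the
# calling user, with no group/other permission bits, and its directory is
# not writable by group or others.
safe_to_source() {
    _f=$1
    if [ -L "$_f" ] || [ ! -f "$_f" ]; then
        echo "refusing $_f: not a regular file" >&2
        return 1
    fi
    _owner=$(stat -c %u "$_f") || return 1
    _mode=$(stat -c %a "$_f") || return 1
    _dmode=$(stat -c %a "$(dirname "$_f")") || return 1
    if [ "$_owner" != "$(id -u)" ]; then
        echo "refusing $_f: owned by uid $_owner" >&2
        return 1
    fi
    # stat prints octal digits; the leading 0 makes the shell read them as octal
    if [ $(( 0$_mode & 077 )) -ne 0 ]; then
        echo "refusing $_f: mode $_mode is open to group/others" >&2
        return 1
    fi
    if [ $(( 0$_dmode & 022 )) -ne 0 ]; then
        echo "refusing $_f: directory mode $_dmode lets others replace it" >&2
        return 1
    fi
    return 0
}

# Usage in /root/backup.sh, in place of the bare "source" line:
#   safe_to_source /root/.duplicity.conf || exit 1
#   . /root/.duplicity.conf
```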

Testing the whole thing

Add the following to your localmachine:/root/.bashrc

keychain --nogui --clear id_dsa
. ~/.keychain/$HOSTNAME-sh

and login as root again. You should be prompted for the ssh passphrase.

Once you have also added the content of localmachine:/root/.ssh/id_dsa.pub into remotemachine:/home/babar/.ssh/authorized_keys (-rw-------), try running the script:

# /root/backup.sh
---- Incremental backup of localmachine ---- Mon Jan 16 06:49:25 GMT 2006
Starting backup of directory /home/barfoo
No signatures found, switching to full backup.
--------------[ Backup Statistics ]--------------
StartTime 1137394351.70 (Mon Jan 16 06:52:31 2006)
EndTime 1137394838.14 (Mon Jan 16 07:00:38 2006)
ElapsedTime 486.44 (8 minutes 6.44 seconds)
SourceFiles 26330
SourceFileSize 677134571 (646 MB)
NewFiles 4185
NewFileSize 125189830 (119 MB)
DeletedFiles 0
ChangedFiles 1
ChangedFileSize 2190 (2.14 KB)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 4186
RawDeltaSize 99926952 (95.3 MB)
TotalDestinationSizeChange 45211649 (43.1 MB)
Errors 0
-------------------------------------------------

No old backup sets found, nothing deleted.
---- Finished backup on localmachine ---- Mon Jan 16 07:00:57 GMT 2006

The set -x line can be uncommented to debug the script.

Saving the keys

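Now that it is working, you need to back up the keys somewhere away from both the machine being backed up and the remote backup storage. Pick somewhere safe, such as a USB key; the archive below contains the GPG and SSH private keys and the clear-text passphrase from /root/.duplicity.conf, so the medium itself must be kept secure: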

$ cd /media/usbdisk
$ sudo tar zcvf root-$HOSTNAME.tar.gz /root

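To make the remote machine safer, you could also set the shell of the backup user to scponly. Since scponly only permits file-transfer commands, the ssh mkdir -p step will then be refused, so it has to be dropped from the script and the target directories created on the server beforehand.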

Making it automagic

You can now run the script manually with

$ sudo /root/backup.sh

(you will need to add the ssh key to keychain after a reboot).

To recreate a full backup, add the --full flag. To delete the old backups, use --force.

To add it to cron:

$ sudo crontab -e

and put something like:

# m h  dom mon dow command
33 23  *   *   1-6   /root/backup.sh
# full backup every sunday, deleting old ones
33 23  *   *   7   /root/backup.sh --full --force

More information

For more, see man duplicity, or read the [http://www.nongnu.org/duplicity/duplicity.1.html online manpage] at the [http://www.nongnu.org/duplicity/ duplicity webpage].