Creating Encrypted FTP Backups With duplicity And duply On Debian Squeeze
When you rent a dedicated server nowadays, almost all providers give you FTP backup space for your server on one of the provider's backup systems. This tutorial shows how you can use duplicity and duply to create encrypted backups over FTP on the provider's remote backup server, so that nobody with access to the backup server can read sensitive data in your backups. duply is a wrapper script for duplicity that lets us run duplicity without interaction (i.e., you don't have to type in any passwords).
I do not issue any guarantee that this will work for you!
1 Preliminary Note
In this tutorial I call the backup server backup.example.com, where I have an FTP account with the username backupuser and the password secret. On my own server I want to back up the directory /home/exampleuser.
2 Installing duplicity
First we make sure our system is up to date:
apt-get update
apt-get upgrade
Then we install duplicity as follows:
apt-get install duplicity ncftp
3 Our First Backup
Let's now do our first backup:
FTP_PASSWORD=secret duplicity /home/exampleuser ftp://backupuser@backup.example.com/
root@server1:/home/exampleuser# FTP_PASSWORD=secret duplicity /home/exampleuser ftp://backupuser@backup.example.com/
NcFTP version is 3.2.4
GnuPG passphrase:
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
No signatures found, switching to full backup.
Retype passphrase to confirm:
--------------[ Backup Statistics ]--------------
StartTime 1341339005.14 (Tue Jul 3 20:10:05 2012)
EndTime 1341339006.46 (Tue Jul 3 20:10:06 2012)
ElapsedTime 1.32 (1.32 seconds)
SourceFiles 53
SourceFileSize 13494139 (12.9 MB)
NewFiles 53
NewFileSize 13494139 (12.9 MB)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 53
RawDeltaSize 13461371 (12.8 MB)
TotalDestinationSizeChange 4687992 (4.47 MB)
Errors 0
-------------------------------------------------
root@server1:/home/exampleuser#
As you can see, you are asked for a GnuPG passphrase. You can enter any passphrase you like; you have to do this every time you run duplicity. The backup is encrypted with the help of GnuPG. Permissions and ownership are preserved in the backup.
To create the backup in a subdirectory on the backup server, you can modify the command as follows:
FTP_PASSWORD=secret duplicity /home/exampleuser ftp://backupuser@backup.example.com/subdirectory
When you run duplicity for the first time, it creates a full backup; after that it creates incremental backups. To force the creation of a new full backup, you can use the full switch:
FTP_PASSWORD=secret duplicity full /home/exampleuser ftp://backupuser@backup.example.com/
To exclude a directory from the backup, e.g. /home/exampleuser/tmp, you can use the --exclude switch:
FTP_PASSWORD=secret duplicity --exclude /home/exampleuser/tmp /home/exampleuser ftp://backupuser@backup.example.com/
If you are backing up the root directory /, remember to --exclude /proc, otherwise duplicity might crash.
To learn more about the available duplicity options, take a look at
man duplicity
4 Restoring A Backup
Let's now assume we have deleted everything in /home/exampleuser and want to restore it from the FTP backup. This is how we do it:
FTP_PASSWORD=secret duplicity ftp://backupuser@backup.example.com/ /home/exampleuser
Please note that in this case the remote location comes before the local folder!
5 Automating Backups With duply
Because duplicity asks for the GnuPG passphrase each time it is used, it is hard to use it for automated backups (e.g. via cron). Fortunately there is a wrapper script for duplicity, duply, that lets us call duplicity without being asked for a passphrase.
First we generate a GnuPG key for duplicity to use (so that we don't have to type in a passphrase anymore):
gpg --gen-key
server1:/home/exampleuser# gpg --gen-key
gpg (GnuPG) 1.4.10; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? <-- ENTER
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) <-- ENTER
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) <-- ENTER
Key does not expire at all
Is this correct? (y/N) <-- y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: <-- your name, e.g. Falko Timme
Email address: <-- your email address, e.g. ft@falkotimme.com
Comment:
You selected this USER-ID:
    "Falko Timme <ft@falkotimme.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? <-- O
You need a Passphrase to protect your secret key.
<-- enter your desired passphrase (you have to confirm it a second time)
The key is now being generated. It is a good idea to open a second console and type in some letters so that the random number generator can gather enough entropy:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
....+++++
+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
....+++++
+++++
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 7C6E958B marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/7C6E958B 2007-12-10
      Key fingerprint = 1FDC 60FB 8A27 90D8 553C 3C3E 8E1F 66F7 7C6E 958B
uid                  Falko Timme <ft@falkotimme.com>
sub   2048g/F1BB98F4 2007-12-10

server1:/home/exampleuser#
I have highlighted the key ID (7C6E958B) because we need it in a moment.
Next we download duply:
cd /tmp
wget http://downloads.sourceforge.net/project/ftplicity/duply%20%28simple%20duplicity%29/1.5.x/duply_1.5.7.tgz
tar xvfz duply_1.5.7.tgz
cp duply_1.5.7/duply /usr/local/bin
To use duply, we need to create at least one profile. As I am backing up /home/exampleuser in this tutorial, I call the profile exampleuser. We can create the profile as follows:
duply exampleuser create
This creates the directory /root/.duply/exampleuser with a duply configuration file named conf in it. Open the file:
vi /root/.duply/exampleuser/conf
The most important settings in this file are:
- GPG_KEY: the ID of our GnuPG key;
- GPG_PW: the passphrase we entered when we created the GnuPG key;
- TARGET: the backup server (including the FTP username);
- TARGET_PASS: the FTP password on the backup server;
- SOURCE: the source directory (i.e., the directory to back up);
- MAX_AGE: the age of the oldest backup to keep; older backups will be deleted;
- VERBOSITY: how much information duplicity displays on the screen;
- TEMP_DIR: the directory for temporary files; when you restore a backup, this directory must have at least enough space for the biggest file in the backup.
My file looks as follows:
# gpg encryption settings, simple settings:
#  GPG_KEY='disabled' - disables encryption alltogether
#  GPG_KEY='<key1>[,<key2>]'; GPG_PW='pass' - encrypt with keys, sign
#    with key1 if secret key available and use GPG_PW for sign & decrypt
#  GPG_PW='passphrase' - symmetric encryption using passphrase only
GPG_KEY='7C6E958B'
GPG_PW='gpg_key_password'
# gpg encryption settings in detail (extended settings)
#  the above settings translate to the following more specific settings
#  GPG_KEYS_ENC='<keyid1>,[<keyid2>,...]' - list of pubkeys to encrypt to
#  GPG_KEY_SIGN='<keyid1>|disabled' - a secret key for signing
#  GPG_PW='<passphrase>' - needed for signing, decryption and symmetric
#   encryption. If you want to deliver different passphrases for e.g.
#   several keys or symmetric encryption plus key signing you can use
#   gpg-agent. Add '--use-agent' to the duplicity parameters below.
#  also see "A NOTE ON SYMMETRIC ENCRYPTION AND SIGNING" in duplicity manpage
# notes on en/decryption
#  private key and passphrase will only be needed for decryption or signing.
#  decryption happens on restore and incrementals (compare archdir contents).
#  for security reasons it makes sense to separate the signing key from the
#  encryption keys. https://answers.launchpad.net/duplicity/+question/107216
#GPG_KEYS_ENC='<pubkey1>,<pubkey2>,...'
#GPG_KEY_SIGN='<prvkey>'
# set if signing key passphrase differs from encryption (key) passphrase
# NOTE: available since duplicity 0.6.14, translates to SIGN_PASSPHRASE
#GPG_PW_SIGN='<signpass>'

# gpg options passed from duplicity to gpg process (default='')
# e.g. "--trust-model pgp|classic|direct|always"
#   or "--compress-algo=bzip2 --bzip2-compress-level=9"
#   or "--personal-cipher-preferences AES256,AES192,AES..."
#GPG_OPTS=''

# disable preliminary tests with the following setting
#GPG_TEST='disabled'

# credentials & server address of the backup target (URL-Format)
# syntax is
#   scheme://[user:password@]host[:port]/[/]path
# probably one out of
#   file://[/absolute_]path
#   ftp[s]://user[:password]@other.host[:port]/some_dir
#   hsi://user[:password]@other.host/some_dir
#   cf+http://container_name
#   imap[s]://user[:password]@host.com[/from_address_prefix]
#   rsync://user[:password]@other.host[:port]::/module/some_dir
#   # rsync over ssh (only keyauth)
#   rsync://user@other.host[:port]/relative_path
#   rsync://user@other.host[:port]//absolute_path
#   # for the s3 user/password are AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY
#   s3://[user:password]@host/bucket_name[/prefix]
#   s3+http://[user:password]@bucket_name[/prefix]
#   # scp and sftp are aliases for the ssh backend
#   ssh://user[:password]@other.host[:port]/some_dir
#   tahoe://alias/directory
#   webdav[s]://user[:password]@other.host/some_dir
# ATTENTION: characters other than A-Za-z0-9.-_.~ in user,password,path have
#            to be replaced by their url encoded pendants, see
#            http://en.wikipedia.org/wiki/Url_encoding
#            if you define the credentials as TARGET_USER, TARGET_PASS below
#            duply will url_encode them for you
#TARGET='scheme://user[:password]@host[:port]/[/]path'
TARGET='ftp://backupuser@backup.example.com/'
# optionally the username/password can be defined as extra variables
# setting them here _and_ in TARGET results in an error
#TARGET_USER='_backend_username_'
TARGET_PASS='secret'

# base directory to backup
SOURCE='/home/exampleuser'

# exclude folders containing exclusion file (since duplicity 0.5.14)
# Uncomment the following two lines to enable this setting.
#FILENAME='.duplicity-ignore'
#DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"

# Time frame for old backups to keep, Used for the "purge" command.
# see duplicity man page, chapter TIME_FORMATS)
MAX_AGE=1M

# Number of full backups to keep. Used for the "purge-full" command.
# See duplicity man page, action "remove-all-but-n-full".
#MAX_FULL_BACKUPS=1

# activates duplicity --full-if-older-than option (since duplicity v0.4.4.RC3)
# forces a full backup if last full backup reaches a specified age, for the
# format of MAX_FULLBKP_AGE see duplicity man page, chapter TIME_FORMATS
# Uncomment the following two lines to enable this setting.
#MAX_FULLBKP_AGE=1M
#DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "

# sets duplicity --volsize option (available since v0.4.3.RC7)
# set the size of backup chunks to VOLSIZE MB instead of the default 25MB.
# VOLSIZE must be number of MB's to set the volume size to.
# Uncomment the following two lines to enable this setting.
#VOLSIZE=50
#DUPL_PARAMS="$DUPL_PARAMS --volsize $VOLSIZE "

# verbosity of output (error 0, warning 1-2, notice 3-4, info 5-8, debug 9)
# default is 4, if not set
VERBOSITY=4

# temporary file space. at least the size of the biggest file in backup
# for a successful restoration process. (default is '/tmp', if not set)
TEMP_DIR=/tmp

# Modifies archive-dir option (since 0.6.0) Defines a folder that holds
# unencrypted meta data of the backup, enabling new incrementals without the
# need to decrypt backend metadata first. If empty or deleted somehow, the
# private key and it's password are needed.
# NOTE: This is confidential data. Put it somewhere safe. It can grow quite
#       big over time so you might want to put it not in the home dir.
# default '~/.cache/duplicity/duply_<profile>/'
# if set  '${ARCH_DIR}/<profile>'
#ARCH_DIR=/some/space/safe/.duply-cache

# DEPRECATED setting
# sets duplicity --time-separator option (since v0.4.4.RC2) to allow users
# to change the time separator from ':' to another character that will work
# on their system.  HINT: For Windows SMB shares, use --time-separator='_'.
# NOTE: '-' is not valid as it conflicts with date separator.
# ATTENTION: only use this with duplicity < 0.5.10, since then default file
#            naming is compatible and this option is pending depreciation
#DUPL_PARAMS="$DUPL_PARAMS --time-separator _ "

# DEPRECATED setting
# activates duplicity --short-filenames option, when uploading to a file
# system that can't have filenames longer than 30 characters (e.g. Mac OS 8)
# or have problems with ':' as part of the filename (e.g. Microsoft Windows)
# ATTENTION: only use this with duplicity < 0.5.10, later versions default file
#            naming is compatible and this option is pending depreciation
#DUPL_PARAMS="$DUPL_PARAMS --short-filenames "

# more duplicity command line options can be added in the following way
# don't forget to leave a separating space char at the end
#DUPL_PARAMS="$DUPL_PARAMS --put_your_options_here "
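As an added example (not part of the original tutorial and not duply's own code), the following Python reproduces two rules from the conf template above: the percent-encoding that duply applies to TARGET_USER/TARGET_PASS before splicing them into TARGET, and the error raised when the same credential is given both inside TARGET and as a variable; it also checks that the file mode keeps the profile, which stores GPG_PW and TARGET_PASS in clear text, readable by its owner only. The sample conf lines are constructed from the profile shown in this tutorial.

```python
import re
import stat
from urllib.parse import quote

# Allowed unencoded in user/password/path (plus A-Za-z0-9) per the ATTENTION note.
SAFE_CHARS = "-_.~"

# Constructed sample: the credential lines of the tutorial's profile.
SAMPLE_CONF = """\
# credentials & server address of the backup target (URL-Format)
TARGET='ftp://backupuser@backup.example.com/'
TARGET_PASS='secret'
MAX_AGE=1M
"""

def parse_duply_conf(text):
    """Collect KEY='value' / KEY=value assignments; comment lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)=(?:'([^']*)'|\"([^\"]*)\"|(\S*))\s*$", line)
        if m:
            conf[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return conf

def build_target(conf):
    """Splice percent-encoded TARGET_USER/TARGET_PASS into TARGET, as duply
    does, and reject a credential given both inside TARGET and as a variable."""
    scheme, cred, rest = re.match(r"^([a-z0-9+]+)://(?:([^@/]*)@)?(.*)$",
                                  conf["TARGET"]).groups()
    url_user, _, url_pass = (cred or "").partition(":")
    var_user, var_pass = conf.get("TARGET_USER"), conf.get("TARGET_PASS")
    if url_user and var_user is not None:
        raise ValueError("username set both in TARGET and TARGET_USER")
    if url_pass and var_pass is not None:
        raise ValueError("password set both in TARGET and TARGET_PASS")
    user = url_user or quote(var_user or "", safe=SAFE_CHARS)
    password = url_pass or quote(var_pass or "", safe=SAFE_CHARS)
    auth = user + (":" + password if password else "")
    return f"{scheme}://{auth}@{rest}" if auth else f"{scheme}://{rest}"

def mode_is_private(mode):
    """True when a st_mode grants no group/other access; the conf holds
    GPG_PW and TARGET_PASS in clear text, so 0600 is the mode to expect."""
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))

if __name__ == "__main__":
    conf = parse_duply_conf(SAMPLE_CONF)
    print(build_target(conf))  # ftp://backupuser:secret@backup.example.com/
```

Feed `os.stat('/root/.duply/exampleuser/conf').st_mode` to `mode_is_private` to check the real profile.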