The idea is to setup daily encrypted incremental backups.

This scheme involves 3 machines: the main server to be backed up (, the backup server ( and a nagios server ( for monitoring the backups. There can be as many servers and folders to be backed of as needed of course.

All the following was done on Linux Ubuntu machines. There’s not much details, use at your own risk.

December 2018 update

I have dropped this solution in favor of rdiff-backup because of the insane amount of cache data duplicity is using.

On Your system administrator machine

  1. Prepare the GPG key to be used (adapt as needed)

    $ gpg --gen-key
    $ gpg --export D68E26B0 > sysadmin.public.gpg.asc
  2. Keep the private key safe, you’ll need it to restore backups.

On servers to be backed up

  1. Install/Upgrade duplicity

    $ sudo add-apt-repository ppa:duplicity-team/ppa
    $ sudo apt-get update
    $ apt-get install duplicity
  2. Copy the public gpg key, import it as root, and trust it (ultimate):

    # gpg --import sysadmin.public.gpg.asc
    # gpg --edit-key D68E26B0
    gpg> trust
  3. Test backup

    # LANG=en_US.UTF-8 duplicity --encrypt-key D68E26B0 /etc s
    # LANG=en_US.UTF-8 duplicity collection-status s
  4. Setup backup cron

    @daily LANG=en_US duplicity --encrypt-key D68E26B0 /etc s

Nagios monitoring

The idea is to setup a probe using the duplicity’s collection-status command to test the backup freshness.

  1. Create a SSH key for nagios user (ssh-keygen). Since nagios user has no shell associated it must be created for another user and then copied to nagios’ home .ssh/ The .ssh/known_hosts file must also be setup to contain the backup machine key certificate.

  2. Setup Nagios on

    to monitor your main server using the simple script below. This implies you are doing a daily backup, adapt as needed.

    • /usr/local/nagios/libexec/check_duplicity_backup

      #Verifying if the backup plan is working or not                                                                                                                                  
      export LANG=en_US
      duplicity collection-status $BACKUP_BASE_DIR$Host/$Folder > $TMP 2> /dev/null
      TODAY=$(LANG=en_US date +"%a %b %d")
      YESTERDAY=$(LANG=en_US date +"%a %b %d" -d yesterday)
      Latest=$(egrep "^Chain end time:" $TMP)
      rm -f $TMP
      if [[ $1 == "" ]]; then echo "Critical - Configuration Broken"; exit 2; fi
      if [[ $exitcode != 0 ]]; then echo "Critical - Check command failed"; exit 2; fi
      if [[ $Latest == "" ]]; then echo "Critical - No backup found at $BACKUP_BASE_DIR$Host/$Folder"; exit 2; fi
      if [[ $Latest == *$TODAY* ]]
          echo "OK - $Latest" 
          exit 0
      elif [[ $Latest == *$YESTERDAY* ]]
          echo "Warning - $Latest" 
          exit 1
          echo "Critical - $Latest" 
          exit 2
    • commands.cfg

      define command{
              command_name    check_duplicity_backup
              command_line    $USER1$/check_duplicity_backup $ARG1$ $ARG2$ 

      define service{
              use                             generic-service         ; Name of service template to use
              service_description             Backup /etc/
              check_command                   check_duplicity_backup!!etc
              first_notification_delay 0