Backing up your dedicated server on Scaleway Object Storage with Duplicity

• duplicity
• backup
• gpg
• s3

In this article, we will learn how to back up data from a Scaleway Instance, using Scaleway’s Object Storage service and Duplicity. Duplicity is a free and open-source tool that backs up folders to a remote server, in this case, an Object Storage bucket. Using libsync and GPG, Duplicity can make space-efficient encrypted backups.

Our objectives are to:

• Make production-ready automatic backups of our data.
• Save cost using bandwidth and space-efficient incremental backups.
• Preserve a robust layer of security and privacy with asymmetrical encryption.

To achieve this, we will:

• Create a bucket in Scaleway’s Object Storage
• Install Duplicity
• Generate a GPG key
• Combine Duplicity and Scaleway Object Storage

Although this tutorial focuses on backing up an Instance, you can also back up a dedicated server with Duplicity. When you are using a Scaleway Dedibox or a Scaleway Elastic Metal server, the data transfer is free of charge within the same region.

Before you startLink to this anchor

To complete the actions presented below, you must have:

• A Scaleway account logged into the console
• Owner status or IAM permissions allowing you to perform actions in the intended Organization
• A valid API key
• An Instance running Ubuntu or Debian

Creating an Object Storage bucketLink to this anchor

Follow the instructions to create an Object Storage bucket. This bucket will be used to back up your Instance’s data.

Installing software requirementsLink to this anchor

In this step, we install the various software needed. As well as installing Duplicity itself, Duplicity needs us to generate a GPG key so that it can encrypt the data. For GPG key generation, we need to create some entropy, so we also install Haveged to generate a small amount of entropy.

Run the following command to update the APT package manager, upgrade the software already installed on the server and download and install Duplicity and the other required software:

sudo apt update && sudo apt upgrade -y
sudo apt install -y python3-pip gnupg2 haveged duplicity

Creating a GPG keyLink to this anchor

1. Generate the GPG key with the following command.

   gpg --full-generate-key
   

   Enter and remember a passphrase. You are asked to define the characteristics of your keys. We go with the default settings:

   • What kind of key you want: (1) RSA and RSA (default)
   • What key size you want: (3072)
   • How long the key should be valid: 0 = key does not expire

   GPG then asks for a name for your key, an address, and a description.

   gpg --full-generate-key
   gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
   Please select what kind of key you want:
     (1) RSA and RSA (default)
     (2) DSA and Elgamal
     (3) DSA (sign only)
     (4) RSA (sign only)
   Your selection? 1
   RSA keys may be between 1024 and 4096 bits long.
   What keysize do you want? (3072) 3072
   Requested keysize is 3072 bits
   Please specify how long the key should be valid.
     0 = key does not expire
     <n>  = key expires in n days
     <n>w = key expires in n weeks
     <n>m = key expires in n months
     <n>y = key expires in n years
   Key is valid for? (0) 0
   Key does not expire at all
   Is this correct? (y/N) y
   GnuPG needs to construct a user ID to identify your key.
   Real name: backups
   Email address: me@scaleway.com
   Comment: Scaleway Object Storage backups
   You selected this USER-ID:
     backups (Scaleway Object Storage backups) <me@scaleway.com>
   Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
   We need to generate a lot of random bytes. It is a good idea to perform
   some other action (type on the keyboard, move the mouse, utilize the
   disks) during the prime generation; this gives the random number
   generator a better chance to gain enough entropy.
   gpg: key XXXXXXXXXXXXXXXX marked as ultimately trusted
   public and secret key created and signed.
   pub   rsa3072  2020-03-26 [SC]
     XXXXXXXXXXXXX-FINGERPRINT-XXXXXXXXXXXXXX
   uid                      backups (Scaleway Object Storage backups) <me@scaleway.com>
   sub   rsa3072  2020-03-26 [E]
   

2. Copy the GPG key fingerprint (its location in the output is shown above), which could be an 8, 16 or 40 char long hash. You can also find the fingerprint of your key with the following command:

   gpg --list-keys
   gpg: checking the trustdb
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid: 1  signed: 0  trust: 0-, 0q, 0n, 0m, 0f, 1u
   /home/me/.gnupg/pubring.kbx
   ------------------------------
     pub rsa3072 2020-03-26 [SC]
       XXXXXXXXXXXXX-FINGERPRINT-XXXXXXXXXXXXXX
     uid 		[ultimate] backups (Scaleway Object Storage backups) <me@scaleway.com>
     sub rsa3072 2020-03-26 [E]
   

gpg --armor --export backups
gpg --armor --export-secret-key backups

Combining Duplicity and ScalewayLink to this anchor

As everything is installed and ready, we will now configure and script our interactions between our server and the cloud.

Editing the configurationLink to this anchor

1. Create our initial, empty script files and log files and make them executable.

       touch scw-backups.sh scw-restore.sh .scw-configrc
       chmod 700 scw-backups.sh scw-restore.sh
       chmod 600 .scw-configrc
       mkdir -p /var/log/duplicity
       touch /var/log/duplicity/logfile{.log,-recent.log}
   

2. Create a config file ~/.scw-backup.env. Make sure you replace the necessary values with the details of your Scaleway API key, Object Storage bucket, and GPG key. You also need to enter a path to the folder you want to back up:

   # Scaleway credentials keys
   export AWS_ACCESS_KEY_ID="<SCALEWAY ACCESS KEY>"
   export AWS_SECRET_ACCESS_KEY="<SCALEWAY SECRET KEY>"
   export SCW_REGION="<REGION OF YOUR BUCKET>s"
   export SCW_ENDPOINT_URL="https://s3.${SCW_REGION}.scw.cloud"
   export SCW_BUCKET="s3://<YOUR BUCKET NAME>"
   # GPG Key information
   export GPG_FINGERPRINT="<YOUR GPG KEY FINGERPRINT>"
   export PASSPHRASE="<YOUR GPG KEY PASSPHRASE>"
   # Folder to backup
   export SOURCE="/path/to/backup"
   # Will keep backup up to 1 month
   export KEEP_BACKUP_TIME="1M"
   # Will make a full backup every 10 days
   export FULL_BACKUP_TIME="10D"
   # Log files
   export LOGFILE_RECENT="/var/log/duplicity/logfile-recent.log"
   export LOGFILE="/var/log/duplicity/logfile.log"
   

The backup policy described here makes a full backup every 10 days and removes all backups older than one month.

Backup scriptLink to this anchor

Using the configuration and Duplicity, we automatize the backup process with the scw-backups.sh script.

1. Copy the following script to scw-backups.sh:

   #!/bin/bash
   source ~/.scw-backup.env
   mkdir -p /var/log/duplicity
   touch "$LOGFILE_RECENT" "$LOGFILE"
   currently_backuping=$(pgrep -f duplicity | wc -l)
   if [ "$currently_backuping" -eq 0 ]; then
     echo "$(date '+%F %T') >>> Removing old backups" >> "$LOGFILE_RECENT"
     duplicity remove-older-than "$KEEP_BACKUP_TIME" "$SCW_BUCKET" \
       --s3-endpoint-url "$SCW_ENDPOINT_URL" \
       --s3-region-name "$SCW_REGION" >> "$LOGFILE_RECENT" 2>&1
     echo "$(date '+%F %T') >>> Running backup" >> "$LOGFILE_RECENT"
     duplicity \
       incr --full-if-older-than "$FULL_BACKUP_TIME" \
       --asynchronous-upload \
       --encrypt-key="$GPG_FINGERPRINT" \
       --sign-key="$GPG_FINGERPRINT" \
       --s3-endpoint-url "$SCW_ENDPOINT_URL" \
       --s3-region-name "$SCW_REGION" \
       "$SOURCE" "$SCW_BUCKET" >> "$LOGFILE_RECENT" 2>&1
     cat "$LOGFILE_RECENT" >> "$LOGFILE"
   fi
   

2. Make the script executable:

   chmod +x ~/scw-backup.sh
   

3. Run the script ./scw-backups.sh to make sure the configuration is correctly set. Check the Object Storage bucket on the Scaleway console to see the backup files, or examine the logs with the following command:

   cat /var/log/duplicity/logfile-recent.log
   

Script the recovery of dataLink to this anchor

Duplicity also allows you to recover a backup. We will create a script to make the process easier.

1. Add the following script to scw-restore.sh:

   #!/bin/bash
   source ~/.scw-backup.env
   if [ $# -lt 2 ]; then
     echo "Usage: $0 <time or delta> [file to restore] <restore dir>"
     exit 1
   fi
   if [ $# -eq 2 ]; then
     duplicity \
       --s3-endpoint-url "$SCW_ENDPOINT_URL" \
       --s3-region-name "$SCW_REGION" \
       --time "$1" \
       "$SCW_BUCKET" "$2"
   elif [ $# -eq 3 ]; then
     duplicity \
       --s3-endpoint-url "$SCW_ENDPOINT_URL" \
       --s3-region-name "$SCW_REGION" \
       --time "$1" \
       --file-to-restore "$2" \
       "$SCW_BUCKET" "$3"
   fi
   

2. Make the script executable:

   chmod +x ~/scw-restore.sh
   

Automation of the backupsLink to this anchor

1. Use the command crontab -e to edit your crontab file and add the line to create a script that will run twice a day at 1:00 and 13:00 (1 AM and 1 PM):

       crontab -e
   

2. Select your editor and write:

       PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
       SHELL=/bin/bash
       00 1,13 * * * <FULL PATH TO>/scw-backups.sh > /dev/null 2>&1
   

ConclusionLink to this anchor

We created an automatic backup using Duplicity, hosting the encrypted data on Scaleway’s Object Storage. We are able to recover specific files or the entire backup itself at a given date.

To continue your implementation, you may want to consider the following:

• Duply, giving you a front-end view of the backups.
• Backing up more than one folder using “SOURCE=/” and the --include= and --exclude= options of duplicity.
• Adapt the backup policy with more frequent backups, that are conserved.