Encrypted Remote Backups via Rsync?
Solution 1
I would take a look at Duplicity. It is free and easy to use.
Duplicity will do full and incremental backups and transfer them using rsync, FTP, SFTP, etc.
Duplicity uses GPG to encrypt the backups and uses signature files and what not.
I use it to backup my email servers and it is fantastic, one simple batch file.
Solution 2
Warning There are some security concerns regarding encfs raised by this security review. Cryfs or ecryptfs should be considered instead ## sync local unencrypted data to remote encrypted backups via rsync ..
## mount read-only encrypted virtual copy of unencrypted local data :
encfs --reverse --idle=60 -o ro ~/data/ ~/.tmp_encrypted_data/
## rsync push local encrypted virtual copy of data to remote encrypted copy :
rsync -ai --whole-file ~/.tmp_encrypted_data/ [email protected]:backup/
## unmount encrypted virtual copy of local data :
fusermount -u ~/.tmp_encrypted_data/
Solution 3
rsyncrypto has been written exactly for this purpose. It allows you to leverage rsync's delta-copy algorithm while encrypting your data locally and storing the encrypted blobs remotely.
However, keep in mind that rsyncrypto makes a tradeoff between security and performance.
Solution 4
Here is my backup script based on Thor's answer (still valid several years later!). It adds copying of file .encfs6.xml as needed for later decryption (not needed on 2011?), creation of temporary folder for encrypted mount and reading of encryption password from file (for automated scripting):
#!/bin/bash
SOURCE=/home/jortiz/Documents/
BACKUP=/media/jortiz/BAK-EXGD/backup_ALMA_E6520/Documents
SOURCE_ENC=$(mktemp -d /tmp/source_enc.XXXXXX)
echo "Created temporary folder $SOURCE_ENC ..."
## sync local unencrypted data to remote encrypted backups via rsync
# mount read-only encrypted virtual copy of unencrypted local data
encfs --extpass="cat /home/jortiz/.passbackup" --reverse --idle=60 -o ro $SOURCE $SOURCE_ENC
# rsync push local encrypted virtual copy of data to remote encrypted copy
rsync -ai --whole-file $SOURCE_ENC/ $BACKUP
# Copy encfs xml file to backup folder for later decryption
rsync -ai --whole-file $SOURCE/.encfs6.xml $BACKUP
# unmount encrypted virtual copy of local data
fusermount -u $SOURCE_ENC
echo "Removing temporary folder $SOURCE_ENC ..."
rmdir $SOURCE_ENC
In my case, I am setting up a daily backup of my laptop and small servers to a external USB drive connected locally. I want to encrypt the backup just in case the drive disappears one day, together with some sensitive data.
Related videos on Youtube
Jake Wilson
Updated on September 17, 2022Comments
-
Jake Wilson over 1 year
I run a small modest CentOS server at my house for misc backups, etc. My friend on the other side of town also runs a small modest server at his house for similar purposes. We have been toying with the idea of using eachothers servers to do remote/offsite backups.
Basically, we'd each buy an external hdd to store at eachothers homes, hooked up to eachothers servers. Then, we'd each setup scheduled rsync's to push the appropriate data from one server to the external hdd on the other server. Pretty straightforward for the most part.
However, one thing that is important (at least for me) is data encrpytion. I want to store my data on the external hdd on my friends server. But I don't want my friend (or anyone who accesses my friend's server) to be able to read whats on the external hdd.
What is the best approach to this? Can you use rsync to send data to an encrypted hdd drive and somehow pass a passphrase along with the data that it uses to write it once it reaches the server?
-
Luma almost 14 yearsthat is what is nice about Duplicity, it encrypts it before leaving the computer but it is fully capable of doing incremental backups by reading signatures/change lists and what not, that is why I suggested it to him. The first backup will take a long time but after that he will be good to go while maintaining a nice level of security.
-
Jake Wilson almost 14 yearswow duplicity rocks and is super easy to both back and restore. Thanks for the hint!
-
Mark K Cowan over 9 yearsWow, I'd never heard of EncFS before. This is AWESOME, given I have 200GB to sync to cloud from a laptop with a 240GB disk.
-
womble almost 9 yearsHaving had a quick look at how rsyncrypto works, I'm rather terrified at the idea of anyone using it. I'd like to see a reputable cryptographer's opinion on the approach before I trusted any of my data to it.
-
gamecreature almost 8 yearsThis solution seems more optimal then the duplicity or rsyncrypto variants. It's just a simple rsync of an encrypted (virtual) version of your files. That's just what was required in my situation. Problem with duplicity is the BIG full-backup. Problem with rsyncrypto is the requirement of a copy of your data. EncFS just encrypts it when rsync reads the data.. :D
-
Jerry about 4 yearsThe link in this answer is dead as of 2020-04-19.
-
Marcel Waldvogel almost 4 yearsIf you just want to copy data to a local USB disk, I recommend using full-disk encryption (with LUKS) and then doing
rsync --link-dest
to the drive. I expect this to be faster, more private, and using more proven technology, which is always good for backup. This has been rock-solid in my experience (and I had many backup disappointments, e.g. with TimeMachine to remote storage, Duplicity, and Btrfs with Snapshots). There are several examples forrsync --link-dest
uses out there, e.g. netfuture.ch/2013/08/… -
Jesse the Wind Wanderer almost 4 yearsUpdates the dead link as of 2020-06-26 to duplicity.nongnu.org
-
veio over 3 yearsHow do you access this data again?
-
mivk over 2 yearsThe web site moved again. I updated the link, which is now duplicity.gitlab.io/duplicity-web