<ol>
<li> <p>Create a backup service container.</p> </li>
<li> <p>Mount the source directories in the container.</p> </li>
<li> <p>Install duplicity in the container:</p>
<pre><code>apt install duplicity</code></pre> </li>
<li> <p>Install gnupg:</p>
<pre><code>apt install gnupg</code></pre>
<blockquote> <p>On some systems python-paramiko also has to be installed:</p>
<pre><code>apt install python-paramiko</code></pre> </blockquote> </li>
<li> <p>Create a GPG key dedicated to duplicity (in the keyring of the backup-service container), using the interactive shell (enter sane settings):</p>
<pre><code>gpg --full-generate-key</code></pre> </li>
<li> <p>Create an RSA key pair for the SSH connection used to store data off-site:</p>
<pre><code>ssh-keygen -t rsa -b 4096</code></pre> </li>
<li> <p>Add the resulting <code>/root/.ssh/rsa.pub</code> key to the hosting parties' <code>~/.ssh/authorized_keys</code>.</p> </li>
<li> <p>Create a <code>/root/duplicity-target-cfg.json</code> file with the information that defines the off-site (target) location:</p>
<pre><code>[
  {
    "description": "Offsite backup target server",
    "url": "sftp://&lt;user&gt;@&lt;server.address.com&gt;/&lt;path/to/target-location&gt;",
    "env": [
      {
        "name": "PASSPHRASE",
        "value": "&lt;GPG PASSPHRASE&gt;"
      }
    ]
  }
]</code></pre> </li>
<li> <p>Make <code>duplicity-target-cfg.json</code> readable and writable by its owner only (to prevent the GPG key passphrase from leaking):</p>
<pre><code>chmod 600 /root/duplicity-target-cfg.json</code></pre> </li>
<li> <p>List your GPG keys and copy your key's fingerprint to your clipboard:</p>
<pre><code>gpg --list-keys</code></pre> </li>
<li> <p>Edit the key with that fingerprint and set its trust level to ultimate (duplicity does not accept a lesser level):</p>
<pre><code>gpg --edit-key &lt;fingerprint/e-mail&gt;</code></pre>
<pre><code>gpg&gt; trust</code></pre> </li>
<li> <p>Create a bash script that implements the backup plan (the crontab entry in the next step expects it at <code>/root/offline_backup.sh</code>):</p>
<pre><code>#!/bin/bash

# Configuration
fingerprint="&lt;gpg-fingerprint&gt;"
source_config="&lt;path/to/source-data-mount&gt;"
target_config="multi:///root/duplicity-target-cfg.json?mode=mirror&amp;onfail=continue"

# Back up; start a new full backup when the last one is older than one week
duplicity --asynchronous-upload --full-if-older-than 1W --encrypt-key "${fingerprint}" "${source_config}" "${target_config}"

# Keep increments only for the most recent full backup
duplicity remove-all-inc-of-but-n-full 1 --force --encrypt-key "${fingerprint}" "${target_config}"

# Keep the 4 most recent full backups
duplicity remove-all-but-n-full 4 --force --encrypt-key "${fingerprint}" "${target_config}"

# Remove leftover files from failed or interrupted sessions
duplicity cleanup --force --encrypt-key "${fingerprint}" "${target_config}"</code></pre>
<blockquote> <p>This results in 4 full backups (weekly) and increments within a single week.</p> </blockquote> </li>
<li> <p>Create a crontab entry to schedule the backup plan:</p>
<pre><code>1 3 * * * flock -n /var/run/duplicity.pid bash /root/offline_backup.sh &gt; /var/log/duplicity.log 2&gt;&amp;1</code></pre> </li>
<li> <p>Issue <code>crontab -l</code> and copy and paste the command from the crontab to the command line to test whether it works.</p> </li>
</ol>
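<p>An added check, not part of the original instructions or of duplicity itself: it audits the target file from steps 8 and 9 for permissions wider than 600, invalid JSON and placeholders that were never filled in. The function names, the sample URL and the sample passphrase are constructed for illustration, and the expected keys are assumed from the config layout shown above.</p>

```python
import json
import os
import stat
import tempfile

def audit_target_config(path):
    """Return findings for a duplicity target file; an empty list means OK."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # file holds the GPG passphrase
        findings.append(f"mode {mode:03o} is open beyond the owner; expected 600")
    try:
        with open(path, encoding="utf-8") as fh:
            targets = json.load(fh)
    except json.JSONDecodeError as exc:
        return findings + [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(targets, list) or not targets:
        return findings + ["top level must be a non-empty list of targets"]
    for i, target in enumerate(targets):
        target = target if isinstance(target, dict) else {}
        url = target.get("url")
        if not isinstance(url, str) or not url:
            findings.append(f"target {i}: missing url")
        elif "<" in url or ">" in url:
            findings.append(f"target {i}: url still contains a <placeholder>")
        env = target.get("env") if isinstance(target.get("env"), list) else []
        secret = next((e.get("value") for e in env
                       if isinstance(e, dict) and e.get("name") == "PASSPHRASE"), None)
        # Report presence only; never echo the secret itself.
        if not isinstance(secret, str) or not secret:
            findings.append(f"target {i}: PASSPHRASE not set in env")
        elif secret.startswith("<") and secret.endswith(">"):
            findings.append(f"target {i}: PASSPHRASE is still a <placeholder>")
    return findings

def demo():
    """Audit a constructed config at mode 644, then again after chmod 600."""
    sample = [{"description": "constructed sample", "url": "sftp://backup@offsite.example/srv",
               "env": [{"name": "PASSPHRASE", "value": "constructed-sample-secret"}]}]
    with tempfile.NamedTemporaryFile("w", suffix=".json") as fh:
        json.dump(sample, fh)
        fh.flush()
        os.chmod(fh.name, 0o644)
        before = audit_target_config(fh.name)
        os.chmod(fh.name, 0o600)
        return before, audit_target_config(fh.name)

if __name__ == "__main__":
    print(demo())
```

<p>To audit the real file, call <code>audit_target_config("/root/duplicity-target-cfg.json")</code> before the first scheduled run.</p>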