Back up a Linux device to a Synology NAS using duplicity and rsync

How to back up your Linux workstation or server to a NAS using rsync and duplicity?

This article explains how to back up the data on your Linux workstation or server to your NAS using rsync and duplicity. Why duplicity? Because I wanted my data on the NAS to be encrypted, and rsync only helps with the copy process and does not deal with data encryption. Duplicity will create 25 MB encrypted tar files on your device and send them securely to your NAS with rsync.

I’m using a Synology NAS with DSM7 beta. I will assume that you already have an SSH key on your local device and can connect to your NAS with it.

Setting up the NAS

  1. Make sure User home is enabled.
     [Image: ‘User home’ settings in DSM 7 beta]
  2. Create a new user for your backups (I will be very original and call it backups) and give it rsync permissions.
  3. Check that SSH is active and that your firewall settings let rsync and SSH through.
     [Image: Enabling SSH]
  4. As an admin, ssh to your NAS and edit the sshd config file (sudo vim /etc/ssh/sshd_config) to uncomment the lines PubkeyAuthentication yes and AuthorizedKeysFile .ssh/authorized_keys. This allows rsync to connect using SSH public key authentication.
  5. Restart the SSH service. This should be doable from the command line, but it has changed with the new DSM beta version I’m using. This works: in Control panel > Terminal & SNMP, disable and re-enable the option.
  6. Give temporary admin rights to the backups user so you can connect as it via ssh. Then connect to your server with.
     [Image: The admin panel]
  7. In the backups account home folder, create a file .ssh/authorized_keys and copy your local device's public key into it. You might want to generate a brand new one just for the backups (local public keys are in ~/.ssh/).
  8. Create a folder in the backups home folder where the files will be copied (I’ll create ~/laptop).
  9. To allow access to rsync, give the following permissions:
    chmod 0711 ~
    chmod 0711 ~/.ssh
    chmod 0600 ~/.ssh/authorized_keys
  10. Optional: exit the SSH session and check that it worked by trying to ssh to your server again; it shouldn’t ask for a password anymore.
  11. Remove the admin permissions from the backups account.
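
If the key login still prompts for a password after the chmod commands above, the usual cause is ownership or write permissions on the key path. The following check is an added example (not part of the original setup) to run on the NAS as the backups user; it assumes sshd's default StrictModes behaviour and reports any of the three paths that is missing, group- or world-writable, or owned by another user, plus an authorized_keys file that is not 0600.

```shell
#!/bin/sh
# Added example: audit the SSH key files of the backup account.
# Usage: check_ssh_perms HOME_DIR [EXPECTED_UID]
# Prints one line per problem and returns non-zero if any was found.

perm_string() { ls -ldn "$1" | cut -c1-10; }        # e.g. drwx--x--x
owner_uid()   { ls -ldn "$1" | awk '{print $3}'; }  # numeric owner

check_ssh_perms() {
    home=$1; uid=${2:-$(id -u)}; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; rc=1; continue
        fi
        perms=$(perm_string "$p")
        # With StrictModes, sshd ignores the key file when the home
        # directory, .ssh or authorized_keys is writable by group or others.
        case $perms in
            ?????w????|????????w?) echo "WRITABLE $p ($perms)"; rc=1 ;;
        esac
        # Each path must belong to the account itself (or to root).
        o=$(owner_uid "$p")
        if [ "$o" != "$uid" ] && [ "$o" != 0 ]; then
            echo "OWNER    $p (uid $o)"; rc=1
        fi
    done
    # The key list should match the 0600 mode set in the steps above.
    k="$home/.ssh/authorized_keys"
    if [ -f "$k" ]; then
        case $(perm_string "$k") in
            -rw-------) ;;
            *) echo "MODE     $k is not 0600"; rc=1 ;;
        esac
    fi
    return $rc
}
```

Run it as `check_ssh_perms ~` in the backups account's SSH session; no output and a zero exit status mean the three paths match the permissions set above.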

Setting up the local device

GPG encryption

On your Linux device, generate a GPG key for duplicity: gpg --gen-key [--homedir=/root/.gnupg]
Add --homedir if you plan on using the GPG key in cron (as I do below). Without it, the root user won’t be able to find the GPG key.

Take note of your new key ID (you can always find it with gpg --list-keys).

[Image: The GPG public ID]

Make sure you keep a copy of the private key somewhere safe, for when you need to restore your backups (you can export it with gpg --export-secret-key -a "<gpg key id>" > gpg_private.asc).

Setting up daily backups with crontab

I want my backups to be done incrementally every morning and fully once a month. I will use cron as root so that the files to back up are not locked.
The folders I want to back up are:

  • /etc
  • /var, excluding /var/run and /var/log
  • /home, excluding /home/*/.cache, /home/*/.local/share/Trash, and some personal folders

Create a script to run duplicity, here is mine, update it for your needs:

#!/bin/sh
# Script created on 2121-03-08
# This script backs up a Linux device with Duplicity.
# Full backups are made monthly.
# Incremental backups are made daily.
# It contains the GPG passphrase: keep it owned by root and readable by root only.
set -e -u
# Replace the placeholders below with your own values.
GPG_KEY="<your gpg key>"
GPG_PASS="<your gpg password>"
SERVER_ADDRESS="<your NAS address>"
BACKUP_USER="backups"
LOG_FILE="<path to the duplicity log file>"
NOW=$(date '+%Y-%m-%d %H:%M:%S')
# duplicity reads the key passphrase from the PASSPHRASE environment variable.
export PASSPHRASE="$GPG_PASS"

echo "------------------------------"
echo "${NOW} - Backup is starting…"
echo "------------------------------"

echo "Backing up /etc"
# This rsync command is only there to make sure that the /etc folder exists on the NAS before starting the backup.
rsync -av --exclude='/*/*' /etc "$BACKUP_USER@$SERVER_ADDRESS:laptop"
duplicity --full-if-older-than 1M --gpg-options "--homedir=/root/.gnupg" --encrypt-key "$GPG_KEY" --log-file "$LOG_FILE" /etc "rsync://$BACKUP_USER@$SERVER_ADDRESS:/laptop/etc"

echo "Backing up /var"
rsync -av --exclude='/*/*' /var "$BACKUP_USER@$SERVER_ADDRESS:laptop"
duplicity --full-if-older-than 1M --gpg-options "--homedir=/root/.gnupg" --encrypt-key "$GPG_KEY" --log-file "$LOG_FILE" --exclude /var/tmp --exclude /var/run --exclude /var/log /var "rsync://$BACKUP_USER@$SERVER_ADDRESS:/laptop/var"

echo "Backing up /home"
rsync -av --exclude='/*/*' /home "$BACKUP_USER@$SERVER_ADDRESS:laptop"
# The glob patterns are quoted so that duplicity expands them, not the shell.
duplicity --full-if-older-than 1M --gpg-options "--homedir=/root/.gnupg" --encrypt-key "$GPG_KEY" --log-file "$LOG_FILE" \
     --exclude '/home/*/.cache' \
     --exclude '/home/*/.local/share/Trash' \
     --exclude "/home/remi/VirtualBox VMs" \
     /home "rsync://$BACKUP_USER@$SERVER_ADDRESS:/laptop/home"

unset PASSPHRASE
echo "Backing up is done."
exit 0

Using sudo crontab -e, I’ve added the following line at the end so it runs my script every day at 9am: 00 09 * * * sh -x /home/remi/

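Tip: you can redirect the cron output to a file for debugging: 00 09 * * * sh -x /home/remi/ > /home/remi/debugCron.txt 2>&1
Because sh -x traces every command it runs, that file will contain the GPG_PASS value from the script; delete it once you are done debugging.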
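
The script above keeps the passphrase in GPG_PASS inside the script file itself. As an added example (not the author's script), the function below loads it from a separate file instead and refuses the file unless it is a regular file, owned by the invoking user, with mode 0600 or 0400; the path /root/.duplicity_pass in the comments is a hypothetical name.

```shell
#!/bin/sh
# Added example: load the duplicity passphrase from a root-only file.
# Usage: load_passphrase FILE
# Exports PASSPHRASE on success; prints the reason and returns 1 otherwise.

load_passphrase() {
    f=$1
    # A symlink could point at a file someone else controls.
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "passphrase file $f is missing or not a regular file" >&2
        return 1
    fi
    perms=$(ls -ldn "$f" | cut -c1-10)
    owner=$(ls -ldn "$f" | awk '{print $3}')
    # Accept only -rw------- or -r--------: no group or other access.
    case $perms in
        -r??------) ;;
        *) echo "refusing $f: mode is $perms, expected 0600 or 0400" >&2
           return 1 ;;
    esac
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing $f: owned by uid $owner" >&2
        return 1
    fi
    # Read the first line only; tolerate a missing final newline.
    PASSPHRASE=
    IFS= read -r PASSPHRASE < "$f" || :
    if [ -z "$PASSPHRASE" ]; then
        echo "refusing $f: first line is empty" >&2
        return 1
    fi
    export PASSPHRASE
}

# In the backup script this would replace the GPG_PASS line
# (hypothetical path, created once with mode 0600 as root):
#   load_passphrase /root/.duplicity_pass || exit 1
#   duplicity ... ; unset PASSPHRASE
```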

Extra duplicity commands

Restore a backup

This command restores the /etc folder from the NAS to the /home/remi/restored_etc target directory:

sudo PASSPHRASE=<gpg password> duplicity --gpg-options "--homedir=/root/.gnupg" --encrypt-key=<gpg key id> rsync://backups@ /home/remi/restored_etc

Verify a backup

This command checks the remote /etc backup against the local /etc folder.

sudo PASSPHRASE=<gpg password> duplicity verify --gpg-options "--homedir=/root/.gnupg" --encrypt-key=<gpg key id> rsync://backups@ /etc

Restore a specific file

The following command restores the vsftpd.userlist file from the NAS to /home/remi/vsftpd.userlist:

sudo PASSPHRASE=<gpg password> duplicity restore --file-to-restore vsftpd.userlist --gpg-options "--homedir=/root/.gnupg" --encrypt-key=<gpg key id> rsync://backups@ /home/remi/vsftpd.userlist

Remove old backups

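To remove old backups (here, those more than 6 months old), use the command below. Without the --force option, duplicity only lists the backup sets it would delete.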

sudo PASSPHRASE=<gpg password> duplicity remove-older-than 6M --gpg-options="--homedir=/root/.gnupg" --encrypt-key=<gpg key id> rsync://backups@

