Projektdokumentation Backup-Server

Protokoll

Protokoll über die durchgeführte Projektarbeit

Dokumentation (max. 10 Seiten; max. 5MB groß)

Deckblatt (wird bei Seitenanzahl nicht mitgerechnet)

Projektbezeichnung: Aufbau und Einrichtung eines Backup-Servers in einem LAN für Client-Backups und zusätzlich Einrichtung einer externen Backup-Lösung.
Namen und Vornamen: Quies, Robert
Prüfungsausschuss: ITSE 02
Ausbildungsberuf: IT-Systemelektroniker
Ausbildungsstätte bzw. Praktikumsbetrieb: itw gGmbH, Groninger Straße 25, 13347 Berlin bzw. Dirk Wagner Berlin, Carstennstraße 6, 12205 Berlin

Inhaltsverzeichnis (wird bei Seitenanzahl nicht mitgerechnet)

Einleitung

Aufbau und Einrichtung eines Backup-Servers in einem LAN für Client-Backups und zusätzlich Einrichtung einer externen Backup-Lösung.

IST

Internet-Zugang mit 1 Gbit/s
Router: Betriebssystem: OPNsense
Drei Clients: Betriebssystem: Debian GNU/Linux
Das Backup wird bisher unregelmäßig direkt vom Client durchgeführt.
Kein Backup-Server im LAN vorhanden.
Das Datenvolumen der zu sichernden Daten beträgt bisher ca. 1 TB, soll aber sukzessive wachsen.

SOLL

Ein zweistufiges Backup-System soll eingerichtet werden.
Ein lokaler Server soll eingerichtet werden, auf dem die Daten der Clients im LAN gesichert werden.
Zusätzlich soll ein externer Backup-Server angemietet werden, auf dem die Dateien des lokalen Servers verschlüsselt übertragen und in Archiven gesichert werden.
Bestandteil der Lösung soll ein automatisierter Backup-Turnus sein.
Die Hardware für den lokalen Backup-Server soll neu angeschafft werden.

Startphase

Projektplanung

Angebote

Entscheidungstabelle

Entscheidungstabelle	Regeln
R1	R2	R3	R4	R5	R6	R7	R8
Bedingung	ggggggggg	hhhhhhhh	iiiiiiiiii

Durchführungsphase

Verbindung per ssh: interner Backup-Server zu externem Backup-Server

Neues SSH-Schlüsselpaar generieren

# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:3ZeuQsMoEyjbiFkgf+GsWabX7dugttaCoM1fZTySTao root@linsrv01
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|o   .            |
|.o o o  .        |
|  + B .* . .   . |
| + % .+oSo. . o  |
|o B o.++o.+  o   |
| + oE..=.. .  .  |
|. o ..+.oo.  .   |
|   ..ooo.....    |
+----[SHA256]-----+

Wichtig: Damit das Einloggen später automatisch, d.h. hier ohne Passphrasenabfrage, funktioniert, einfach bei den Punkten

-Enter passphrase (empty for no passphrase):

-Enter same passphrase again:

nichts eingeben.

Das macht den Private-Key etwas unsicherer, ist aber in der Abwägung Praktikabilität zu Sicherheit zu verkraften.

authorized_keys-Datei erstellen

# cat /root/.ssh/id_rsa.pub >> /root/.ssh/storagebox_authorized_keys

authorized_keys-Datei hochladen

# echo -e "mkdir .ssh \n chmod 700 .ssh \n put /root/.ssh/storagebox_authorized_keys .ssh/authorized_keys \n chmod 600 .ssh/authorized_keys" | sftp -P23 user@domain
user@domain's password: 
Connected to user@domain.
sftp> mkdir .ssh 
sftp>  chmod 700 .ssh 
Changing mode on /home/.ssh
sftp>  put /root/.ssh/storagebox_authorized_keys /home/.ssh/authorized_keys 
Uploading /root/.ssh/storagebox_authorized_keys to /home/.ssh/authorized_keys
/root/.ssh/storagebox_authorized_keys  100%  395    13.5KB/s   00:00    
sftp>  chmod 600 /home/.ssh/authorized_keys
Changing mode on /home/.ssh/authorized_keys

Erneut auf externen Server einloggen. Jetzt ist keine Passworteingabe mehr nötig.

# sftp -P23 user@domain
Connected to user@domain.
sftp>

duply

Profil erstellen

duply <backupname> create

unter /root/.duply/backuptest/ werden die Dateien conf und exclude automatisch erstellt.

Wichtig:
# duply ersatzBU create

Congratulations. You just created the profile 'ersatzBU'.
The initial config file has been created as 
'/root/.duply/ersatzBU/conf'.
You should now adjust this config file to your needs.

IMPORTANT:
  Copy the _whole_ profile folder after the first backup to a safe place.
  It contains everything needed to restore your backups. You will need 
 it if you have to restore the backup from another system (e.g. after a 
 system crash). Keep access to these files restricted as they contain 
 _all_ informations (gpg data, ftp data) to access and modify your backups.

  Repeat this step after _all_ configuration changes. Some configuration options are crucial for restoration.

GPG Key erstellen

gpg --gen-key

oder

gpg --full-generate-key

Konsole

root@linsrv01:~# gpg --full-generate-key
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Bitte wählen Sie, welche Art von Schlüssel Sie möchten:
   (1) RSA und RSA (voreingestellt)
   (2) DSA und Elgamal
   (3) DSA (nur signieren/beglaubigen)
   (4) RSA (nur signieren/beglaubigen)
Ihre Auswahl? 1
RSA-Schlüssel können zwischen 1024 und 4096 Bit lang sein.
Welche Schlüssellänge wünschen Sie? (3072) 4096
Die verlangte Schlüssellänge beträgt 4096 Bit
Bitte wählen Sie, wie lange der Schlüssel gültig bleiben soll.
         0 = Schlüssel verfällt nie
      <n>  = Schlüssel verfällt nach n Tagen
      <n>w = Schlüssel verfällt nach n Wochen
      <n>m = Schlüssel verfällt nach n Monaten
      <n>y = Schlüssel verfällt nach n Jahren
Wie lange bleibt der Schlüssel gültig? (0) 1y
Key verfällt am Do 04 Nov 2021 18:26:30 CET
Ist dies richtig? (j/N) j

GnuPG erstellt eine User-ID, um Ihren Schlüssel identifizierbar zu  machen.

Ihr Name ("Vorname Nachname"): Robert Quies
Email-Adresse: raqju@web.de
Kommentar: Es grünt so grün, wenn Spaniens Blüten blühn.
Sie benutzen den Zeichensatz `utf-8'
Sie haben diese User-ID gewählt:
    "Robert Quies (Es grünt so grün, wenn Spaniens Blüten blühn.)  <raqju@web.de>"

Ändern: (N)ame, (K)ommentar, (E)-Mail oder (F)ertig/(A)bbrechen? F
Wir müssen eine ganze Menge Zufallswerte erzeugen.  Sie können dies
unterstützen, indem Sie z.B. in einem anderen Fenster/Konsole   irgendetwas
tippen, die Maus verwenden oder irgendwelche anderen Programme benutzen.
Wir müssen eine ganze Menge Zufallswerte erzeugen.  Sie können dies
unterstützen, indem Sie z.B. in einem anderen Fenster/Konsole  irgendetwas
tippen, die Maus verwenden oder irgendwelche anderen Programme benutzen.
gpg: /root/.gnupg/trustdb.gpg: trust-db erzeugt
gpg: Schlüssel F47E1B7450082D11 ist als ultimativ vertrauenswürdig gekennzeichnet
gpg: Verzeichnis `/root/.gnupg/openpgp-revocs.d' erzeugt
gpg: Widerrufzertifikat wurde als '/root/.gnupg/openpgp-revocs.d /60E3D3C9ED78CE4A40322BBAF47E1B7450082D11.rev' gespeichert.
Öffentlichen und geheimen Schlüssel erzeugt und signiert.

pub   rsa4096 2020-11-04 [SC] [verfällt: 2021-11-04]
      60E3D3C9ED78CE4A40322BBAF47E1B7450082D11
uid                      Robert Quies (Es grünt so grün, wenn Spaniens  Blüten blühn.) <raqju@web.de>
sub   rsa4096 2020-11-04 [E] [verfällt: 2021-11-04]

Key-ID anzeigen lassen

Private-Key

gpg --list-secret-keys --keyid-format LONG

Konsole

root@linsrv01:~# gpg --list-secret-keys --keyid-format LONG
gpg: "Trust-DB" wird überprüft
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: Tiefe: 0  gültig:   1  signiert:   0  Vertrauen: 0-, 0q, 0n, 0m,  0f, 1u
gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2021-11-04
/root/.gnupg/pubring.kbx
------------------------
sec   rsa4096/F47E1B7450082D11 2020-11-04 [SC] [verfällt: 2021-11-04]
      60E3D3C9ED78CE4A40322BBAF47E1B7450082D11
uid              [ ultimativ ] Robert Quies (Es grünt so grün, wenn  Spaniens Blüten blühn.) <raqju@web.de>
ssb   rsa4096/B2E20485FF7FC772 2020-11-04 [E] [verfällt: 2021-11-04]

Public-Key

gpg --list-keys --keyid-format LONG

Konsole

root@linsrv01:~# gpg --list-keys --keyid-format LONG
/root/.gnupg/pubring.kbx
------------------------
pub   rsa4096/F47E1B7450082D11 2020-11-04 [SC] [verfällt: 2021-11-04]
      60E3D3C9ED78CE4A40322BBAF47E1B7450082D11
uid              [ ultimativ ] Robert Quies (Es grünt so grün, wenn Spaniens Blüten blühn.) <raqju@web.de>
sub   rsa4096/B2E20485FF7FC772 2020-11-04 [E] [verfällt: 2021-11-04]

Konfiguration duply

vi /root/.duply/backuptest/conf

root@linsrv01:~# cat /root/.duply/backuptest/conf
# gpg encryption settings, simple settings:
#  GPG_KEY='disabled' - disables encryption alltogether
#  GPG_KEY='<key1>[,<key2>]'; GPG_PW='pass' - encrypt with keys,
#   sign if secret key of key1 is available use GPG_PW for sign & decrypt
#  Note: you can specify keys via all methods described in gpg manpage,
#        section "How to specify a user ID", escape commas (,) via backslash (\)
#        e.g. 'Mueller, Horst', 'Bernd' -> 'Mueller\, Horst, Bernd'
#        as they are used to separate the entries
#  GPG_PW='passphrase' - symmetric encryption using passphrase only
GPG_KEY='B2E20485FF7FC772 '
GPG_PW='roottutgut'
# gpg encryption settings in detail (extended settings)
#  the above settings translate to the following more specific settings
#  GPG_KEYS_ENC='<keyid1>[,<keyid2>,...]' - list of pubkeys to encrypt to
#  GPG_KEY_SIGN='<keyid1>|disabled' - a secret key for signing
#  GPG_PW='<passphrase>' - needed for signing, decryption and symmetric
#   encryption. If you want to deliver different passphrases for e.g. 
#   several keys or symmetric encryption plus key signing you can use
#   gpg-agent. Simply make sure that GPG_AGENT_INFO is set in environment.
#   also see "A NOTE ON SYMMETRIC ENCRYPTION AND SIGNING" in duplicity manpage 
# notes on en/decryption
#  private key and passphrase will only be needed for decryption or signing.
#  decryption happens on restore and incrementals (compare archdir contents).
#  for security reasons it makes sense to separate the signing key from the
#  encryption keys. https://answers.launchpad.net/duplicity/+question/107216
#GPG_KEYS_ENC='<pubkey1>,<pubkey2>,...'
#GPG_KEY_SIGN='<prvkey>'
# set if signing key passphrase differs from encryption (key) passphrase
# NOTE: available since duplicity 0.6.14, translates to SIGN_PASSPHRASE
#GPG_PW_SIGN='<signpass>'

# uncomment and set a file path or name force duply to use this gpg executable
# available in duplicity 0.7.04 and above (currently unreleased 06/2015)
#GPG='/usr/local/gpg-2.1/bin/gpg'

# gpg options passed from duplicity to gpg process (default=)
# e.g. "--trust-model pgp|classic|direct|always" 
#   or "--compress-algo=bzip2 --bzip2-compress-level=9"
#   or "--personal-cipher-preferences AES256,AES192,AES..."
#   or "--homedir ~/.duply" - keep keyring and gpg settings duply specific
#   or "--pinentry-mode loopback" - needed for GPG 2.1+ _and_
#      also enable allow-loopback-pinentry in your .gnupg/gpg-agent.conf
GPG_OPTS='--compress-algo=bzip2 --bzip2-compress-level=9 --personal- cipher-preferences AES256

# disable preliminary tests with the following setting
#GPG_TEST='disabled'

# backend, credentials & location of the backup target (URL-Format)
# generic syntax is
#   scheme://[user[:password]@]host[:port]/[/]path
# eg.
#   sftp://bob:secret@backupserver.com//home/bob/dupbkp
# for details and available backends see duplicity manpage, section URL Format
#   http://duplicity.nongnu.org/duplicity.1.html#sect7
# BE AWARE:
#   some backends (cloudfiles, S3 etc.) need additional env vars to be set to
#   work properly, read after the TARGET definition for more details.
# ATTENTION:
#   characters other than A-Za-z0-9.-_.~ in the URL have to be
#   replaced by their url encoded pendants, see
#     http://en.wikipedia.org/wiki/Url_encoding
#   if you define the credentials as TARGET_USER, TARGET_PASS below duply
#   will try to url_encode them for you if the need arises.
TARGET='file:///home/user/zielbackup'
# optionally the username/password can be defined as extra variables
# setting them here _and_ in TARGET results in an error
# ATTENTION:
#   there are backends that do not support the user/pass auth scheme.
#   prominent examples are S3, Azure, Cloudfiles. when in doubt consult the
#   duplicity manpage. usually there is a NOTE section explaining if and which
#   env vars should be set.
#TARGET_USER='_backend_username_'
#TARGET_PASS='_backend_password_'
# eg. for cloud files backend it might look like this (uncomment for use!)
#export CLOUDFILES_USERNAME='someuser'
#export CLOUDFILES_APIKEY='somekey'
#export CLOUDFILES_AUTHURL ='someurl'
# the following is an incomplete list (<backend>: comma separated env vars list)
# Azure: AZURE_ACCOUNT_NAME, AZURE_ACCOUNT_KEY
# Cloudfiles: CLOUDFILES_USERNAME, CLOUDFILES_APIKEY, CLOUDFILES_AUTHURL
# Google Cloud Storage: GS_ACCESS_KEY_ID, GS_SECRET_ACCESS_KEY
# Pydrive: GOOGLE_DRIVE_ACCOUNT_KEY, GOOGLE_DRIVE_SETTINGS
# S3: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
# Swift: SWIFT_USERNAME, SWIFT_PASSWORD, SWIFT_AUTHURL,
#        SWIFT_TENANTNAME OR SWIFT_PREAUTHURL, SWIFT_PREAUTHTOKEN

# base directory to backup
SOURCE='/'

# a command that runs duplicity e.g. 
#  shape bandwidth use via trickle
#  "trickle -s -u 640 -d 5120" # 5Mb up, 40Mb down"
#DUPL_PRECMD=""

# override the used python interpreter, defaults to
#  - parsed result of duplicity's shebang or 'python2'
#   e.g. "python2" or "/usr/bin/python2.7"
#PYTHON="python"

# exclude folders containing exclusion file (since duplicity 0.5.14)
# Uncomment the following two lines to enable this setting.
#FILENAME='.duplicity-ignore'
#DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"

# Time frame for old backups to keep, Used for the "purge" command.  
# see duplicity man page, chapter TIME_FORMATS)
MAX_AGE=1M

# Number of full backups to keep. Used for the "purgeFull" command. 
# See duplicity man page, action "remove-all-but-n-full".
MAX_FULL_BACKUPS=1

# Number of full backups for which incrementals will be kept for.
# Used for the "purgeIncr" command.
# See duplicity man page, action "remove-all-inc-of-but-n-full".
#MAX_FULLS_WITH_INCRS=1

# activates duplicity --full-if-older-than option (since duplicity v0.4.4.RC3) 
# forces a full backup if last full backup reaches a specified age, for the 
# format of MAX_FULLBKP_AGE see duplicity man page, chapter TIME_FORMATS
# Uncomment the following two lines to enable this setting.
#MAX_FULLBKP_AGE=1M
#DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE " 

# sets duplicity --volsize option (available since v0.4.3.RC7)
# set the size of backup chunks to VOLSIZE MB instead of the default 25MB.
# VOLSIZE must be number of MB's to set the volume size to.
# Uncomment the following two lines to enable this setting. 
VOLSIZE=100
DUPL_PARAMS="$DUPL_PARAMS --volsize $VOLSIZE "

# verbosity of output (error 0, warning 1-2, notice 3-4, info 5-8, debug 9)
# default is 4, if not set
VERBOSITY=8

# temporary file space. at least the size of the biggest file in backup
# for a successful restoration process. (default is '/tmp', if not set)
#TEMP_DIR=/tmp

# Modifies archive-dir option (since 0.6.0) Defines a folder that holds 
# unencrypted meta data of the backup, enabling new incrementals without the 
# need to decrypt backend metadata first. If empty or deleted somehow, the 
# private key and it's password are needed.
# NOTE: This is confidential data. Put it somewhere safe. It can grow  quite 
#       big over time so you might want to put it not in the home dir.
# default '~/.cache/duplicity/duply_<profile>/'
# if set  '${ARCH_DIR}/<profile>'
#ARCH_DIR=/some/space/safe/.duply-cache

# DEPRECATED setting
# sets duplicity --time-separator option (since v0.4.4.RC2) to allow users 
# to change the time separator from ':' to another character that will work 
# on their system.  HINT: For Windows SMB shares, use --time-separator='_'.
# NOTE: '-' is not valid as it conflicts with date separator.
# ATTENTION: only use this with duplicity < 0.5.10, since then default file 
#            naming is compatible and this option is pending depreciation 
#DUPL_PARAMS="$DUPL_PARAMS --time-separator _ "

# DEPRECATED setting
# activates duplicity --short-filenames option, when uploading to a file
# system that can't have filenames longer than 30 characters (e.g. Mac OS 8)
# or have problems with ':' as part of the filename (e.g. Microsoft Windows)
# ATTENTION: only use this with duplicity < 0.5.10, later versions default file 
#            naming is compatible and this option is pending depreciation
#DUPL_PARAMS="$DUPL_PARAMS --short-filenames "

# more duplicity command line options can be added in the following way
# don't forget to leave a separating space char at the end
#DUPL_PARAMS="$DUPL_PARAMS --put_your_options_here "

Konfiguration exclude

root@linsrv01:~# cat /root/.duply/backuptest/exclude 
# although called exclude, this file is actually a globbing file list
# duplicity accepts some globbing patterns, even including ones here
# here is an example, this incl. only 'dir/bar' except it's subfolder 'foo'
# - dir/bar/foo
# + dir/bar
# - **
# for more details see duplicity manpage, section File Selection
# http://duplicity.nongnu.org/duplicity.1.html#sect9

+ /etc
- **

Fehlermeldungen

Fehler 1 - Passphrase kann nicht abgefragt werden

Befehl

# duply /root/.duply/Name_Backup_Profil full

Meldung

[GNUPG:] PINENTRY_LAUNCHED 23758 curses 1.1.0 - linux -
gpg: Beglaubigung fehlgeschlagen: Unpassender IOCTL (I/O-Control) für das Gerät
[GNUPG:] BEGIN_ENCRYPTION 2 9
[GNUPG:] FAILURE sign-encrypt 83918950
gpg: /usr/bin/duply: sign+encrypt failed: Unpassender IOCTL (I/O-Control) für das Gerät

Lösung

echo use-agent >> ~/.gnupg/gpg.conf
echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
echo allow-loopback-pinentry >> ~/.gnupg/gpg-agent.conf

Hintergrund

Es kommt zu dieser Fehlermeldung, weil gpg die Passphrase nicht automatisch abfragen konnte.
Die erledigt der gpg-agent, der wiederum pinentry-curses zur sicheren Übertragung der Passphrase vewendet.
In der gpg.conf muss angegeben werden, dass der gpg-agent verwendet werden soll (use-agent).
Und in welchem Modus dieser verwendet werden soll (pinentry-mode loopback).
In der gpg-agent.conf muss dem gpg-agent erlaubt werden den loop-back-pinentry durchzuführen (allow-loopback-pinentry).

Fehler 2 - Fehlerhafte Option in gpg.conf eingetragen

Befehl

# duply /root/.duply/ersatzBU/ full                          
Start duply v2.1, time is 2020-11-10 11:55:58.

Ausgabe

INFO:
 
duplicity version check failed (please report, this is a bug)
the command
 duplicity --version 2>&1
resulted in
 gpg: /root/.gnupg/gpg.conf:2: invalid option
duplicity 0.7.18.2


Using profile '/root/.duply/ersatzBU'.
Using installed duplicity version INVALID, python 2.7.16 (/usr/bin/python2), gpg 2.2.12 (Home: /root/.gnupg), awk 'GNU Awk 4.2.1, API: 2.0 (GNU MPFR 4.0.2, GNU MP 6.1.2)', grep 'grep (GNU grep) 3.3', bash '5.0.3(1)-release (x86_64-pc-linux-gnu)'.
Encryption public key '1A955E6287B8E312' not found.

WARNING:

No keyfile for '1A955E6287B8E312' found in profile '/root/.duply/ersatzBU'.

Autoset trust of key '1A955E6287B8E312' to ultimate (FAILED)
For duply to work you have to set the trust level 
with the command "trust" to "ultimate" (5) now.
Exit the edit mode of gpg with "quit".
Running gpg to manually edit key '1A955E6287B8E312' (FAILED)
 
Sorry. A fatal ERROR occured:

Public gpg key '1A955E6287B8E312' cannot be found.
 
Hints:
    
  Doublecheck if the above key is listed by 'gpg --list-keys' or available 
 as gpg key file 'gpgkey.1A955E6287B8E312.asc' in the profile folder.
  If not you can put it there and duply will autoimport it on the next run.
  Alternatively import it manually as the user you plan to run duply with.

  Maybe you have not created a gpg key yet (e.g. gpg --gen-key)?
  Don't forget the used _password_ as you will need it.
  When done enter the 8 digit id & the password in the profile conf file.

  The key id can be found doing a 'gpg --list-keys'. In the  example output 
 below the key id would be FFFFFFFF for the public key.

  pub   1024D/FFFFFFFF 2007-12-17
  uid                  duplicity
  sub   2048g/899FE27F 2007-12-17

Lösung

War mein Fehler. 
Hatte echo "pintentry-mode loopback" >> ~/.gnupg/gpg.conf eingetragen 
und nicht echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf.

Fehler 3 - duply befindet privaten ssh-key (RSA) für nicht valide

Befehl

# duply /root/.duply/Name_Backup_Profil full

Meldung

# duply /root/.duply/ersatzBU/ full  
Start duply v2.1, time is 2020-11-10 12:17:27.
Using profile '/root/.duply/ersatzBU'.
Using installed duplicity version 0.7.18.2, python 2.7.16 (/usr/bin/python2), gpg 2.2.12 (Home: /root/.gnupg), awk 'GNU Awk 4.2.1, API: 2.0 (GNU MPFR 4.0.2, GNU MP 6.1.2)', grep 'grep (GNU grep) 3.3', bash '5.0.3(1)-release (x86_64-pc-linux-gnu)'.
Autoset found secret key of first GPG_KEY entry '1A955E6287B8E312' for signing.
Checking TEMP_DIR '/tmp' is a folder and writable (OK)
Test - Encrypt to '1A955E6287B8E312' & Sign with '1A955E6287B8E312' (OK)
Test - Decrypt (OK)
Test - Compare (OK)
Cleanup - Delete '/tmp/duply.3187.1605007047_*'(OK)
Backup PUB key '1A955E6287B8E312' to profile. (OK)
Write file 'gpgkey.1A955E6287B8E312.pub.asc' (OK)
Backup SEC key '1A955E6287B8E312' to profile. (OK)
Write file 'gpgkey.1A955E6287B8E312.sec.asc' (OK)

INFO:

duply exported new keys to your profile.
You should backup your changed profile folder now and store it in a safe place.


--- Start running command FULL at 12:17:30.512 ---
Using archive dir: /root/.cache/duplicity/duply_ersatzBU
Using backup name: duply_ersatzBU
Import of duplicity.backends.acdclibackend Succeeded
Import of duplicity.backends.azurebackend Succeeded
Import of duplicity.backends.b2backend Succeeded
Import of duplicity.backends.botobackend Succeeded
Import of duplicity.backends.cfbackend Succeeded
Import of duplicity.backends.dpbxbackend Failed: No module named dropbox
Import of duplicity.backends.gdocsbackend Succeeded
Import of duplicity.backends.giobackend Succeeded
Import of duplicity.backends.hsibackend Succeeded
Import of duplicity.backends.hubicbackend Succeeded
Import of duplicity.backends.imapbackend Succeeded
Import of duplicity.backends.lftpbackend Succeeded
Import of duplicity.backends.localbackend Succeeded
Import of duplicity.backends.mediafirebackend Succeeded
Import of duplicity.backends.megabackend Succeeded
Import of duplicity.backends.multibackend Succeeded
Import of duplicity.backends.ncftpbackend Succeeded
Import of duplicity.backends.onedrivebackend Succeeded
Import of duplicity.backends.par2backend Succeeded
Import of duplicity.backends.pydrivebackend Succeeded
Import of duplicity.backends.rsyncbackend Succeeded
Import of duplicity.backends.ssh_paramiko_backend Succeeded
Import of duplicity.backends.ssh_pexpect_backend Succeeded
Import of duplicity.backends.swiftbackend Succeeded
Import of duplicity.backends.sxbackend Succeeded
Import of duplicity.backends.tahoebackend Succeeded
Import of duplicity.backends.webdavbackend Succeeded
/usr/lib/python2.7/dist-packages/paramiko/ecdsakey.py:164: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
 self.ecdsa_curve.curve_class(), pointinfo
ssh: Connected (version 2.0, client OpenSSH_7.5)
Using temporary directory /tmp/duplicity-IXHreI-tempdir
Backend error detail: Traceback (innermost last):
  File "/usr/bin/duplicity", line 1567, in <module>
    with_tempdir(main)
  File "/usr/bin/duplicity", line 1553, in with_tempdir
    fn()
  File "/usr/bin/duplicity", line 1392, in main
    action = commandline.ProcessCommandLine(sys.argv[1:])
  File "/usr/lib/python2.7/dist-packages/duplicity/commandline.py", line 1135, in ProcessCommandLine
   backup, local_pathname = set_backend(args[0], args[1])
  File "/usr/lib/python2.7/dist-packages/duplicity/commandline.py", line 1010, in set_backend
   globals.backend = backend.get_backend(bend)
  File "/usr/lib/python2.7/dist-packages/duplicity/backend.py", line 223, in get_backend
   obj = get_backend_object(url_string)
  File "/usr/lib/python2.7/dist-packages/duplicity/backend.py", line 209, in get_backend_object
   return factory(pu)
  File "/usr/lib/python2.7/dist-packages/duplicity/backends/ssh_paramiko_backend.py", line 235, in __init__
    self.config['port'], e))
 BackendException: ssh connection to u153662-sub1@u153662.your-storagebox.de:23 failed: not a valid RSA private key file

BackendException: ssh connection to u153662-sub1@u153662.your-storagebox.de:23 failed: not a valid RSA private key file
12:17:31.728 Task 'FULL' failed with exit code '23'.
--- Finished state FAILED 'code 23' at 12:17:31.728 - Runtime 00:00:01.216 ---

Lösung

Benötigt duplicity den ssh-key im PEM-Format, wenn duplicity sich via ssh anmelden soll. - Verifiziert durch Duplizierung des Fehlers.

# ssh-keygen -p -f /root/.ssh/id_rsa -m pem -P "" -N ""

Änderung des Formats des ssh-Keys von OPENSSH zu PEM (Privacy-Enhanced Mail)

ssh-keygen

Option	Beschreibung
-p	Fordert die Änderung der Passphrase einer privaten Schlüsseldatei zu ändern, anstatt einen neuen privaten Schlüssel zu erstellen. Das Programm fordert Sie auf, die Datei mit dem privaten Schlüssel, die alte Passphrase und zweimal die neue Passphrase einzugeben.
-f	Dateiname. Gibt den Dateinamen der Schlüsseldatei an. Hier der Pfad /root/.ssh/id_rsa
-m	Geben Sie ein Schlüsselformat für die Konvertierungsoptionen -i (Import) oder -e (Export) an. Die unterstützten Schlüsselformate sind: "RFC4716" (öffentlicher oder privater RFC 4716 / SSH2-Schlüssel), "PKCS8" (öffentlicher PEM PKCS8-Schlüssel) oder "PEM" (öffentlicher PEM-Schlüssel). Das Standardkonvertierungsformat ist "RFC4716". Wenn Sie beim Generieren oder Aktualisieren eines unterstützten privaten Schlüsseltyps das Format "PEM" festlegen, wird der Schlüssel im alten privaten PEM-Schlüsselformat gespeichert. Hier soll der ssh-key in das PEM-Format konvertiert werden also: -m PEM. in engl.: Specify a key format for the -i (import) or -e (export) conversion options. The supported key formats are: "RFC4716" (RFC 4716/SSH2 public or private key), "PKCS8" (PEM PKCS8 public key) or "PEM" (PEM public key). The default conversion format is "RFC4716". Setting a format of "PEM" when generating or updating a supported private key type will cause the key to be stored in the legacy PEM private key format.
-P	passphrase Stellt die (alte) Passphrase bereit.
-N	new_passphrase Stellt die neue Passphrase bereit.
"Passphrase"	Da hier weder im alten noch im neuen Format für den ssh-key eine Passphrase verwendet wurde bzw. werden soll, wird zwischen den beiden " nichts eingetragen: ""

Danach klappt es:

# duply /root/.duply/ersatzBU/ full                    
Start duply v2.1, time is 2020-11-10 12:39:16.
Using profile '/root/.duply/ersatzBU'.
Using installed duplicity version 0.7.18.2, python 2.7.16 (/usr/bin/python2), gpg 2.2.12 (Home: /root/.gnupg), awk 'GNU Awk 4.2.1, API: 2.0 (GNU MPFR 4.0.2, GNU MP 6.1.2)', grep 'grep (GNU grep) 3.3', bash '5.0.3(1)-release (x86_64-pc-linux-gnu)'.
Autoset found secret key of first GPG_KEY entry '1A955E6287B8E312' for signing.
Checking TEMP_DIR '/tmp' is a folder and writable (OK)
Test - Encrypt to '1A955E6287B8E312' & Sign with '1A955E6287B8E312' (OK)
Test - Decrypt (OK)
Test - Compare (OK)
Cleanup - Delete '/tmp/duply.3711.1605008357_*'(OK)

--- Start running command FULL at 12:39:18.553 ---
Using archive dir: /root/.cache/duplicity/duply_ersatzBU
Using backup name: duply_ersatzBU
Import of duplicity.backends.acdclibackend Succeeded
Import of duplicity.backends.azurebackend Succeeded
Import of duplicity.backends.b2backend Succeeded
Import of duplicity.backends.botobackend Succeeded
Import of duplicity.backends.cfbackend Succeeded
Import of duplicity.backends.dpbxbackend Failed: No module named dropbox
Import of duplicity.backends.gdocsbackend Succeeded
Import of duplicity.backends.giobackend Succeeded
Import of duplicity.backends.hsibackend Succeeded
Import of duplicity.backends.hubicbackend Succeeded
Import of duplicity.backends.imapbackend Succeeded
Import of duplicity.backends.lftpbackend Succeeded
Import of duplicity.backends.localbackend Succeeded
Import of duplicity.backends.mediafirebackend Succeeded
Import of duplicity.backends.megabackend Succeeded
Import of duplicity.backends.multibackend Succeeded
Import of duplicity.backends.ncftpbackend Succeeded
Import of duplicity.backends.onedrivebackend Succeeded
Import of duplicity.backends.par2backend Succeeded
Import of duplicity.backends.pydrivebackend Succeeded
Import of duplicity.backends.rsyncbackend Succeeded
Import of duplicity.backends.ssh_paramiko_backend Succeeded
Import of duplicity.backends.ssh_pexpect_backend Succeeded
Import of duplicity.backends.swiftbackend Succeeded
Import of duplicity.backends.sxbackend Succeeded
Import of duplicity.backends.tahoebackend Succeeded
Import of duplicity.backends.webdavbackend Succeeded
/usr/lib/python2.7/dist-packages/paramiko/ecdsakey.py:164: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
  self.ecdsa_curve.curve_class(), pointinfo
ssh: Connected (version 2.0, client OpenSSH_7.5)
ssh: Authentication (publickey) successful!
ssh: [chan 0] Opened sftp connection (server version 3)
Reading globbing filelist /root/.duply/ersatzBU/exclude
Main action: full
================================================================================
duplicity 0.7.18.2 (October 17, 2018)
Args: /usr/bin/duplicity full --name duply_ersatzBU --encrypt-key 1A955E6287B8E312 --sign-key 1A955E6287B8E312 --verbosity 8 --gpg-options --compress-algo=bzip2 --bzip2-compress-level=9 --volsize 100 --exclude-filelist /root/.duply/ersatzBU/exclude / sftp://u153662-sub1@u153662.your-storagebox.de:23/backup
Linux debian1 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 
/usr/bin/python2 2.7.16 (default, Oct 10 2019, 22:02:15) 
[GCC 8.3.0]
================================================================================
Using temporary directory /tmp/duplicity-isr25J-tempdir
Temp has 606838784 available, backup will use approx 136314880.
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
Collection Status
-----------------
Connecting with backend: BackendWrapper
Archive dir: /root/.cache/duplicity/duply_ersatzBU

Found 0 secondary backup chains.
No backup chains with active signatures found
No orphaned or incomplete backup sets found.
Reuse configured PASSPHRASE as SIGN_PASSPHRASE
Using temporary directory /root/.cache/duplicity/duply_ersatzBU/duplicity-CWEaS8-tempdir
Using temporary directory /root/.cache/duplicity/duply_ersatzBU/duplicity-6dFeup-tempdir
AsyncScheduler: instantiating at concurrency 0
A .
A var
A var/cache
A var/cache/rsnapshot
AsyncScheduler: running task synchronously (asynchronicity disabled)
Writing duplicity-full.20201110T113919Z.vol1.difftar.gpg
Deleting /tmp/duplicity-isr25J-tempdir/mktemp-iyc8sL-2
AsyncScheduler: task completed successfully
Processed volume 1
Writing duplicity-full-signatures.20201110T113919Z.sigtar.gpg
Deleting /root/.cache/duplicity/duply_ersatzBU/duplicity-full-signatures.20201110T113919Z.sigtar.gpg
Writing duplicity-full.20201110T113919Z.manifest.gpg
Deleting /root/.cache/duplicity/duply_ersatzBU/duplicity-full.20201110T113919Z.manifest.gpg
--------------[ Backup Statistics ]--------------
StartTime 1605008359.92 (Tue Nov 10 12:39:19 2020)
EndTime 1605008359.97 (Tue Nov 10 12:39:19 2020)
ElapsedTime 0.04 (0.04 seconds)
SourceFiles 4
SourceFileSize 16384 (16.0 KB)
NewFiles 4
NewFileSize 16384 (16.0 KB)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 4
RawDeltaSize 0 (0 bytes)
TotalDestinationSizeChange 1582 (1.54 KB)
Errors 0
-------------------------------------------------

--- Finished state OK at 12:39:21.932 - Runtime 00:00:03.379 ---

duply auf asynchronen Modus umstellen

Arbeitet Backupvorgang effizienter ab.

AsyncScheduler: running task synchronously (asynchronicity disabled)

bei duplicity Option:

--asynchronous-upload

Diese Option in der .duply/conf eintragen unter:

# more duplicity command line options can be added in the following way
# don't forget to leave a seperating space char at the end
DUPL_PARAMS="$DUPL_PARAMS --asynchronous-upload "

Danach

# duply /root/.duply/ersatzBU/ full                
Start duply v2.1, time is 2020-11-10 13:27:40.
Using profile '/root/.duply/ersatzBU'.
Using installed duplicity version 0.7.18.2, python 2.7.16 (/usr/bin/python2), gpg 2.2.12 (Home: /root/.gnupg), awk 'GNU Awk 4.2.1, API: 2.0 (GNU MPFR 4.0.2, GNU MP 6.1.2)', grep 'grep (GNU grep) 3.3', bash '5.0.3(1)-release (x86_64-pc-linux-gnu)'.
Autoset found secret key of first GPG_KEY entry '1A955E6287B8E312' for signing.
Checking TEMP_DIR '/tmp' is a folder and writable (OK)
Test - Encrypt to '1A955E6287B8E312' & Sign with '1A955E6287B8E312' (OK)
Test - Decrypt (OK)
Test - Compare (OK)
Cleanup - Delete '/tmp/duply.4565.1605011260_*'(OK)

--- Start running command FULL at 13:27:41.716 ---
Using archive dir: /root/.cache/duplicity/duply_ersatzBU
Using backup name: duply_ersatzBU
Import of duplicity.backends.acdclibackend Succeeded
Import of duplicity.backends.azurebackend Succeeded
Import of duplicity.backends.b2backend Succeeded
Import of duplicity.backends.botobackend Succeeded
Import of duplicity.backends.cfbackend Succeeded
Import of duplicity.backends.dpbxbackend Failed: No module named dropbox
Import of duplicity.backends.gdocsbackend Succeeded
Import of duplicity.backends.giobackend Succeeded
Import of duplicity.backends.hsibackend Succeeded
Import of duplicity.backends.hubicbackend Succeeded
Import of duplicity.backends.imapbackend Succeeded
Import of duplicity.backends.lftpbackend Succeeded
Import of duplicity.backends.localbackend Succeeded
Import of duplicity.backends.mediafirebackend Succeeded
Import of duplicity.backends.megabackend Succeeded
Import of duplicity.backends.multibackend Succeeded
Import of duplicity.backends.ncftpbackend Succeeded
Import of duplicity.backends.onedrivebackend Succeeded
Import of duplicity.backends.par2backend Succeeded
Import of duplicity.backends.pydrivebackend Succeeded
Import of duplicity.backends.rsyncbackend Succeeded
Import of duplicity.backends.ssh_paramiko_backend Succeeded
Import of duplicity.backends.ssh_pexpect_backend Succeeded
Import of duplicity.backends.swiftbackend Succeeded
Import of duplicity.backends.sxbackend Succeeded
Import of duplicity.backends.tahoebackend Succeeded
Import of duplicity.backends.webdavbackend Succeeded
/usr/lib/python2.7/dist-packages/paramiko/ecdsakey.py:164: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
  self.ecdsa_curve.curve_class(), pointinfo
ssh: Connected (version 2.0, client OpenSSH_7.5)
ssh: Authentication (publickey) successful!
ssh: [chan 0] Opened sftp connection (server version 3)
Reading globbing filelist /root/.duply/ersatzBU/exclude
Main action: full
================================================================================
duplicity 0.7.18.2 (October 17, 2018)
Args: /usr/bin/duplicity full --name duply_ersatzBU --encrypt-key 1A955E6287B8E312 --sign-key 1A955E6287B8E312 --verbosity 8 --gpg-options --compress-algo=bzip2 --bzip2-compress-level=9 --volsize 100 --asynchronous-upload --exclude-filelist /root/.duply/ersatzBU/exclude / sftp://u153662-sub1@u153662.your-storagebox.de:23/backup
Linux debian1 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 
/usr/bin/python2 2.7.16 (default, Oct 10 2019, 22:02:15) 
[GCC 8.3.0]
================================================================================
Using temporary directory /tmp/duplicity-lFN02I-tempdir
Temp has 606838784 available, backup will use approx 241172480.
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Tue Nov 10 12:39:19 2020
Collection Status
-----------------
Connecting with backend: BackendWrapper
Archive dir: /root/.cache/duplicity/duply_ersatzBU

Found 0 secondary backup chains.

Found primary backup chain with matching signature chain:
-------------------------
Chain start time: Tue Nov 10 12:39:19 2020
Chain end time: Tue Nov 10 12:39:19 2020
Number of contained backup sets: 1
Total number of contained volumes: 1
 Type of backup set:                            Time:      Num volumes:
                Full         Tue Nov 10 12:39:19 2020                 1
-------------------------
No orphaned or incomplete backup sets found.
Reuse configured PASSPHRASE as SIGN_PASSPHRASE
Using temporary directory /root/.cache/duplicity/duply_ersatzBU/duplicity-h7ERXb-tempdir
Using temporary directory /root/.cache/duplicity/duply_ersatzBU/duplicity-sHK2KZ-tempdir
AsyncScheduler: instantiating at concurrency 1
A .
A var
A var/cache
A var/cache/rsnapshot
AsyncScheduler: scheduling task for asynchronous execution
Processed volume 1
Writing duplicity-full.20201110T122742Z.vol1.difftar.gpg
Deleting /tmp/duplicity-lFN02I-tempdir/mktemp-6T80j7-2
AsyncScheduler: task execution done (success: True)
Writing duplicity-full-signatures.20201110T122742Z.sigtar.gpg
Deleting /root/.cache/duplicity/duply_ersatzBU/duplicity-full-signatures.20201110T122742Z.sigtar.gpg
Writing duplicity-full.20201110T122742Z.manifest.gpg
Deleting /root/.cache/duplicity/duply_ersatzBU/duplicity-full.20201110T122742Z.manifest.gpg
--------------[ Backup Statistics ]--------------
StartTime 1605011263.12 (Tue Nov 10 13:27:43 2020)
EndTime 1605011263.14 (Tue Nov 10 13:27:43 2020)
ElapsedTime 0.02 (0.02 seconds)
SourceFiles 4
SourceFileSize 16384 (16.0 KB)
NewFiles 4
NewFileSize 16384 (16.0 KB)
DeletedFiles 0
ChangedFiles 0
ChangedFileSize 0 (0 bytes)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 4
RawDeltaSize 0 (0 bytes)
TotalDestinationSizeChange 1593 (1.56 KB)
Errors 0
-------------------------------------------------

--- Finished state OK at 13:27:45.045 - Runtime 00:00:03.329 ---

Versuch Algorithmus pigz (parallel implementation of gzip) zu verwenden

Nutzt alle CPU-Kerne zum Komprimieren der Archive.

Resultat pigz wird weder von gpg noch gpg2 unterstützt.

# gpg --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Unterstützte Verfahren:
Öff. Schlüssel: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Verschlü.: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
           CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Komprimierung: nicht komprimiert, ZIP, ZLIB, BZIP2

# gpg2 --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Unterstützte Verfahren:
Öff. Schlüssel: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Verschlü.: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
           CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Komprimierung: nicht komprimiert, ZIP, ZLIB, BZIP2

GPG

Abschlussphase

Fazit

Reflexion
- Abweichungen SOLL zu IST
- Verbesserungpotential aufzeigen
- Ergebnisse darstellen

Quellen

Anhang (max. 10 Seiten)

Angebot interner Backup-Server
Angebot externer Backup-Server
Kundenauftrag
Raumplan
Netzwerkplan
Skizzen
Schaltplan?
Config-Datei rsnapshot
Config-Datei duply
Ablauf GPG: Schlüsselerstellung
Fotos
Messprotokolle

Quellen allgemein zur Dokumentation