duplicity backup - Hubic

This is one post in a series of tutorials on Duplicity. If you are just getting started with duplicity, I recommend to first read the first and second part to get a basic overview of duplicity and get GPG keys setup properly (this will not be covered in this post). You should also visit the duplicity overview post, which contains a list of all posts in this series. The basic configuration of this post will be used in this post to configure duplicity-backup.sh.

Hubic

First of all, we need an account at hubic.com (referral link). More than 25 GB will cost you, however for this tutorial the free account will suffice.

Using duplicity with the hubic/Rackspace backend requires the Rackspace CloudFiles Pyrax API library as noted in the duplicity man page. We can install this by running pip install pyrax.

First, we need to login to hubic and go to My account, and then to Developers. We add a new application (Please note that the application-name must be unique - so best use some random characters). Also, we need a redirect url, for which we will use http://localhost/. hubic1

We will need the Client ID as well as the Secret Client key from the Application we just created. and insert that in the file ~/.hubic_credentials. The file should look as below - substitute all variables right of the = sign with the values in your Developers console.

[hubic] 
email = [email protected] 
password = VerySecureRandomOnlinePassword11 
client_id = api_hubic_mVZdgTqLb3ty3BAJZn5Nyk8zBGrN4KVX 
client_secret = QJOvuZe0gHg13ilM3DpCCaNdIlnRUTDa01pbAH5jCfx5BpkpZiu4IAnsuuAnn3Mr 
redirect_uri = http://localhost/

(Don’t bother to try the above keys - by the time this post goes live I already deleted the test application).

As the API requires us to add the password in clear text, we make sure the file is only readable to the user himself by issuing a chmod 600 ~/.hubic_credentials.

Running a first manual test: duplicity --encrypt-key 3E988E6866B39EE1 --sign-key E24E7891636093DB --ssh-askpass /tmp/backupTest/ "cf+hubic://duplicitybackup1"

This will result in the folder /tmp/backupTest/ to be synchronized to hubic - in the backup-folder duplicitybackup1. In the web-console of hubic, we go to “my backups” - where we can see the below backup-files. hubic2

As mentioned above, up to 25 GB is free - after that additional storage is available for paying customers.

duplicity-backup.sh

Implementing this into the duplicity-backup.sh script is as easy as setting the “DEST=” variable to “cf+hubic://duplicityBackup1”.

DEST="cf+hubic://duplicityBackup1"

The rest of the configuration remains identical to the configuration used in the duplicity-backup.sh post.

We now run the duplicity-backup.sh script.

./duplicity-backup.sh --config duplicity-backup.conf --full

If you still have the cronjob scheduled and used the same configuration file, the backup will automatically go to hubic instead of the sftp server or a different backend.

Drawbacks

Hubic - the service

Hubic is pretty slow - uploading the simple test-folder took quite some time (they seem to implement fairly aggressive rate-limiting. Also, bigger files may not be allowed in the free version. This is not clearly visible - but the next level lists “No maximum file size.” as an advantage of the Paid version, suggesting that the free version has some limit applied.

Security

As the password to hubic needs to be saved in clear text in a configuration file (on a server, eventually), it is important to use a unique password, so an attacker would eventually gain access to only this account, and none other. Also, if duplicity is running on a server (which is a common usecase), you should consider using a dedicated account for backups as well as backing up to another Service as well. Should the server be breached, one needs to assume the hubic-account also compromised - so an attacker would be able to log in to hubic and delete the backups - essentially making recovery impossible.

Therefore, I cannot fully recommend using hubic as a backup solution for Servers. Backing up Pictures from your own PC (in addition to other backups!!!) will probably be fine as the data is encrypted with your GPG key.

FULL DISCLOSURE If you register with hubic using the link above, I will get free space added through the referral program. If you want to avoid this, please use this link or type in https://hubic.com into your browser manually.


comments powered by Disqus