Linux Format

DUPLICATI: Secure cloud backups

The ever security-conscious Nick Peers reveals how to use your cloud back-up storage as a watertight back-up location for your key data.

- Nick Peers is now able to take his NAS-hosted backup using Nextcloud and place a secure copy of it online beyond the reach of hackers and governments.

Nick Peers reveals how to use your cloud backup storage as a watertight back-up location for your key data by wrapping it all up in encryption.

You can’t have too many backups, and at least one of them should ideally be stored offsite – which typically means in the cloud. But can you trust the cloud with your sensitive data? Can you be sure your cloud provider is telling the truth when it says your data is fully secure and private? What happens if its servers are hacked? Who controls the encryption keys that stand between you and your data being opened to government agencies?

The solution is to employ a secondary layer of encryption to your data before uploading it. This layer remains under your control, which means those encryption keys aren’t in anyone’s hands other than your own. You can employ this secondary layer several ways – the box (bottom right) reveals a quick technique for individual files – but another approach is to employ a virtual container inside which your files are stored.

The obvious solution here is Veracrypt’s encrypted file container, but it’s not optimised for remote storage. Instead, try a free tool called Cryptomator (www.cryptomator.org). This is similar to Veracrypt in that you create an encrypted container, or vault, inside which all your sensitive data is copied. The vault resides in your local cloud folder – so works with any cloud provider – and is optimised for remote storage by the fact it’s a regular folder inside which your files and subfolders are encrypted individually. This means adding new files or editing existing ones uses less bandwidth than tools where all changes result in a single large virtual volume being re-synced time and again.

Enter the Cryptomator

Cryptomator can be run either as a standalone AppImage from www.cryptomator.org/downloads or you can add the PPA in Ubuntu 18.04 or later for a build that updates automatically. Just type the following commands into the Terminal:

$ sudo add-apt-repository ppa:sebastian-stenzel/cryptomator
$ sudo apt-get update
$ sudo apt-get install cryptomator

Once installed, launch Cryptomator from the Launcher and enable updates if asked. From here it’s a simple case of picking a suitable location – inside one of your synced cloud folders, obviously – then giving your vault a suitable name (this will become its folder name) before assigning it a strong password that you store securely elsewhere, such as in your password manager.

After clicking Create Vault, click More Options to tweak various settings, including unlocking the vault automatically on startup. Once done, click Unlock Vault and it can be used like any other folder – for security purposes all files copied or edited are encrypted on your computer before being uploaded to the cloud.

When you’re done, you can leave the drive unlocked until you shut down your computer or – if security is an issue – open the main window and click Lock Vault to close it down (enter your password and click Unlock Vault to bring it back later). You can access your cloud-hosted vault from other computers by installing Cryptomator there and choosing ‘Open existing vault’ to access the vault in question. Mobile apps are also available; these cost £8.49 (help support projects–ed) each for Android and iOS. They do, however, enable you to edit files on the go, encrypting them on your mobile before uploading any changes.

Our main gripe with Cryptomator is that its presence can’t be hidden. Its master key is clearly visible inside the folder containing your encrypted data (even the name – masterkey.cryptomator – isn’t subtle). If this file is deleted, your data is made inaccessible, so be sure to keep an independent backup of the key in addition to a regular, unencrypted local backup of the data you’ve stored inside the vault.
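Because a deleted or silently corrupted master key makes the vault unreadable, it is worth checking the independent copy rather than trusting that it was made once. The script below is an added example, not Cryptomator’s own code: it assumes only what the article states (each vault folder contains a file named masterkey.cryptomator), lists every vault under a cloud-synced folder, and confirms that an off-vault copy of each key exists and is byte-for-byte identical to the live one. The backup naming scheme and the sample vault contents are constructed for the demo.

```python
"""Audit the independent backups of Cryptomator master keys (added example).

Assumes only that each vault folder holds a file named masterkey.cryptomator.
The layout of the key-backup folder (<vault name>.masterkey.cryptomator) is
this example's own convention, not something Cryptomator prescribes.
"""
import hashlib
import tempfile
from pathlib import Path

MASTERKEY_NAME = "masterkey.cryptomator"   # file name as given in the article


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_vaults(cloud_root: Path) -> list:
    """Every folder under cloud_root holding a master key file is a vault."""
    return sorted(p.parent for p in cloud_root.rglob(MASTERKEY_NAME))


def check_key_backup(vault: Path, backup_dir: Path) -> dict:
    """Compare the vault's live key with the copy kept outside the cloud folder."""
    live = vault / MASTERKEY_NAME
    copy = backup_dir / f"{vault.name}.{MASTERKEY_NAME}"   # naming scheme assumed by this example
    status = {
        "vault": vault.name,
        "live_present": live.is_file(),
        "backup_present": copy.is_file(),
        "backup_matches": False,
    }
    if status["live_present"] and status["backup_present"]:
        status["backup_matches"] = sha256_of(live) == sha256_of(copy)
    return status


def audit(cloud_root: Path, backup_dir: Path) -> list:
    """One status dict per vault found under cloud_root."""
    return [check_key_backup(v, backup_dir) for v in find_vaults(cloud_root)]


def demo() -> list:
    """Build a constructed cloud folder with two vaults and audit it."""
    root = Path(tempfile.mkdtemp())
    cloud, keys = root / "Dropbox", root / "key-backups"
    for name, content in (("Personal", b"constructed key A"), ("Work", b"constructed key B")):
        (cloud / name).mkdir(parents=True)
        (cloud / name / MASTERKEY_NAME).write_bytes(content)   # stand-in for the real key file
    keys.mkdir()
    (keys / f"Personal.{MASTERKEY_NAME}").write_bytes(b"constructed key A")   # up-to-date copy
    (keys / f"Work.{MASTERKEY_NAME}").write_bytes(b"stale key")              # out-of-date copy
    return audit(cloud, keys)


if __name__ == "__main__":
    for status in demo():
        print(status)
```

Run it against your real cloud folder and key-backup folder by calling `audit(Path("~/Dropbox").expanduser(), Path("/media/usb/keys"))`; any vault reporting `backup_matches: False` needs a fresh copy of its key made before the next cloud sync, not after.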

Back up to the cloud

Cryptomator works when you want to keep files stored directly in the cloud. Another approach is to use it purely as an off-site backup location. What you need here is a back-up tool that makes it possible to encrypt your backups locally before they’re uploaded – one that’s optimised to work across a range of cloud services and standard internet protocols. That tool is the free and open-source Duplicati (www.duplicati.com).

Duplicati is a block-based backup tool, which means it splits your data into small chunks, which are then encrypted and compressed before being sent to your choice of back-up location: a proprietary cloud provider like Google or Dropbox, a local drive, or a server accessible through a range of popular protocols such as FTP or WebDAV.

Duplicati supports file versioning, so once the initial backup is done, all changes are recorded incrementally to speed up file uploads and minimise storage space. Your files can be protected by a password using standard AES-256 encryption, or you can use an existing GnuPG key if you prefer.

The program runs as a standalone tool, with access through both a graphical web interface and the command line for those who need it. There are both standalone .deb and .rpm downloads to suit most distros, while owners of Synology NAS drives get a dedicated program. LinuxServer also supplies a Docker image (https://hub.docker.com/r/linuxserver/duplicati), which is handy if you’re backing up multiple PCs to a single server and would like a single instance of Duplicati to securely back up those backups to the cloud for additional redundancy.

Installation

If you’re installing Duplicati on a single PC, then you’ll need to install Mono before you can install the main client itself – this amounts to around 420MB of drive space. See https://duplicati.readthedocs.io/en/latest/02-installation for distro-specific commands, but Ubuntu 18.04 users need to issue the following:

$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
$ echo "deb https://download.mono-project.com/repo/ubuntu stable-bionic main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list

$ sudo apt update

$ sudo apt install mono-devel gtk-sharp2

Once this is done, head over to www.duplicati.com/download and click the ‘Debian/Ubuntu’ link to download the installer as a .deb file. Once done, double-click the .deb file to open it in the Software Centre. From here, it’s a simple case of clicking Install, entering your user password and waiting for the process to complete.

Get Duplicati set up

To run Duplicati via its graphical user interface in your web browser, open Launcher and click the Duplicati icon under All Items. You’ll be whisked to http://localhost:8200/index.html in your browser to be greeted by the setup wizard. You’ll also see a Duplicati icon appear in your menu bar for convenient access.

If you install Duplicati on a shared PC, then everyone has access to it, so you’ll first be asked to set up a password to restrict access to the program’s web interface. Click Yes to visit the Settings screen. This enables you to review the program’s main settings and tighten security where necessary.

After entering your (optional) password you’ll see an ‘Allow remote access’ option. Selecting this means you can administer Duplicati on your PC from other computers on your local network, but if you do enable it you should set that password. Note that if you enable remote access, you won’t be prompted for the password when launching Duplicati from its menu-bar icon unless you also tick ‘Prevent tray icon automatic log-in’.

Most other options can be left alone, but if you scroll down to the bottom you’ll see options to add advanced settings to your Duplicati setup – these mirror options you can access from the command line, and some of the more useful ones are covered in the final boxout.

Back up your data

Once you’ve configured Duplicati to your tastes, click OK to return to the main screen. You’re now ready to set up your first back-up job – the step-by-step guide takes you through the basics. When it comes to choosing encryption from the first page of options, the AES-256 built-in option is the simplest, but you can choose GNU Privacy Guard if you want to use your own encryption key – use a tool like GNU Privacy Assistant (sudo apt-get install gpa) to generate it, then select ‘GNU Privacy Guard, external’ from the Encryption drop-down menu.

When it comes to selecting what to back up, you can exclude unnecessary files from folders using a combination of simple (Exclude) and complex (Filter) rules. Exclude options include simple tick boxes to ignore hidden, system and temporary files, plus an option to ignore files over a user-specified size. The Filter option involves a combination of keywords or wildcards with a choice of exclude or include filters, such as ‘Exclude directories whose names contain’. You can add as many filters as you need, but be careful setting these – you may end up excluding files you want to protect.

The ‘remote volume size’ setting splits your backups into groups of compressed volumes no larger than 50MB each. It’s optimised for home users with ‘limited upload speeds’ – if you’re willing to increase the risk of corruption, then consider increasing the size of each volume to 200 or even 500MB. Note Duplicati does verify a small part of the uploaded data, but it’s a good idea to perform occasional manual verifications. Larger volumes mean fewer files, which can have performance benefits on some servers while avoiding hitting file limits on others. If your connection isn’t particularly stable, however, consider decreasing the volume size instead.
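The block-based, versioned design described under ‘Back up to the cloud’ and the remote-volume sizing and verification advice above are easier to reason about with a small working model. The following is an added example and not Duplicati’s own code: it splits files into fixed-size blocks identified by SHA-256, uploads only blocks the remote store has not seen, packs new blocks into volumes no larger than a chosen limit, keeps one file list per run so earlier versions can be restored, and offers a manual verification pass that rehashes every stored block. The block size, volume limit, volume naming and sample files are all constructed for the demo; encryption and compression of the volumes are deliberately left out, since the real tool encrypts each volume with AES-256 or GnuPG before upload.

```python
"""Toy model of a block-based, versioned backup with size-limited remote volumes.

Added example, not Duplicati's code. Block size, volume limit, volume naming
and the sample data are assumptions chosen so the demo stays readable.
Encryption/compression of volumes is omitted on purpose.
"""
import hashlib

BLOCK_SIZE = 4      # bytes; tiny so the demo data yields several blocks (assumed)
VOLUME_LIMIT = 10   # bytes per remote volume; the article's default is 50MB (assumed)


class RemoteStore:
    """What the backup destination ends up holding after one or more runs."""

    def __init__(self):
        self.block_data = {}     # block hash -> block bytes (as stored inside a volume)
        self.block_volume = {}   # block hash -> name of the volume holding it
        self.volumes = []        # [volume name, bytes used], in upload order
        self.versions = []       # one {filename: [block hashes]} per backup run
        self.bytes_uploaded = 0


def split_blocks(data: bytes) -> list:
    """Fixed-size chunking; the last block may be shorter."""
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def backup(store: RemoteStore, files: dict) -> dict:
    """Run one backup of {filename: bytes}; returns what this run had to upload."""
    new_blocks = 0
    current = None   # uploaded volumes are immutable, so every run opens fresh ones
    filelist = {}
    for name, data in sorted(files.items()):
        hashes = []
        for block in split_blocks(data):
            h = hashlib.sha256(block).hexdigest()
            hashes.append(h)
            if h in store.block_data:
                continue   # block already on the remote: this is the incremental saving
            if current is None or current[1] + len(block) > VOLUME_LIMIT:
                current = [f"volume-{len(store.volumes):04d}.dblock", 0]   # naming assumed
                store.volumes.append(current)
            current[1] += len(block)
            store.block_data[h] = block
            store.block_volume[h] = current[0]
            store.bytes_uploaded += len(block)
            new_blocks += 1
        filelist[name] = hashes
    store.versions.append(filelist)
    return {"version": len(store.versions), "new_blocks": new_blocks,
            "volumes": len(store.volumes)}


def restore(store: RemoteStore, version: int, filename: str) -> bytes:
    """Reassemble one file from a given backup version (1 = oldest run)."""
    return b"".join(store.block_data[h] for h in store.versions[version - 1][filename])


def verify(store: RemoteStore) -> list:
    """Manual verification: rehash every stored block and return the hashes that no longer match."""
    return sorted(h for h, block in store.block_data.items()
                  if hashlib.sha256(block).hexdigest() != h)


if __name__ == "__main__":
    s = RemoteStore()
    # constructed sample data: the second run edits one file and leaves the other alone
    print(backup(s, {"notes.txt": b"hello world!", "todo.txt": b"buy milk"}))
    print(backup(s, {"notes.txt": b"hello there!", "todo.txt": b"buy milk"}))
    print(restore(s, 1, "notes.txt"), restore(s, 2, "notes.txt"))
    print("corrupt blocks:", verify(s))
```

The second run uploads only the two blocks that changed, even though a whole file was rewritten, which is why incremental runs are cheap on bandwidth. The volume limit decides how many files land on the remote: with a larger limit the same blocks would fit in fewer volumes, at the cost of more data to re-upload if a single transfer fails, which is the trade-off the article describes. The `verify` pass is the model of a manual verification: if a stored block has been altered in transit or at rest it is reported by hash, and any version that references it is known to be unrestorable before you need it.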

Set bandwidth limits

Your first back-up job will appear, ready to start at the time you’ve set. You’ll see a ‘Run now’ shortcut next to it, but before launching this, click the speedometer icon to limit how much internet bandwidth Duplicati can use. You need to limit the amount of upload bandwidth – unlimited upload speeds will slow your internet connection to a crawl for all other online devices.

We recommend capping your upload speed to 50 per cent of your available bandwidth. So, for example, a 5Mbits/s connection is the equivalent of around 625KB/s, so cap the upload speed to 300KB/s.

Two further tweaks are required to enforce this limit presently: first, you need to tick the box to set a download limit (this can be left at 10Mbyte/s), then set a hidden option. Go to Settings, scroll down to ‘Default options’ and click ‘Pick an option’ next to ‘Add advanced option’. Select ‘asynchronous-concurrent-upload-limit’ under Core Options and set it to 1. Click OK, then click ‘Run now’ to launch your backup.

When backups are running, a progress bar appears at the top of the screen indicating the current upload speed and how many files (and how much data) remain to be transferred. You’ll see options for cancelling the current operation and pausing it should you need to free up more internet bandwidth for other tasks. When halting a task for any reason, choose ‘Stop after current file’ to allow the current volume to be uploaded and prevent possible data corruption.

You can add as many back-up jobs as you need from here (although you should stagger them so they don’t attempt to all run at once) – edit an existing back-up job by clicking the down arrow next to its name to reveal a list of options. Choose Edit under Configuration to access the same wizard you used to set up the backup and make whatever changes you need.

Restore backups

The unthinkable has happened, and you’ve lost data. If you’ve not lost your Linux installation in the process, then simply open Duplicati, expand the relevant back-up job and click ‘Restore files’ under Operations. If you’ve had to reinstall Duplicati from scratch on a new computer or install, then you have two options.

The first – and simplest – depends on whether you exported a copy of your configuration file following the advice in the top tip. If you did, select ‘Restore from configuration’ and click Next to select your backed-up configuration file and enter your password. On clicking Next, the back-up job should be restored, and you can start the restoration process from there.

If you didn’t back up the configuration file, choose ‘Restore>direct restore from back-up files…’ and click Next. This is basically a similar process to setting up your backup: choose your provider, enter the destination path and link to the account. You then input the password you used to encrypt the backup and that will unlock its contents for restoration.

Whichever restoration option you choose, you can then choose what folders to restore using the file picker. You can search for specific files and folders by keyword too. If you have multiple versions backed up, you can use the ‘Restore from’ drop-down menu to select an earlier version if you wish, although in disaster-recovery cases you’d leave the latest version selected.

Once you’ve made your selection, click Continue. You can restore to the original location or select a folder path to restore to (click Browse to select it using the file picker). By default, existing files will be overwritten, but you can also save a copy with a timestamp in the specified location. Look out for the ‘Restore read/write permissions’ box – ordinarily you’ll want to preserve these, so tick this before clicking Restore and waiting for the files to be copied back to your PC.

Cryptomator provides an online-optimised virtual container for encrypting sensitive files before they’re uploaded to the cloud.
