Generate Google Gs_access_key_id

Posted on by
  1. Generate Google Gs_access_key_id Download
  2. Generate Google Gs_access_key_id Online
  3. Generate Google Gs_access_key_id App
  4. Generate Google Gs_access_key_id Account
  • Examples
  • This module allows users to manage their objects/buckets in Google Cloud Storage. It allows upload and download operations and can set some canned permissions. It also allows retrieval of URLs for objects for use in playbooks, and retrieval of string contents of objects. This module requires setting the default project in GCS prior to playbook usage. See https://developers.google.com/storage/docs/reference/v1/apiversion1 for information about setting the default project.

This module allows users to manage their objects/buckets in Google Cloud Storage. It allows upload and download operations and can set some canned permissions. It also allows retrieval of URLs for objects for use in playbooks, and retrieval of string contents of objects. This module requires setting the default project in GCS prior to playbook. Mar 03, 2020 Google then provides information you'll need later, such as a client ID and a client secret. Activate the Cloud Storage JSON API in the Google Cloud Console. (If the API isn't listed in the Cloud Console, then skip this step.) When your application needs access to user data, it asks Google for a particular scope of access. Feb 18, 2019  Create bucket using Google Cloud Console and set appropriate permissions. STATICBUCKETNAME: Name of the bucket to collect static files (mandatory if COLLECTSTATICFILESONSTORAGE is set to true) GSACCESSKEYID: Google Cloud Access Key. How to create Access Keys on Google Cloud Storage; GSSECRETACCESSKEY: Google Cloud Secret. Gsaccesskeyid and gssecretaccesskey can be generated by navigating to your Google Cloud Storage console and clicking on APIs & services/Credentials.On this page you can now click Create credentials/OAuth client ID to generate an access key and a matching secret. Sep 29, 2016  # Google OAuth2 credentials are managed by the Cloud SDK and # do not need to be present in this file. So one documentation says you have to configure.boto file, while the.boto file itself says credentials do not need to be present in this file. May 30, 2019  The goal is to create an Ansible role as a blueprint for Mongo-DB and MySQL-DB and create any number of databases from that. This way of reusing an. Google Cloud Storage: What Is Google Cloud Storage? Google Cloud Storage is a RESTful service for storing and accessing your data on Google's infrastructure. The service combines the performance and scalability of Google's cloud with advanced security and sharing capabilities.

parameterrequireddefaultchoicescomments
bucket
yes
Bucket name.
dest
no
The destination file path when downloading an object/key with a GET operation.
expiration
no
Time limit (in seconds) for the URL generated and returned by GCA when performing a mode=put or mode=get_url operation. This url is only available when public-read is the acl for the object.
force
noTrue
Forces an overwrite either locally on the filesystem or remotely with the object/key. Used with PUT and GET operations.

aliases: overwrite
gs_access_key
yes
GS access key. If not set then the value of the GS_ACCESS_KEY_ID environment variable is used.
gs_secret_key
yes
GS secret key. If not set then the value of the GS_SECRET_ACCESS_KEY environment variable is used.
headers
no{}
Headers to attach to object.
mode
yes
  • get
  • put
  • get_url
  • get_str
  • delete
  • create
Switches the module behaviour between upload, download, get_url (return download url) , get_str (download object as string), create (bucket) and delete (bucket).
object
no
Keyname of the object inside the bucket. Can be also be used to create 'virtual directories' (see examples).
permission
noprivate
This option let's the user set the canned permissions on the object/bucket that are created. The permissions that can be set are 'private', 'public-read', 'authenticated-read'.
src
no
The source file path when performing a PUT operation.

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

This module is community maintained without core committer oversight.

For more information on what this means please read Module Support

For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Helping Testing PRs and Developing Modules.

Table of Contents

Name

duplicity - Encrypted incremental backup to local or remote storage.

Synopsis

For detailed descriptions for each command see chapter ACTIONS.

duplicity [full incremental][options] source_directory target_url

duplicityverify[options] [--compare-data] [--file-to-restore <relpath>] [--time time] source_url

Generate Google Gs_access_key_id Download

target_directory

duplicity collection-status[options] [--file-changed <relpath>]

target_url

duplicity list-current-files[options] [--time time] target_url

duplicity [restore][options] [--file-to-restore <relpath>] [--time time] source_url

target_directory

duplicity remove-older-than <time>[options] [--force] target_url

duplicity remove-all-but-n-full <count>[options] [--force] target_url

duplicityremove-all-inc-of-but-n-full <count>[options] [--force] target_url

duplicity cleanup[options] [--force] target_url

duplicity replicate[options] [--time time]

source_url target_url

Description

Duplicity incrementally backs up filesand folders into tar-format volumes encrypted with GnuPG and places themto a remote (or local) storage backend. See chapter URL FORMAT for a listof all supported backends and how to address them. Because duplicity useslibrsync, incremental backups are space efficient and only record the partsof files that have changed since the last backup. Currently duplicity supportsdeleted files, full Unix permissions, uid/gid, directories, symbolic links,fifos, etc., but not hard links.

If you are backing up the root directory/, remember to --exclude /proc, or else duplicity will probably crash onthe weird stuff in there.

Examples

Here is an example of a backup, usingsftp to back up /home/me to some_dir on the other.host machine:
duplicity/home/me sftp://uid@other.host/some_dir
If the above is run repeatedly,the first will be a full backup, and subsequent ones will be incremental.To force a full backup, use the full action:
duplicity full /home/me sftp://uid@other.host/some_dir
or enforcing a full every other time via --full-if-older-than <time> , e.g. a fullevery month:
duplicity --full-if-older-than 1M /home/me sftp://uid@other.host/some_dir
Now suppose we accidentally delete /home/me and want to restore it theway it was at the time of last backup:
duplicity sftp://uid@other.host/some_dir/home/me
Duplicity enters restore mode because the URL comes before thelocal directory. If we wanted to restore just the file 'Mail/article' in/home/me as it was three days ago into /home/me/restored_file:
duplicity-t 3D --file-to-restore Mail/article sftp://uid@other.host/some_dir /home/me/restored_file
The following command compares the latest backup with the current files:
duplicity verify sftp://uid@other.host/some_dir /home/me
Finally, duplicityrecognizes several include/exclude options. For instance, the followingwill backup the root directory, but exclude /mnt, /tmp, and /proc:
duplicity--exclude /mnt --exclude /tmp --exclude /proc / file:///usr/local/backup
Notethat in this case the destination is the local directory /usr/local/backup. The following will backup only the /home and /etc directories under root:
duplicity --include /home --include /etc --exclude ’**’ / file:///usr/local/backup
Duplicity can also access a repository via ftp. If a user name is given,the environment variable FTP_PASSWORD is read to determine the password:

FTP_PASSWORD=mypassword duplicity /local/dir ftp://user@other.host/some_dir

Actions

Duplicity knows action commands, which can be finetuned with options.
The actions for backup (full,incr) and restoration (restore) can as wellbe left out as duplicity detects in what mode it should switch to by theorder of target URL and local folder. If the target URL comes before thelocal folder a restore is in order, is the local folder before target URLthen this folder is about to be backed up to the target URL.
If a backup is in order and old signatures can be found duplicity automaticallyperforms an incremental backup.

Note: The following explanations explainsome but not all options that can be used in connection with that actioncommand. Consult the OPTIONS section for more detailed informations.

full<folder> <url>
Perform a full backup. A new backup chain is started even ifsignatures are available for an incremental backup.
incr <folder> <url>
Ifthis is requested an incremental backup will be performed. Duplicity willabort if no old signatures can be found.
verify [--compare-data] [--time <time>][--file-to-restore <rel_path>] <url> <local_path>
Verify tests the integrity of thebackup archives at the remote location by downloading each file and checkingboth that it can restore the archive and that the restored file matchesthe signature of that file stored in the backup, i.e. compares the archivedfile with its hash value from archival time. Verify does not actually restoreand will not overwrite any local files. Duplicity will exit with a non-zeroerror level if any files do not match the signature stored in the archivefor that file. On verbosity level 4 or higher, it will log a message foreach file that differs from the stored signature. Files must be downloadedto the local machine in order to compare them. Verify does not compare thebacked-up version of the file to the current local copy of the files unlessthe --compare-data option is used (see below).
The --file-to-restore option restricts verify to that file or folder. The --timeoption allows to select a backup to verify. The --compare-data option enablesdata comparison (see below).
collection-status [--file-changed <relpath>]<url>
Summarize the status of the backup repository by printing the chains andsets found, and the number of volumes in each.
list-current-files [--time <time>]<url>
Lists the files contained in the most current backup or backup at time.The information will be extracted from the signature files, not the archivedata itself. Thus the whole archive does not have to be downloaded, buton the other hand if the archive has been deleted or corrupted, this commandwill not detect it.
restore [--file-to-restore <relpath>] [--time <time>] <url> <target_folder>
You can restore the full monty or selected folders/files from a specifictime. Use the relative path as it is printed by list-current-files. Usuallynot needed as duplicity enters restore mode when it detects that the URLcomes before the local folder.
remove-older-than <time> [--force] <url>
Deleteall backup sets older than the given time. Old backup sets will not bedeleted if backup sets newer than time depend on them. See the TIME FORMATSsection for more information. Note, this action cannot be combined withbackup or other actions, such as cleanup. Note also that --force will beneeded to delete the files instead of just listing them.
remove-all-but-n-full<count> [--force] <url>
Delete all backups sets that are older than the count:thlast full backup (in other words, keep the last count full backups andassociated incremental sets). count must be larger than zero. A value of1 means that only the single most recent backup chain will be kept. Notethat --force will be needed to delete the files instead of just listing them.
remove-all-inc-of-but-n-full <count> [--force] <url>
Delete incremental sets of allbackups sets that are older than the count:th last full backup (in otherwords, keep only old full backups and not their increments). count mustbe larger than zero. A value of 1 means that only the single most recentbackup chain will be kept intact. Note that --force will be needed to deletethe files instead of just listing them.
cleanup [--force] <url>
Delete theextraneous duplicity files on the given backend. Non-duplicity files, orfiles in complete data sets will not be deleted. This should only be necessaryafter a duplicity session fails or is aborted prematurely. Note that --forcewill be needed to delete the files instead of just listing them.
replicate[--time time] <source_url> <target_url>
Replicate backup sets from source totarget backend. Files will be (re)-encrypted and (re)-compressed dependingon normal backend options. Signatures and volumes will not get recomputed,thus options like --volsize or --max-blocksize have no effect. When --time timeis given, only backup sets older than time will be replicated.

Options

--allow-source-mismatch
Do not abort on attempts to use the same archive diror remote backend to back up different directories. duplicity will tellyou if you need this switch.
--archive-dir path
The archive directory. NOTE:This option changed in 0.6.0. The archive directory is now necessary in orderto manage persistence for current and future enhancements. As such, thisoption is now used only to change the location of the archive directory. The archive directory should not be deleted, or duplicity will have torecreate it from the remote repository (which may require decrypting thebackup contents).

When backing up or restoring, this option specifies thatthe local archive directory is to be created in path. If the archive directoryis not specified, the default will be to create the archive directory in~/.cache/duplicity/.

The archive directory can be shared between backupsto multiple targets, because a subdirectory of the archive dir is usedfor individual backups (see --name ).

Generate Google Gs_access_key_id Online

The combination of archive directoryand backup name must be unique in order to separate the data of differentbackups.

The interaction between the --archive-dir and the --name options allowsfor four possible combinations for the location of the archive dir:

1.
neitherspecified (default) ~/.cache/duplicity/
hash-of-url
2.
--archive-dir=/arch, no --name /arch/
hash-of-url
3.
no --archive-dir, --name=foo ~/.cache/duplicity/foo
4.
--archive-dir=/arch, --name=foo /arch/foo
--asynchronous-upload
(EXPERIMENTAL) Perform file uploads asynchronouslyin the background, with respect to volume creation. This means that duplicitycan upload a volume while, at the same time, preparing the next volumefor upload. The intended end-result is a faster backup, because the localCPU and your bandwidth can be more consistently utilized. Use of this optionimplies additional need for disk space in the temporary storage location;rather than needing to store only one volume at a time, enough storagespace is required to store two volumes.
--backend-retry-delay number
Specifiesthe number of seconds that duplicity waits after an error has occured beforeattempting to repeat the operation.
--cf-backend backend
Allows the explicitselection of a cloudfiles backend. Defaults to pyrax. Alternatively you mightchoose cloudfiles.
--compare-data
Enable data comparison of regular fileson action verify. This conducts a verify as described above to verify theintegrity of the backup archives, but additionally compares restored filesto those in target_directory. Duplicity will not replace any files in target_directory.Duplicity will exit with a non-zero error level if the files do not correctlyverify or if any files from the archive differ from those in target_directory.On verbosity level 4 or higher, it will log a message for each file thatdiffers from its equivalent in target_directory.
--copy-links
Resolve symlinksduring backup. Enabling this will resolve & back up the symlink’s file/folderdata instead of the symlink itself, potentially increasing the size ofthe backup.
--dry-run
Calculate what would be done, but do not perform any

backend actions

--encrypt-key key-id
When backing up, encrypt to the givenpublic key, instead of using symmetric (traditional) encryption. Can bespecified multiple times. The key-id can be given in any of the formats supportedby GnuPG; see gpg(1), section 'HOW TO SPECIFY A USER ID' for details.
--encrypt-secret-keyring filename
This option can only be used with --encrypt-key,and changes the path to the secret keyring for the encrypt key to filenameThis keyring is not used when creating a backup. If not specified, the default

secret keyring is used which is usually located at .gnupg/secring.gpg

--encrypt-sign-keykey-id
Convenience parameter. Same as --encrypt-keykey-id--sign-keykey-id.
--excludeshell_pattern
Exclude the file or files matched by shell_pattern. If a directoryis matched, then files under that directory will also be matched. See theFILE SELECTION section for more information.
--exclude-device-files
Excludeall device files. This can be useful for security/permissions reasons orif duplicity is not handling device files correctly.
--exclude-filelist filename
Excludes the files listed in filename, with each line of the filelist interpretedaccording to the same rules as --include and --exclude. See the FILE SELECTIONsection for more information.
--exclude-if-present filename
Exclude directoriesif filename is present. Allows the user to specify folders that they donot wish to backup by adding a specified file (e.g. '.nobackup') instead ofmaintaining a comprehensive exclude/include list.
--exclude-older-than time
Exclude any files whose modification date is earlier than the specifiedtime. This can be used to produce a partial backup that contains only recentlychanged files. See the TIME FORMATS section for more information.
--exclude-other-filesystems
Exclude files on file systems (identified by device number) other thanthe file system the root of the source directory is on.
--exclude-regexp regexp
Exclude files matching the given regexp. Unlike the --exclude option, thisoption does not match files in a directory it matches. See the FILE SELECTIONsection for more information.
--file-prefix, --file-prefix-manifest, --file-prefix-archive,--file-prefix-signature
Adds a prefix to all files, manifest files, archivefiles, and/or signature files.

The same set of prefixes must be passedin on backup and restore.

If both global and type-specific prefixes areset, global prefix will go before type-specific prefixes.

See also A NOTE

ON FILENAME PREFIXES

--file-to-restore path
This option may be given in restoremode, causing only path to be restored instead of the entire contents ofthe backup archive. path should be given relative to the root of the directorybacked up.
--full-if-older-than time
Perform a full backup if an incrementalbackup is requested, but the latest full backup in the collection is olderthan the given time. See the TIME FORMATS section for more information.
--force
Proceed even if data loss might result. Duplicity will let the userknow when this option is required.
--ftp-passive
Use passive (PASV) data connections. The default is to use passive, but to fallback to regular if the passiveconnection fails or times out.
--ftp-regular
Use regular (PORT) data connections.
--gio
Use the GIO backend and interpret any URLs as GIO would.
--hidden-encrypt-keykey-id
Same as --encrypt-key, but it hides user’s key id from encrypted file.It uses the gpg’s --hidden-recipient command to obfuscate the owner of thebackup. On restore, gpg will automatically try all available secret keysin order to decrypt the backup. See gpg(1) for more details.
--ignore-errors
Try to ignore certain errors if they happen. This option is only intendedto allow the restoration of a backup in the face of certain problems thatwould otherwise cause the backup to fail. It is not ever recommended touse this option unless you have a situation where you are trying to restorefrom backup and it is failing because of an issue which you want duplicityto ignore. Even then, depending on the issue, this option may not have aneffect.

Please note that while ignored errors will be logged, there willbe no summary at the end of the operation to tell you what was ignored,if anything. If this is used for emergency restoration of data, it is recommendedthat you run the backup in such a way that you can revisit the backup log(look for lines containing the string IGNORED_ERROR).

If you ever haveto use this option for reasons that are not understood or understood butnot your own responsibility, please contact duplicity maintainers. The needto use this option under production circumstances would normally be considereda bug.

--imap-full-address email_address
The full email address of the username when logging into an imap server. If not supplied just the user namepart of the email address is used.
--imap-mailbox option
Allows you to specifya different mailbox. The default is 'INBOX'. Other languages may requirea different mailbox than the default.
--gpg-binary file_path
Allows you toforce duplicity to use file_path as gpg command line binary. Can be an absoluteor relative file path or a file name. Default value is ’gpg’. The binary willbe localized via the PATH environment variable.
--gpg-options options
Allowsyou to pass options to gpg encryption. The options list should be of theform '--opt1 --opt2=parm' where the string is quoted and the only spaces allowedare between options.
--include shell_pattern
Similar to --exclude but includematched files instead. Unlike --exclude, this option will also match parentdirectories of matched files (although not necessarily their contents). See the FILE SELECTION section for more information.
--include-filelist filename
Like --exclude-filelist, but include the listed files instead. See the FILESELECTION section for more information.
--include-regexp regexp
Include filesmatching the regular expression regexp. Only files explicitly matched byregexp will be included by this option. See the FILE SELECTION sectionfor more information.
--log-fd number
Write specially-formatted versions ofoutput messages to the specified file descriptor. The format used is designedto be easily consumable by other programs.
--log-file filename
Write specially-formattedversions of output messages to the specified file. The format used is designedto be easily consumable by other programs.
--max-blocksize number
determinesthe number of the blocks examined for changes during the diff process. Forfiles < 1MB the blocksize is a constant of 512. For files over 1MB the sizeis given by:

file_blocksize = int((file_len / (2000 * 512)) * 512)
return min(file_blocksize, globals.max_blocksize)

where globals.max_blocksizedefaults to 2048. If you specify a larger max_blocksize, your difftar fileswill be larger, but your sigtar files will be smaller. If you specify asmaller max_blocksize, the reverse occurs. The --max-blocksize option shouldbe in multiples of 512.

--name symbolicname
Set the symbolic name of thebackup being operated on. The intent is to use a separate name for eachlogically distinct backup. For example, someone may use 'home_daily_s3'for the daily backup of a home directory to Amazon S3. The structure ofthe name is up to the user, it is only important that the names be distinct.The symbolic name is currently only used to affect the expansion of --archive-dir, but may be used for additional features in the future. Users running morethan one distinct backup are encouraged to use this option.

If not specified,the default value is a hash of the backend URL.

--no-compression
Do not useGZip to compress files on remote system.
--no-encryption
Do not use GnuPGto encrypt files on remote system.
--no-print-statistics
By default duplicitywill print statistics about the current session after a successful backup. This switch disables that behavior.
--null-separator
Use nulls (0) insteadof newlines (n) as line separators, which may help when dealing with filenamescontaining newlines. This affects the expected format of the files specifiedby the --{include exclude}-filelist switches as well as the format of the directorystatistics file.
--numeric-owner
On restore always use the numeric uid/gidfrom the archive and not the archived user/group names, which is the defaultbehaviour. Recommended for restoring from live cds which might have theusers with identical names but different uids/gids.
--num-retries number
Numberof retries to make on errors before giving up.
--old-filenames
Use the oldfilename format (incompatible with Windows/Samba) rather than the new filenameformat.
--par2-options options
Verbatim options to pass to par2.
--par2-redundancypercent
Adjust the level of redundancy in percent for Par2 recovery files(default 10%).
--progress
When selected, duplicity will output the currentupload progress and estimated upload time. To annotate changes, it willperform a first dry-run before a full or incremental, and then runs thereal operation estimating the real upload progress.
--progress-rate number
Sets the update rate at which duplicity will output the upload progressmessages (requires --progress option). Default is to print the status each3 seconds.
--rename <original path> <new path>
Treats the path orig in the backupas if it were the path new. Can be passed multiple times. An example:

duplicity

restore --rename Documents/metal Music/metal sftp://uid@other.host/some_dir

/home/me

--rsync-options options
Allows you to pass options to the rsyncbackend. The options list should be of the form 'opt1=parm1 opt2=parm2'where the option string is quoted and the only spaces allowed are betweenoptions. The option string will be passed verbatim to rsync, after any internallygenerated option designating the remote port to use. Here is a possiblyuseful example:

duplicity --rsync-options='--partial-dir=.rsync-partial' /home/me

rsync://uid@other.host/some_dir

--s3-european-buckets
When using the AmazonS3 backend, create buckets in Europe instead of the default (requires --s3-use-new-style). Also see the EUROPEAN S3 BUCKETS section.

This option does not applywhen using the newer boto3 backend, which does not create buckets.

Seealso A NOTE ON AMAZON S3 below.

--s3-unencrypted-connection
Don’t use SSL forconnections to S3.

This may be much faster, at some cost to confidentiality.

With this option, anyone who can observe traffic between your computerand S3 will be able to tell: that you are using Duplicity, the name ofthe bucket, your AWS Access Key ID, the increment dates and the amountof data in each increment.

This option affects only the connection, notthe GPG encryption of the backup increment files. Unless that is disabled,an observer will not be able to see the file names or contents.

This optionis not available when using the newer boto3 backend.

See also A NOTE ONAMAZON S3 below.

--s3-use-new-style
When operating on Amazon S3 buckets, usenew-style subdomain bucket addressing. This is now the preferred method toaccess Amazon S3, but is not backwards compatible if your bucket name containsupper-case characters or other characters that are not valid in a hostname.

This option has no effect when using the newer boto3 backend, which willalways use new style subdomain bucket naming.

See also A NOTE ON AMAZONS3 below.

--s3-use-rrs
Store volumes using Reduced Redundancy Storage whenuploading to Amazon S3. This will lower the cost of storage but also lowerthe durability of stored volumes to 99.99% instead the 99.999999999% durabilityoffered by Standard Storage on S3.
--s3-use-ia
Store volumes using Standard- Infrequent Access when uploading to Amazon S3. This storage class has alower storage cost but a higher per-request cost, and the storage cost iscalculated against a 30-day storage minimum. According to Amazon, this storageis ideal for long-term file storage, backups, and disaster recovery.
--s3-use-onezone-ia
Store volumes using One Zone - Infrequent Access when uploading to AmazonS3. This storage is similar to Standard - Infrequent Access, but only storesobject data in one Availability Zone.
--s3-use-glacier
Store volumes usingGlacier S3 when uploading to Amazon S3. This storage class has a lower costof storage but a higher per-request cost along with delays of up to 12 hoursfrom the time of retrieval request. This storage cost is calculated againsta 90-day storage minimum. According to Amazon this storage is ideal for dataarchiving and long-term backup offering 99.999999999% durability. To restorea backup you will have to manually migrate all data stored on AWS Glacierback to Standard S3 and wait for AWS to complete the migration. Notice:Duplicity will store the manifest.gpg files from full and incremental backupson AWS S3 standard storage to allow quick retrieval for later incrementalbackups, all other data is stored in S3 Glacier.
--s3-use-deep-archive
Storevolumes using Glacier Deep Archive S3 when uploading to Amazon S3. Thisstorage class has a lower cost of storage but a higher per-request costalong with delays of up to 48 hours from the time of retrieval request.This storage cost is calculated against a 180-day storage minimum. Accordingto Amazon this storage is ideal for data archiving and long-term backupoffering 99.999999999% durability. To restore a backup you will have to manuallymigrate all data stored on AWS Glacier Deep Archive back to Standard S3and wait for AWS to complete the migration. Notice: Duplicity will storethe manifest.gpg files from full and incremental backups on AWS S3 standardstorage to allow quick retrieval for later incremental backups, all otherdata is stored in S3 Glacier Deep Archive.

Glacier Deep Archive is onlyavailable when using the newer boto3 backend.

--s3-use-multiprocessing
Allowmultipart volumne uploads to S3 through multiprocessing. This option requiresPython 2.6 and can be used to make uploads to S3 more efficient. If enabled,files duplicity uploads to S3 will be split into chunks and uploaded inparallel. Useful if you want to saturate your bandwidth or if large filesare failing during upload.

This has no effect when using the newer boto3backend. Boto3 always attempts to multiprocessing when it is believed itwill be more efficient.

See also A NOTE ON AMAZON S3 below.

--s3-use-server-side-encryption

Allow use of server side encryption in S3

--s3-multipart-chunk-size
Chunk size(in MB) used for S3 multipart uploads. Make this smaller than --volsize tomaximize the use of your bandwidth. For example, a chunk size of 10MB witha volsize of 30MB will result in 3 chunks per volume upload.

This has noeffect when using the newer boto3 backend.

See also A NOTE ON AMAZON S3below.

--s3-multipart-max-procs
Specify the maximum number of processes to spawnwhen performing a multipart upload to S3. By default, this will choose thenumber of processors detected on your system (e.g. 4 for a 4-core system).You can adjust this number as required to ensure you don’t overload yoursystem while maximizing the use of your bandwidth.

This has no effect whenusing the newer boto3 backend.

See also A NOTE ON AMAZON S3 below.

--s3-multipart-max-timeout
You can control the maximum time (in seconds) a multipart upload can spendon uploading a single chunk to S3. This may be useful if you find your systemhanging on multipart uploads or if you’d like to control the time variancewhen uploading to S3 to ensure you kill connections to slow S3 endpoints.

This has no effect when using the newer boto3 backend.

See also A NOTEON AMAZON S3 below.

--azure-blob-tier
Standard storage tier used for backupfiles (Hot Cool Archive).
--azure-max-single-put-size
Specify the number of thelargest supported upload size where the Azure library makes only one putcall. If the content size is known and below this value the Azure librarywill only perform one put request to upload one block. The number is expectedto be in bytes.
--azure-max-block-size
Specify the number for the block sizeused by the Azure library to upload blobs if it is split into multipleblocks. The maximum block size the service supports is 104857600 (100MiB)and the default is 4194304 (4MiB)
--azure-max-connections
Specify the numberof maximum connections to transfer one blob to Azure blob size exceeds64MB. The default values is 2.
--scp-command command
(only ssh pexpect backendwith --use-scp enabled) The command will be used instead of 'scp' to sendor receive files. To list and delete existing files, the sftp command isused.
See also A NOTE ON SSH BACKENDS section SSH pexpect backend.
--sftp-commandcommand
(only ssh pexpect backend) The command will be used instead of'sftp'.
See also A NOTE ON SSH BACKENDS section SSH pexpect backend.
--short-filenames
If this option is specified, the names of the files duplicity writes willbe shorter (about 30 chars) but less understandable. This may be usefulwhen backing up to MacOS or another OS or FS that doesn’t support long filenames.
--sign-key key-id
This option can be used when backing up, restoring or verifying.When backing up, all backup files will be signed with keyid key. When restoring,duplicity will signal an error if any remote file is not signed with thegiven key-id. The key-id can be given in any of the formats supported by GnuPG;see gpg(1), section 'HOW TO SPECIFY A USER ID' for details. Should be specifiedonly once because currently only one signing key is supported. Last entryoverrides all other entries.

See also A NOTE ON SYMMETRIC ENCRYPTION AND SIGNING

--ssh-askpass
Tells thessh backend to prompt the user for the remote system password, if it wasnot defined in target url and no FTP_PASSWORD env var is set. This passwordis also used for passphrase-protected ssh keys.
--ssh-options options
Allowsyou to pass options to the ssh backend. Can be specified multiple timesor as a space separated options list. The options list should be of theform '-oOpt1=’parm1’ -oOpt2=’parm2’' where the option string is quoted and theonly spaces allowed are between options. The option string will be passedverbatim to both scp and sftp, whose command line syntax differs slightlyhence the options should therefore be given in the long option format describedin ssh_config(5).

example of a list:

duplicity --ssh-options='-oProtocol=2-oIdentityFile=’/my/backup/id’' /home/me scp://user@host/some_dir

examplewith multiple parameters:

duplicity --ssh-options='-oProtocol=2' --ssh-options='-oIdentityFile=’/my/backup/id’'

/home/me scp://user@host/some_dir

NOTE: The ssh paramiko backend currentlysupports only the -i or -oIdentityFile setting. If needed provide more hostspecific options via ssh_config file.

--ssl-cacert-file file
(only webdav &lftp backend) Provide a cacert file for ssl certificate verification.
See also A NOTE ON SSL CERTIFICATE VERIFICATION.
--ssl-cacert-path path/to/certs/
(only webdav backend and python 2.7.9+ OR lftp+webdavs and a recent lftp)Provide a path to a folder containing cacert files for ssl certificateverification.
See also A NOTE ON SSL CERTIFICATE VERIFICATION.
--ssl-no-check-certificate
(only webdav & lftp backend) Disable ssl certificate verification.
See also A NOTE ON SSL CERTIFICATE VERIFICATION.
--swift-storage-policy
Usethis storage policy when operating on Swift containers.
See also A NOTE ON SWIFT (OPENSTACK OBJECT STORAGE) ACCESS.
--metadata-sync-modemode
This option defaults to ’partial’, but you can set it to ’full’
Use ’partial’ to avoid syncing metadata for backup chains that you are notgoing to use. This saves time when restoring for the first time, and letsyou restore an old backup that was encrypted with a different passphraseby supplying only the target passphrase.
Use ’full’ to sync metadata for all backup chains on the remote.
--tempdirdirectory
Use this existing directory for duplicity temporary files insteadof the system default, which is usually the /tmp directory. This optionsupersedes any environment variable.
See also ENVIRONMENT VARIABLES.
-ttime, --time time, --restore-time time
Specifythe time from which to restore or list files.
--time-separator char
Use charas the time separator in filenames instead of colon (':').
--timeout seconds
Use seconds as the socket timeout value if duplicity begins to timeoutduring network operations. The default is 30 seconds.
--use-agent
If thisoption is specified, then --use-agent is passed to the GnuPG encryption processand it will try to connect to gpg-agent before it asks for a passphrasefor --encrypt-key or --sign-key if needed.
Note: Contrary to previous versions of duplicity, this option will alsobe honored by GnuPG 2 and newer versions. If GnuPG 2 is in use, duplicitypasses the option --pinentry-mode=loopback to the the gpg process unless --use-agentis specified on the duplicity command line. This has the effect that GnuPG2 uses the agent only if --use-agent is given, just like GnuPG 1.
--verbositylevel, -vlevel
Specify output verbosity level (log level). Named levels andcorresponding values are 0 Error, 2 Warning, 4 Notice (default), 8 Info,9 Debug (noisiest).
level may also be
a character: e, w, n, i, d
a word: error, warning, notice, info, debug

The options -v4, -vn and -vnoticeare functionally equivalent, as are the mixed/upper-case versions -vN, -vNoticeand -vNOTICE.

--version
Print duplicity’s version and quit.
--volsize number
Change the volume size to number MB. Default is 200MB.

Environment Variables

TMPDIR, TEMP, TMP
In decreasing order of importance, specifies the directoryto use for temporary files (inherited from Python’s tempfile module). Eventuallythe option --tempdir supercedes any of these.
FTP_PASSWORD
Supported by mostbackends which are password capable. More secure than setting it in thebackend url (which might be readable in the operating systems process listingto other users on the same machine).
PASSPHRASE
This passphrase is passedto GnuPG. If this is not set, the user will be prompted for the passphrase.
SIGN_PASSPHRASE
The passphrase to be used for --sign-key. If ommitted and signkey is also one of the keys to encrypt against PASSPHRASE will be reusedinstead. Otherwise, if passphrase is needed but not set the user will beprompted for it.

URL Format

Duplicity uses the URL format (as standard aspossible) to define data locations. The generic format for a URL is:
scheme://[user[:password]@]host[:port]/[/]path
It is not recommended to expose the password on the command line sinceit could be revealed to anyone with permissions to do process listings,it is permitted however. Consider setting the environment variable FTP_PASSWORDinstead, which is used by most, if not all backends, regardless of it’sname.

In protocols that support it, the path may be preceded by a singleslash, ’/path’, to represent a relative path to the target home directory,or preceded by a double slash, ’//path’, to represent an absolute filesystempath.

Note:

Scheme (protocol) access may be provided by more than one backend.In case the default backend is buggy or simply not working in a specificcase it might be worth trying an alternative implementation. Alternativebackends can be selected by prefixing the scheme with the name of the alternativebackend e.g. ncftp+ftp:// and are mentioned below the scheme’s syntax summary.

Formats of each of the URL schemes follow:

Amazon Drive Backend

ad://some_dir

See also A NOTE ON AMAZON DRIVE

Azure

azure://container-name

See also ANOTE ON AZURE ACCESS

B2

b2://account_id[:application_key]@bucket_name/[folder/]

Cloud Files (Rackspace)

cf+http://container_name

See also A NOTE ON CLOUDFILES ACCESS

Generate Google Gs_access_key_id App

Dropbox

dpbx:///some_dir

Make sure to read A NOTE ON DROPBOXACCESS first!

Local file path

file://[relative /absolute]/local/path

FISH(Files transferred over Shell protocol) over ssh

fish://user[:password]@other.host[:port]/[relative /absolute]_path

FTP

ftp[s]://user[:password]@other.host[:port]/some_dir

NOTE: use lftp+,ncftp+ prefixes to enforce a specific backend, default is lftp+ftp://...

Gs_access_key_id

GoogleDocs

gdocs://user[:password]@other.host/some_dir

NOTE: use pydrive+, gdata+prefixes to enforce a specific backend, default is pydrive+gdocs://...

GoogleCloud Storage

gs://bucket[/prefix]

HSI

hsi://user[:password]@other.host/some_dir

hubiC

cf+hubic://container_name

See also A NOTE ON HUBIC

IMAP email storage

imap[s]://user[:password]@host.com[/from_address_prefix]

See also A NOTEON IMAP

Mega cloud storage

mega://user[:password]@mega.co.nz/some_dir

OneDriveBackend

onedrive://some_dir

Par2 Wrapper Backend

par2+scheme://[user[:password]@]host[:port]/[/]path

See also A NOTE ON PAR2 WRAPPER BACKEND

Rclone Backend

rclone://remote:/some_dir

See also A NOTE ON RCLONE BACKEND

Rsync via daemon

rsync://user[:password]@host.com[:port]::[/]module/some_dir
Rsync over ssh (only key auth)
rsync://user@host.com[:port]/[relative /absolute]_path

S3 storage (Amazon)

s3://host[:port]/bucket_name[/prefix]
s3+http://bucket_name[/prefix]
defaults

Generate Google Gs_access_key_id Account

to the legacy boto backend based on boto v2 (last update 2018/07)
alternatively try the newer boto3+s3://bucket_name[/prefix]

For detailssee A NOTE ON AMAZON S3 and see also A NOTE ON EUROPEAN S3 BUCKETS below.

SCP/SFTP access

scp://.. or
sftp://user[:password]@other.host[:port]/[relative /absolute]_path

defaultsare paramiko+scp:// and paramiko+sftp://
alternatively try pexpect+scp://, pexpect+sftp://, lftp+sftp://
See also --ssh-askpass, --ssh-options and A NOTE ON SSH BACKENDS.

Swift (Openstack)

swift://container_name[/prefix]

See also A NOTE ON SWIFT (OPENSTACK OBJECTSTORAGE) ACCESS

Public Cloud Archive (OVH)

pca://container_name[/prefix]

See also A NOTE ON PCA ACCESS

Tahoe-LAFS

tahoe://alias/directory

WebDAV

webdav[s]://user[:password]@other.host[:port]/some_dir

alternatively trylftp+webdav[s]://

pydrive

pydrive://<service account’ email address>@developer.gserviceaccount.com/some_dir

See also A NOTE ON PYDRIVE BACKEND below.

multi

multi:///path/to/config.json

See also A NOTE ON MULTI BACKEND below.

MediaFire

mf://user[:password]@mediafire.com/some_dir

See also A NOTE ON MEDIAFIRE BACKEND below.

Time Formats

duplicity usestime strings in two places. Firstly, many of the files duplicity createswill have the time in their filenames in the w3 datetime format as describedin a w3 note at http://www.w3.org/TR/NOTE-datetime. Basically they look like'2001-07-15T04:09:38-07:00', which means what it looks like. The '-07:00' sectionmeans the time zone is 7 hours behind UTC.

Secondly, the -t, --time, and --restore-timeoptions take a time string, which can be given in any of several formats:

1.
the string 'now' (refers to the current time)
2.
a sequences of digits,like '123456890' (indicating the time in seconds after the epoch)
3.
A stringlike '2002-01-25T07:00:00+02:00' in datetime format
4.
An interval, which isa number followed by one of the characters s, m, h, D, W, M, or Y (indicatingseconds, minutes, hours, days, weeks, months, or years respectively), ora series of such pairs. In this case the string refers to the time thatpreceded the current time by the length of the interval. For instance,'1h78m' indicates the time that was one hour and 78 minutes ago. The calendarhere is unsophisticated: a month is always 30 days, a year is always 365days, and a day is always 86400 seconds.
5.
A date format of the form YYYY/MM/DD,YYYY-MM-DD, MM/DD/YYYY, or MM-DD-YYYY, which indicates midnight on the dayin question, relative to the current time zone settings. For instance,'2002/3/5', '03-05-2002', and '2002-3-05' all mean March 5th, 2002.

File Selection

Whenduplicity is run, it searches through the given source directory and backsup all the files specified by the file selection system. The file selectionsystem comprises a number of file selection conditions, which are set usingone of the following command line options:
--exclude
--exclude-device-files
--exclude-if-present
--exclude-filelist
--exclude-regexp
--include
--include-filelist
--include-regexp
Each file selection condition either matches or doesn’t matcha given file. A given file is excluded by the file selection system exactlywhen the first matching file selection condition specifies that the filebe excluded; otherwise the file is included.

For instance,

duplicity --include/usr --exclude /usr /usr scp://user@host/backup
is exactly the same as
duplicity/usr scp://user@host/backup
because the include and exclude directivesmatch exactly the same files, and the --include comes first, giving it precedence. Similarly,
duplicity --include /usr/local/bin --exclude /usr/local /usr scp://user@host/backup
would backup the /usr/local/bin directory (and its contents), but not /usr/local/doc.

The include, exclude, include-filelist, and exclude-filelist options acceptsome extended shell globbing patterns. These patterns can contain *, **,?, and [...] (character ranges). As in a normal shell, * can be expanded toany string of characters not containing '/', ? expands to any characterexcept '/', and [...] expands to a single character of those characters specified(ranges are acceptable). The new special pattern, **, expands to any stringof characters whether or not it contains '/'. Furthermore, if the patternstarts with 'ignorecase:' (case insensitive), then this prefix will beremoved and any character in the string can be replaced with an upper- orlowercase version of itself.

Remember that you may need to quote thesecharacters when typing them into a shell, so the shell does not interpretthe globbing patterns before duplicity sees them.

The --exclude pattern optionmatches a file if:

1.pattern can be expanded into the file’s filename, or
2. the file is inside a directory matched by the option.

Conversely, the--include pattern matches a file if:

1.pattern can be expanded into thefile’s filename, or
2. the file is inside a directory matched by the option, or
3. the file is a directory which contains a file matched by the option.

Forexample,

--exclude /usr/local

matches e.g. /usr/local, /usr/local/lib, and/usr/local/lib/netscape. It is the same as --exclude /usr/local --exclude ’/usr/local/**’.

On the other hand

--include /usr/local

specifies that /usr, /usr/local,/usr/local/lib, and /usr/local/lib/netscape (but not /usr/doc) all be backedup. Thus you don’t have to worry about including parent directories to makesure that included subdirectories have somewhere to go.

Finally,

--includeignorecase:’/usr/[a-z0-9]foo/*/**.py’

would match a file like /usR/5fOO/hello/there/world.py. If it did match anything, it would also match /usr. If there is no existingfile that the given pattern can be expanded into, the option will not match/usr alone.

The --include-filelist, and --exclude-filelist, options also introducefile selection conditions. They direct duplicity to read in a text file(either ASCII or UTF-8), each line of which is a file specification, andto include or exclude the matching files. Lines are separated by newlinesor nulls, depending on whether the --null-separator switch was given. Eachline in the filelist will be interpreted as a globbing pattern the way--include and --exclude options are interpreted, except that lines startingwith '+ ' are interpreted as include directives, even if found in a filelistreferenced by --exclude-filelist. Similarly, lines starting with '- ' excludefiles even if they are found within an include filelist.

For example, iffile 'list.txt' contains the lines:

/usr/local
- /usr/local/doc
/usr/local/bin
+ /var
- /var

then --include-filelist list.txt would include /usr, /usr/local, and/usr/local/bin. It would exclude /usr/local/doc, /usr/local/doc/python,etc. It would also include /usr/local/man, as this is included within /user/local. Finally, it is undefined what happens with /var. A single file list shouldnot contain conflicting file specifications.

Each line in the filelistwill also be interpreted as a globbing pattern the way --include and --excludeoptions are interpreted. For instance, if the file 'list.txt' contains thelines:

dir/foo
+ dir/bar
- **

Then --include-filelist list.txt would be exactly the same as specifying--include dir/foo --include dir/bar --exclude ** on the command line.

Finally,the --include-regexp and --exclude-regexp options allow files to be includedand excluded if their filenames match a python regular expression. Regularexpression syntax is too complicated to explain here, but is covered inPython’s library reference. Unlike the --include and --exclude options, theregular expression options don’t match files containing or contained inmatched files. So for instance

--include ’[0-9]{7}(?!foo)’
matches any fileswhose full pathnames contain 7 consecutive digits which aren’t followedby ’foo’. However, it wouldn’t match /home even if /home/ben/1234567 existed.

a Note on Amazon Drive

1.
The API Keys used for Amazon Drive have not beengranted production limits. Amazon do not say what the development limitsare and are not replying to to requests to whitelist duplicity. A relatedtool, acd_cli, was demoted to development limits, but continues to workfine except for cases of excessive usage. If you experience throttling andsimilar issues with Amazon Drive using this backend, please report themto the mailing list.
2.
If you previously used the acd+acdcli backend, itis strongly recommended to update to the ad backend instead, since it interfacesdirectly with Amazon Drive. You will need to setup the OAuth once again,but can otherwise keep your backups and config.

a Note on Amazon S3

Whenbacking up to Amazon S3, two backend implementations are available. Theschemes 's3' and 's3+http' are implemented using the older boto library,which has been deprecated and is no longer supported. The 'boto3+s3' schemeis based on the newer boto3 library. This new backend fixes several knownlimitations in the older backend, which have crept in as Amazon S3 hasevolved while the deprecated boto library has not kept up.

The boto3 backendshould behave largely the same as the older S3 backend, but there are somedifferences in the handling of some of the 'S3' options. Additionally, thereare some compatibility differences with the new backed. Because of thesereasons, both backends have been retained for the time being. See the documentationfor specific options regarding differences related to each backend.

Theboto3 backend does not support bucket creation. This is a deliberate choicewhich simplifies the code, and side steps problems related to region selection. Additionally, it is probably not a good practice to give your backup rolebucket creation rights. In most cases the role used for backups should probablybe limited to specific buckets.

The boto3 backend only supports newer domainstyle buckets. Amazon is moving to deprecate the older bucket style, somigration is recommended. Use the older s3 backend for compatibility withbackups stored in buckets using older naming conventions.

The boto3 backenddoes not currently support initiating restores from the glacier storageclass. When restoring a backup from glacier or glacier deep archive, thebackup files must first be restored out of band. There are multiple optionswhen restoring backups from cold storage, which vary in both cost and speed.See Amazon’s documentation for details.

a Note on Azure Access

The Azurebackend requires the Microsoft Azure Storage SDK for Python to be installedon the system. See REQUIREMENTS above.

It uses environment variables forauthentification: AZURE_ACCOUNT_NAME (required), AZURE_ACCOUNT_KEY (optional),AZURE_SHARED_ACCESS_SIGNATURE (optional). One of AZURE_ACCOUNT_KEY or AZURE_SHARED_ACCESS_SIGNATUREis required.

A container name must be a valid DNS name, conforming to thefollowing naming rules:

1.
Container names must start with a letter or number,and can contain only letters, numbers, and the dash (-) character.
2.
Everydash (-) character must be immediately preceded and followed by a letteror number; consecutive dashes are not permitted in container names.
3.
Allletters in a container name must be lowercase.
4.
Container names must befrom 3 through 63 characters long.

a Note on Cloud Files Access

Pyrax isRackspace’s next-generation Cloud management API, including Cloud Files access. The cfpyrax backend requires the pyrax library to be installed on thesystem. See REQUIREMENTS above.

Cloudfiles is Rackspace’s now deprecatedimplementation of OpenStack Object Storage protocol. Users wishing to useDuplicity with Rackspace Cloud Files should migrate to the new Pyrax pluginto ensure support.

The backend requires python-cloudfiles to be installedon the system. See REQUIREMENTS above.

It uses three environment variablesfor authentification: CLOUDFILES_USERNAME (required), CLOUDFILES_APIKEY(required), CLOUDFILES_AUTHURL (optional)

If CLOUDFILES_AUTHURL is unspecifiedit will default to the value provided by python-cloudfiles, which pointsto rackspace, hence this value must be set in order to use other cloudfiles providers.

a Note on Dropbox Access

1.
First of all Dropbox backendrequires valid authentication token. It should be passed via DPBX_ACCESS_TOKENenvironment variable.
To obtain it please create ’Dropbox API’ application at: https://www.dropbox.com/developers/apps/create
Then visit app settings and just use ’Generated access token’ under OAuth2section.
Alternatively you can let duplicity generate access token itself. In suchcase temporary export DPBX_APP_KEY ','DPBX_APP_SECRET using values fromapp settings page and run duplicity interactively.
It will print the URL that you need to open in the browser to obtain OAuth2token for the application. Just follow on-screen instructions and then putgenerated token to DPBX_ACCESS_TOKEN variable. Once done, feel free to unsetDPBX_APP_KEY 'and'DPBX_APP_SECRET
2.
'some_dir' must already exist in theDropbox folder. Depending on access token kind it may be:
Full Dropbox:path is absolute and starts from ’Dropbox’ root folder.
App Folder: path is related to application folder. Dropbox client will showit in ~/Dropbox/Apps/<app-name>
3.
When using Dropbox for storage, be awarethat all files, including the ones in the Apps folder, will be synced toall connected computers. You may prefer to use a separate Dropbox accountspecially for the backups, and not connect any computers to that account.

Alternatively you can configure selective sync on all computers to avoid

syncing of backup files

a Note on European S3 Buckets

Amazon S3 providesthe ability to choose the location of a bucket upon its creation. The purposeis to enable the user to choose a location which is better located networktopologically relative to the user, because it may allow for faster datatransfers.

duplicity will create a new bucket the first time a bucket accessis attempted. At this point, the bucket will be created in Europe if --s3-european-bucketswas given. For reasons having to do with how the Amazon S3 service works,this also requires the use of the --s3-use-new-style option. This option turnson subdomain based bucket addressing in S3. The details are beyond the scopeof this man page, but it is important to know that your bucket must notcontain upper case letters or any other characters that are not valid partsof a hostname. Consequently, for reasons of backwards compatibility, useof subdomain based bucket addressing is not enabled by default.

Note thatyou will need to use --s3-use-new-style for all operations on European buckets;not just upon initial creation.

You only need to use --s3-european-buckets uponinitial creation, but you may may use it at all times for consistency.

Furthernote that when creating a new European bucket, it can take a while beforethe bucket is fully accessible. At the time of this writing it is unclearto what extent this is an expected feature of Amazon S3, but in practiceyou may experience timeouts, socket errors or HTTP errors when trying toupload files to your newly created bucket. Give it a few minutes and thebucket should function normally.

a Note on Filename Prefixes

Filename prefixescan be used in multi backend with mirror mode to define affinity rules.They can also be used in conjunction with S3 lifecycle rules to transitionarchive files to Glacier, while keeping metadata (signature and manifestfiles) on S3.

Duplicity does not require access to archive files exceptwhen restoring from backup.

a Note on Google Cloud Storage

Support for GoogleCloud Storage relies on its Interoperable Access, which must be enabledfor your account. Once enabled, you can generate Interoperable StorageAccess Keys and pass them to duplicity via the GS_ACCESS_KEY_ID and GS_SECRET_ACCESS_KEYenvironment variables. Alternatively, you can run gsutil config -a to havethe Google Cloud Storage utility populate the ~/.boto configuration file.

Enable Interoperable Access: https://code.google.com/apis/console#:storage
Create Access Keys: https://code.google.com/apis/console#:storage:legacy

a Note on Hubic

The hubic backend requires the pyrax library to be installedon the system. See REQUIREMENTS above. You will need to set your credentialsfor hubiC in a file called ~/.hubic_credentials, following this pattern:
[hubic]
email = your_email
password = your_password
client_id = api_client_id
client_secret = api_secret_key
redirect_uri = http://localhost/

a Note on Imap

An IMAP account can beused as a target for the upload. The userid may be specified and the passwordwill be requested.

The from_address_prefix may be specified (and probablyshould be). The text will be used as the 'From' address in the IMAP server. Then on a restore (or list) command the from_address_prefix will distinguishbetween different backups.

a Note on Multi Backend

The multi backend allowsduplicity to combine the storage available in more than one backend store(e.g., you can store across a google drive account and a onedrive accountto get effectively the combined storage available in both). The URL pathspecifies a JSON formated config file containing a list of the backendsit will use. The URL may also specify 'query' parameters to configure overallbehavior. Each element of the list must have a 'url' element, and may alsocontain an optional 'description' and an optional 'env' list of environmentvariables used to configure that backend.

Query Parameters

Query parameterscome after the file URL in standard HTTP format for example:

Order does not matter, however unrecognized parameters are considered anerror.
mode=stripe
This mode (the default) performs round-robin access tothe list of backends. In this mode, all backends must be reliable as a lossof one means a loss of one of the archive files.
mode=mirror
This mode accessesbackends as a RAID1-store, storing every file in every backend and readingfiles from the first-successful backend. A loss of any backend should resultin no failure. Note that backends added later will only get new files andmay require a manual sync with one of the other operating ones.
onfail=continue
This setting (the default) continues all write operations in as best-effort.Any failure results in the next backend tried. Failure is reported onlywhen all backends fail a given operation with the error result from thelast failure.
onfail=abort
This setting considers any backend write failureas a terminating condition and reports the error. Data reading and listingoperations are independent of this and will try with the next backend onfailure.

JSON File Example


a Note on Par2 Wrapper Backend

Par2 Wrapper Backend can be used in combinationwith all other backends to create recovery files. Just add par2+ beforea regular scheme (e.g. par2+ftp://user@host/dir or par2+s3+http://bucket_name). This will create par2 recovery files for each archive and upload themall to the wrapped backend.

Before restoring, archives will be verified.Corrupt archives will be repaired on the fly if there are enough recoveryblocks available.

Use --par2-redundancy percent to adjust the size (and redundancy)of recovery files in percent.

a Note on Pydrive Backend

The pydrive backendrequires Python PyDrive package to be installed on the system. See REQUIREMENTSabove.

There are two ways to use PyDrive: with a regular account or witha 'service account'. With a service account, a separate account is created,that is only accessible with Google APIs and not a web login. With a regularaccount, you can store backups in your normal Google Drive.

To use a serviceaccount, go to the Google developers console at https://console.developers.google.com.Create a project, and make sure Drive API is enabled for the project. Under'APIs and auth', click Create New Client ID, then select Service Accountwith P12 key.

Download the .p12 key file of the account and convert it tothe .pem format:
openssl pkcs12 -in XXX.p12 -nodes -nocerts > pydriveprivatekey.pem

The contentof .pem file should be passed to GOOGLE_DRIVE_ACCOUNT_KEY environment variablefor authentification.

The email address of the account will be used aspart of URL. See URL FORMAT above.

The alternative is to use a regular account.To do this, start as above, but when creating a new Client ID, select 'Installedapplication' of type 'Other'. Create a file with the following content,and pass its filename in the GOOGLE_DRIVE_SETTINGS environment variable:


In this scenario, the username and host parts of the URL play no role;only the path matters. During the first run, you will be prompted to visitan URL in your browser to grant access to your drive. Once granted, youwill receive a verification code to paste back into Duplicity. The credentialsare then cached in the file references above for future use.

a Note onRclone Backend

Rclone is a powerful command line program to sync files anddirectories to and from various cloud storage providers.

Once you have configuredan rclone remote via

rclone config
and successfully set up a remote (e.g.gdrive for Google Drive), assuming you can list your remote files with
rclone ls gdrive:mydocuments
you can start your backup with
duplicity /mydocumentsrclone://gdrive:/mydocuments
Please note the slash after the second colon.Some storage provider will work with or without slash after colon, butsome other will not. Since duplicity will complain about malformed URL ifa slash is not present, always put it after the colon, and the backendwill handle it for you.

a Note on Ssh Backends

The ssh backends supportsftp and scp/ssh transport protocols. This is a known user-confusing issueas these are fundamentally different. If you plan to access your backendvia one of those please inform yourself about the requirements for a serverto support sftp or scp/ssh access. To make it even more confusing the usercan choose between several ssh backends via a scheme prefix: paramiko+(default), pexpect+, lftp+... .
paramiko & pexpect support --use-scp, --ssh-askpass and --ssh-options. Only the pexpectbackend allows to define --scp-command and --sftp-command.

SSH paramiko backend(default) is a complete reimplementation of ssh protocols natively in python.Advantages are speed and maintainability. Minor disadvantage is that extrapackages are needed as listed in REQUIREMENTS above. In sftp (default) modeall operations are done via the according sftp commands. In scp mode ( --use-scp) though scp access is used for put/get operations but listing is donevia ssh remote shell.

SSH pexpect backend is the legacy ssh backend usingthe command line ssh binaries via pexpect. Older versions used scp for getand put operations and sftp for list and delete operations. The currentversion uses sftp for all four supported operations, unless the --use-scpoption is used to revert to old behavior.

SSH lftp backend is simply therebecause lftp can interact with the ssh cmd line binaries. It is meant asa last resort in case the above options fail for some reason.

Why use sftpinstead of scp? The change to sftp was made in order to allow the remotesystem to chroot the backup, thus providing better security and becauseit does not suffer from shell quoting issues like scp. Scp also does notsupport any kind of file listing, so sftp or ssh access will always beneeded in addition for this backend mode to work properly. Sftp does nothave these limitations but needs an sftp service running on the backendserver, which is sometimes not an option.

a Note on Ssl Certificate Verification

Certificateverification as implemented right now [02.2016] only in the webdav and lftpbackends. older pythons 2.7.8- and older lftp binaries need a file based databaseof certification authority certificates (cacert file).
Newer python 2.7.9+ and recent lftp versions however support the system defaultcertificates (usually in /etc/ssl/certs) and also giving an alternativeca cert folder via --ssl-cacert-path.

The cacert file has to be a PEM formattedtext file as currently provided by the CURL project. See

http://curl.haxx.se/docs/caextract.html
After creating/retrieving a valid cacert file you should copy it to either
~/.duplicity/cacert.pem
~/duplicity_cacert.pem
/etc/duplicity/cacert.pem
Duplicity searches it there in the same orderand will fail if it can’t find it. You can however specify the option --ssl-cacert-file<file> to point duplicity to a copy in a different location.

Finally thereis the --ssl-no-check-certificate option to disable certificate verificationalltogether, in case some ssl library is missing or verification is notwanted. Use it with care, as even with self signed servers manually providingthe private ca certificate is definitely the safer option.

a Note on Swift(openstack Object Storage) Access

Swift is the OpenStack Object Storageservice.
The backend requires python-switclient to be installed on the system. python-keystoneclientis also needed to use OpenStack’s Keystone Identity service. See REQUIREMENTSabove.

It uses following environment variables for authentification: SWIFT_USERNAME(required), SWIFT_PASSWORD (required), SWIFT_AUTHURL (required), SWIFT_USERID(required, only for IBM Bluemix ObjectStorage), SWIFT_TENANTID (required,only for IBM Bluemix ObjectStorage), SWIFT_REGIONNAME (required, only forIBM Bluemix ObjectStorage), SWIFT_TENANTNAME (optional, the tenant canbe included in the username)

If the user was previously authenticated,the following environment variables can be used instead: SWIFT_PREAUTHURL(required), SWIFT_PREAUTHTOKEN (required)

If SWIFT_AUTHVERSION is unspecified,it will default to version 1.

a Note on Pca Access

PCA is a long-term dataarchival solution by OVH. It runs a slightly modified version of OpenstackSwift introducing latency in the data retrieval process. It is a good pickfor a multi backend configuration where receiving volumes while an otherbackend is used to store manifests and signatures.


The backend requires python-switclient to be installed on the system. python-keystoneclientis also needed to interact with OpenStack’s Keystone Identity service. SeeREQUIREMENTS above.

It uses following environment variables for authentification:PCA_USERNAME (required), PCA_PASSWORD (required), PCA_AUTHURL (required),PCA_USERID (optional), PCA_TENANTID (optional, but either the tenant nameor tenant id must be supplied) PCA_REGIONNAME (optional), PCA_TENANTNAME(optional, but either the tenant name or tenant id must be supplied)

Ifthe user was previously authenticated, the following environment variablescan be used instead: PCA_PREAUTHURL (required), PCA_PREAUTHTOKEN (required)

If PCA_AUTHVERSION is unspecified, it will default to version 2.

a Noteon Mediafire Backend

This backend requires mediafire python library to beinstalled on the system. See REQUIREMENTS.

Use URL escaping for username(and password, if provided via command line):

mf://duplicity%40example.com@mediafire.com/some_folder

The destination folder will be created for you if it does not exist.

aNote on Symmetric Encryption and Signing

Signing and symmetrically encryptat the same time with the gpg binary on the command line, as used withinduplicity, is a specifically challenging issue. Tests showed that the followingcombinations proved working.

1. Setup gpg-agent properly. Use the option --use-agentand enter both passphrases (symmetric and sign key) in the gpg-agent’s dialog.

2. Use a PASSPHRASE for symmetric encryption of your choice but the signingkey has an empty passphrase.

3. The used PASSPHRASE for symmetric encryptionand the passphrase of the signing key are identical.

Known Issues / Bugs

Hardlinks currently unsupported (they will be treated as non-linked regularfiles).

Bad signatures will be treated as empty instead of logging appropriateerror message.

Operation and Data Formats

This section describes duplicity’sbasic operation and the format of its data files. It should not necessaryto read this section to use duplicity.

The files used by duplicity to storebackup data are tarfiles in GNU tar format. They can be produced independentlyby rdiffdir(1). For incremental backups, new files are saved normally inthe tarfile. But when a file changes, instead of storing a complete copyof the file, only a diff is stored, as generated by rdiff(1). If a fileis deleted, a 0 length file is stored in the tar. It is possible to restorea duplicity archive 'manually' by using tar and then cp, rdiff, and rmas necessary. These duplicity archives have the extension difftar.

Bothfull and incremental backup sets have the same format. In effect, a fullbackup set is an incremental one generated from an empty signature (seebelow). The files in full backup sets will start with duplicity-full whilethe incremental sets start with duplicity-inc. When restoring, duplicityapplies patches in order, so deleting, for instance, a full backup setmay make related incremental backup sets unusable.

In order to determinewhich files have been deleted, and to calculate diffs for changed files,duplicity needs to process information about previous sessions. It storesthis information in the form of tarfiles where each entry’s data containsthe signature (as produced by rdiff) of the file instead of the file’s contents. These signature sets have the extension sigtar.

Signature files are notrequired to restore a backup set, but without an up-to-date signature, duplicitycannot append an incremental backup to an existing archive.

To save bandwidth,duplicity generates full signature sets and incremental signature sets. A full signature set is generated for each full backup, and an incrementalone for each incremental backup. These start with duplicity-full-signaturesand duplicity-new-signatures respectively. These signatures will be storedboth locally and remotely. The remote signatures will be encrypted if encryptionis enabled. The local signatures will not be encrypted and stored in thearchive dir (see --archive-dir ).

Requirements

Duplicity requires a POSIX-likeoperating system with a python interpreter version 2.6+ installed. It isbest used under GNU/Linux.

Some backends also require additional components(probably available as packages for your specific platform):

Amazon Drivebackend
python-requests - http://python-requests.org
python-requests-oauthlib - https://github.com/requests/requests-oauthlib
azurebackend (Azure Blob Storage Service)
Microsoft Azure Storage SDK for Python- https://pypi.python.org/pypi/azure-storage/
boto backend (S3 Amazon Web Services,Google Cloud Storage)
boto version 2.0+ - http://github.com/boto/boto
cfpyraxbackend (Rackspace Cloud) and hubic backend (hubic.com)
Rackspace CloudFilesPyrax API - http://docs.rackspace.com/sdks/guide/content/python.html
dpbx backend(Dropbox)
Dropbox Python SDK - https://www.dropbox.com/developers/reference/sdk
gdocs gdata backend (legacy Google Docs backend)
Google Data APIs PythonClient Library - http://code.google.com/p/gdata-python-client/
gdocs pydrivebackend(default)
see pydrive backend
gio backend (Gnome VFS API)
PyGObject- http://live.gnome.org/PyGObject
D-Bus (dbus)- http://www.freedesktop.org/wiki/Software/dbus
lftp backend (neededfor ftp, ftps, fish [over ssh] - also supports sftp, webdav[s])
LFTP Client- http://lftp.yar.ru/
mega backend (mega.co.nz)
megatools client - https://github.com/megous/megatools
multi backend
Multi -- store to more than one backend
(also see A NOTE ON MULTI BACKEND ) below.
ncftp backend (ftp, select viancftp+ftp://)
NcFTP - http://www.ncftp.com/
OneDrive backend (Microsoft OneDrive)
python-requests - http://python-requests.org
python-requests-oauthlib - https://github.com/requests/requests-oauthlib
Par2Wrapper Backend
par2cmdline - http://parchive.sourceforge.net/
pydrive backend
PyDrive -- a wrapper library of google-api-python-client - https://pypi.python.org/pypi/PyDrive
(also see A NOTE ON PYDRIVE BACKEND ) below.
rclone backend
rclone - https://rclone.org/
rsync backend
rsync client binary - http://rsync.samba.org/
ssh paramiko backend(default)
paramiko (SSH2 for python) - http://pypi.python.org/pypi/paramiko(downloads); http://github.com/paramiko/paramiko (project page)
pycrypto (Python Cryptography Toolkit) - http://www.dlitz.net/software/pycrypto/
ssh pexpect backend
sftp/scp client binaries OpenSSH - http://www.openssh.com/
Python pexpect module - http://pexpect.sourceforge.net/pexpect.html
swift backend(OpenStack Object Storage)
Python swiftclient module - https://github.com/openstack/python-swiftclient/
Python keystoneclient module - https://github.com/openstack/python-keystoneclient/
webdav backend
certificate authority database file for ssl certificateverification of HTTPS connections - http://curl.haxx.se/docs/caextract.html
(also see A NOTE ON SSL CERTIFICATE VERIFICATION).
Python kerberos module for kerberos authentication - https://github.com/02strich/pykerberos
MediaFire backend
MediaFire Python Open SDK - https://pypi.python.org/pypi/mediafire/

Author

Original Author - Ben Escoto <bescoto@stanford.edu>
Current Maintainer- Kenneth Loafman <kenneth@loafman.com>
Continuous Contributors
Edgar Soldin,Mike Terry

Most backends were contributed individually. Information abouttheir authorship may be found in the according file’s header.

Also we’d liketo thank everybody posting issues to the mailing list or on launchpad,sending in patches or contributing otherwise. Duplicity wouldn’t be as stableand useful if it weren’t for you.

A special thanks goes to rsync.net, a CloudStorage provider with explicit support for duplicity, for several monetarydonations and for providing a special 'duplicity friends' rate for theiroffsite backup service. Email info@rsync.net for details.

See Also

rdiffdir(1),python(1), rdiff(1), rdiff-backup(1).