Backup happens from all sudomesh servers to every 24 hours. The backup system uses duplicity over rsync. The backups are incremental and encrypted.

Client setup

Clients have this script in /etc/cron.daily:



and the db_dump script looks like:


/usr/bin/mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --all-databases > /var/databases/all_mysql_databases.sql

and the secure_backup script looks like:


PASSPHRASE="the_duplicity_passphrase" /usr/bin/duplicity --exclude-other-filesystems / rsync://

WARNING: Make sure the secure_backup file is only readable by root!

Key-based login has been set up for logging into by first creating the user clientuser on with a long random password, and then using ssh-copy-id from the client.

The passphrase is long and randomly generated and is also stored in multiple secure offline locations.

Server setup

The server has a user called clientuser, which is set up to allow key-based login with the client server's public SSH key.

The home directory of clientuser looks like:

root@backup:/home/clientuser# ls -l
total 12
drwxr-x--- 2 clientuser clientuser 12288 Oct 13 01:49 backup

The server has the cronjob /etc/cron.daily/backup_permissions:


# This script prevents backups from being deleted
# by the user that created them.

/bin/chmod 640 /home/clientuser/backup/*
/bin/chown root:clientuser /home/clientuser/backup/*
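
The audit script below is an added example, not part of the sudomesh setup: it checks the secure_backup warning on the client and the modes set by backup_permissions on the server, and it also reports whether the directory owner holds write and search permission on the backup directory, since on POSIX systems that directory permission, not a file's own mode, decides who may unlink it. It assumes GNU stat (-c); the function names and the client/server arguments are hypothetical.

```sh
#!/bin/sh
# Added example: audit the permissions this page describes.
# Assumes GNU coreutils stat (-c); paths and user names are the page's.

# Client side: file is owned by $2 and group/other have no access.
only_readable_by() {  # file owner
    [ "$(stat -c '%U' "$1")" = "$2" ] || return 1
    case "$(stat -c '%a' "$1")" in
        0|*00) return 0 ;;
        *) return 1 ;;
    esac
}

# Server side: the directory owner holds write+search on the directory,
# which is what permits unlinking entries, whatever the files' own modes.
dir_owner_can_unlink() {  # dir
    case "$(stat -c '%A' "$1")" in
        d?wx*) return 0 ;;
        *) return 1 ;;
    esac
}

# Server side: every file should be owner:group 640, as set by
# backup_permissions. Prints findings; returns 1 if there were any.
audit_backup_dir() {  # dir owner group
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        actual=$(stat -c '%U:%G %a' "$f")
        if [ "$actual" != "$2:$3 640" ]; then
            echo "FINDING: $f is $actual, expected $2:$3 640"
            rc=1
        fi
    done
    if dir_owner_can_unlink "$1"; then
        echo "FINDING: $(stat -c '%U' "$1") can unlink files in $1"
        rc=1
    fi
    return "$rc"
}

# Run as: <script> client /etc/cron.daily/secure_backup
#     or: <script> server /home/clientuser/backup
case "${1:-}" in
    client) only_readable_by "$2" root || echo "FINDING: $2 is not root-only" ;;
    server) audit_backup_dir "$2" root clientuser ;;
esac
```

Files uploaded since the last backup_permissions run are reported until the cronjob next runs.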