before you begin

Before you can start backing things up off-site in a secure fashion, you’ll need to get a few pieces of the puzzle in place. Namely, you’ll need software installed (duplicity), a GPG key (for encryption), and an Amazon S3 account setup (for storage), and then use a backup script that can be run automatically (for laziness’s sake!).

Getting an Amazon S3 account is easy to do: head over to http://aws.amazon.com/s3/ and sign up; grab your “Access Key ID” and “Secret Access Key” and you are ready to go. There is a lot you can do with S3 (and a lot of ways to access it), but for our purposes, this is pretty much all you need.

Lastly, I would recommend spending a little time reading about duplicity (see the man page) as well as GnuPG (man page). There is a lot to consider, and I just picked the options I thought would work best for me.

Install the Software: Duplicity

For this to work we need duplicity installed with all the correct dependencies. The easiest way to do this on your Mac is to simply use MacPorts, which has an up-to-date version in the repositories (see Installing MacPorts if you don’t have it installed already). If you already have MacPorts installed, all you should have to do is run the following from the Terminal:

• $ sudo port install duplicity py25-socket-ssl py25-boto

If you are using Ubuntu, you could simply run sudo aptitude install duplicity to install the program (it is in the repositories); however, if you want to make sure you are using the latest version (which may not be available there yet), you can try this:

• $ sudo apt-get build-dep duplicity
• $ sudo aptitude install python-boto ncftp
• $ wget http://savannah.nongnu.org/download/duplicity/duplicity-0.5.07.tar.gz
• $ tar xvzf duplicity-0.5.07.tar.gz
• $ cd duplicity-0.5.07/
• $ sudo python setup.py install

If you ever want to upgrade again, just download and untar the latest version and run the last setup line again.  It will install the newest version for you.

If everything has installed correctly, you can do a test run pretty easily on your local machine by backing up a folder to another local folder (first command) and then restoring it to a different folder (second command). If you look inside this /test/backup-location/ you’ll see what duplicity looks like:

• $ duplicity --no-encryption /test/folder/ file:///test/backup-location/
• $ duplicity --no-encryption file:///test/backup-location/ /test/restore-location/

Setting Up Encryption

For duplicity to really shine, it needs to have a gpg key to encrypt your files. If you don’t already have one, you can create it by running the following (read the documentation for more information):

• $ gpg --gen-key

I used all the defaults when setting up my key and chose my own passphrase. Unfortunately, in order to make this work without user input (as an automatic cron job), the passphrase is going to have to be stored somewhere on your computer locally, so, I wouldn’t use one of your usual passwords (something really long and unique would be better).  Also, if you already have a gpg key (or want to use one for other purposes), I would recommend making a different one for the Amazon S3 backups — because, in the end, your password has to be stored somewhere on your computer for it to work auto-magically.

Once you have your gpg key created you can check it out by running:

• $ gpg --list-keys

This shows your new key, which probably looks something like this:

pub   1024D/CA4ZA320 2008-11-15
uid                  Damon Timm (thornomad) email@example.com
sub   2048g/C1E64A4F 2008-11-15

Note the public key identifier “CA4FA320″ (yours will be different); we will need that to go in our script.

final step: using a backup script

So, everything is on your system and, hopefully, working.  Now, to run a backup takes a lot of typing (on the command line) and the easiest way to avoid this chore is to run a backup script.  A script can store your Amazon and GPG key information and make it so you don’t have to type anything ever again!

Backing things up is a very personal task, and everyone is going to want to do it a little differently. I created my own backup script which you are happy to check out — if you have any neat features you add to suggestions, I would love to hear them and incorporate them.

Good luck!

This is because, apparently, OpenSSL has a license that is incompatible with Debian’s GPL. Regardless: clear text is bad; encryption is good. And since Ubuntu doesn’t package netatalk with the appropriate encryption support, one must do it oneself.

Updated 05.08.09: Just tested this with Jaunty (09.04) and the package in the repositories works with no extra steps. If you are using an older version of Ubuntu, however, you will want to follow these instructions. Tested with Intrepid Ibex (8.10) as well as: 6.06, 7.04, 7.10, and 8.06.

about this guide

When I first found that Ubuntu’s netatalk package didn’t support encrypted authentication, I tried to compile netatalk from the source. I didn’t get very far. Throwing up my hands in frustration, I spent some more time on google and found some ideas at the Ubuntu Forums. Pulling it all together, with ideas and fixes from comments (below), this is what I came up with (which I think is a lot easier than building from source).

steps to follow

NOTE: If you have already installed netatalk you should remove it before proceeding with a sudo aptitude purge netatalk before you get going.

• sudo aptitude update
• mkdir -p ~/src/netatalk
• cd ~/src/netatalk
• sudo aptitude install cracklib2-dev libssl-dev
• apt-get source netatalk
• sudo apt-get build-dep netatalk
• cd netatalk-2.0.3
• sudo DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -us -uc
• sudo debi
• echo "netatalk hold" | sudo dpkg --set-selections

The basic trend of this set of operations is to: create a directory where all the messy files can be stored, download necessary packages, get the netatalk source, compile the source with the ssl option, install the package, then tell Ubuntu never to update the package (because if it did, it would break).

Settings for the netatalk service can be found on your Ubuntu machine at /etc/netatalk/. There are a couple configuration files in there with instructions. Good luck.

configuration files

One of the first changes I make after installing netatalk is to disable some of the services that I don’t need running (and start those that I do). To do this, I edit: /etc/default/netatalk, changing the daemons that run so that it ends up looking like this (which allows netatlk to restart a lot quicker without the atalkd daemon — which is a holdover from pre-OS X times):

# Set which daemons to run (papd is dependent upon atalkd):
ATALKD_RUN=no
PAPD_RUN=no
CNID_METAD_RUN=no
AFPD_RUN=yes
TIMELORD_RUN=no
A2BOOT_RUN=no

These are the settings I am using since I only need the afp file server — one thing to note, however, is that if you want to use the dbd databashe scheme rather than cdb, you need to set CNID_METAD_RUN to yes.  cdb is supposed to be faster, while dbd is supposed to be “corruption-proof”.  You can read it about in the docs.

After you’ve saved changes to this configuration file, run the following to restart netatalk:

• sudo /etc/init.d/netatalk restart

other tips and tricks

Here are a couple other thoughts and pointers that I’ve picked up over the years …

multiple afp servers running on the same network

I never thought much of it, but I did notice: if you have two different servers on your network running netatalk, you are unable to login to both of them at the same time. JET posted a solution to this and it works flawlessly. It has changed my life.

multiple network interfaces causing errors

Update (9/24/07 & 10/22/07): I’ve noticed a few people mentioning they get an error when compiling and/or starting netatalk (from ubuntuforums.org as well). Folks with more than one available network adapter (like eth1 and eth2, or virtual adapters created by vmware) seem to run an error when they compile and during runtime . During compile time you might have have an error that ends in:

• dpkg: error processing netatalk (--install):
• subprocess post-installation script returned error exit status 1
• Errors were encountered while processing:
• netatalk
• debi: debpkg -i failed

After this, you would probably get an error at runtime that looked like:

• Starting Netatalk services (this will take a while): nbp_rgstr: Connection timed out

Tim Pope wrote a suggested fix in the comments below that should eliminate the conflict between the multiple adapters. I only have one adapter myself (and don’t use vmware) so I haven’t had a chance to try it yet myself. Let me know if this works for you as well.