How to Create Encrypted and Bandwidth-efficient Backups Using ‘Duplicity’ in Linux

Creating a backup with Duplicity

To start simple, let’s only backup the /var/log directory, with the exception of /var/log/anaconda and /var/log/sa.

Since this is our first backup, it will be a full one. Subsequent runs will create incremental backups (unless we add the full option with no dashes right next to duplicity in the command below):

PASSPHRASE="YourPassphraseHere" duplicity --encrypt-key YourPublicKeyIdHere --exclude /var/log/anaconda --exclude /var/log/sa /var/log scp://[email protected]:XXXXX//backups/centos7

Make sure you don’t miss the double slash in the above command! They are used to indicate an absolute path to a directory named /backups/centos7 in the backup box, and is where the backup files will be stored.

Replace YourPassphraseHere, YourPublicKeyIdHere and RemoteServer with the passphrase you entered earlier, the GPG public key ID, and with the IP or hostname of the backup server, respectively.

Your output should be similar to the following image:

Create /var Partition Backup

Create Backup using Duplicity

The image above indicates that a total of 86.3 MB was backed up into a 3.22 MB in the destination. Let’s switch to the backup server to check on our newly created backup:

Confirm Backup File

Confirm Backup File

A second run of the same command yields a much smaller backup size and time:

Compress Backup

Compress Backup

Restoring backups using Duplicity

To successfully restore a file, a directory with its contents, or the whole backup, the destination must not exist (duplicity will not overwrite an existing file or directory). To clarify, let’s delete the cron log in the CentOS box:

# rm -f /var/log/cron
Delete Cron Logs

Delete Cron Logs

The syntax to restore a single file from the remote server is:

# PASSPHRASE="YourPassphraseHere" duplicity --file-to-restore filename sftp://[email protected]//backups/centos7 /where/to/restore/filename


  1. filename is the file to be extracted, with a relative path to the directory that was backed up
  2. /where/to/restore is the directory in the local system where we want to restore the file to.

In our case, to restore the cron main log from the remote backup we need to run:

# PASSPHRASE="YourPassphraseHere" duplicity --file-to-restore cron sftp://[email protected]:XXXXX//backups/centos7 /var/log/cron

The cron log should be restored to the desired destination.

Likewise, feel free to delete a directory from /var/log and restore it using the backup:

# rm -rf /var/log/mail
# PASSPHRASE="YourPassphraseHere" duplicity --file-to-restore mail sftp://[email protected]:XXXXX//backups/centos7 /var/log/mail

In this example, the mail directory should be restored to its original location with all its contents.

Other features of Duplicity

At any time you can display the list of archived files with the following command:

# duplicity list-current-files sftp://[email protected]:XXXXX//backups/centos7

Delete backups older than 6 months:

# duplicity remove-older-than 6M sftp://[email protected]:XXXXX//backups/centos7

Restore myfile inside directory gacanepa as it was 2 days and 12 hours ago:

# duplicity -t 2D12h --file-to-restore gacanepa/myfile sftp://[email protected]:XXXXX//remotedir/backups /home/gacanepa/myfile

In the last command, we can see an example of the usage of the time interval (as specified by -t): a series of pairs where each one consists of a number followed by one of the characters s, m, h, D, W, M, or Y (indicating seconds, minutes, hourse, days, weeks, months, or years respectively).


In this article we have explained how to use Duplicity, a backup utility that provides encryption for files and directories out of the box. I highly recommend you take a look at the duplicity project’s web site for further documentation and examples.

We’ve provided man page of duplicity in PDF format for your reading convenience, is also a complete reference guide.

Feel free to let us know if you have any questions or comments.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

Gabriel Cánepa

Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide
The Complete Linux System Administrator Bundle
Become an Ethical Hacker Bonus Bundle

You may also like...

4 Responses

  1. Ron HD says:

    Putting the passphrase on the command line is a bad idea for security, as it’s visible to all users in the same host, via the ps command. Better to set the environment variable first, then run the command. Better yet, put both in a shell script with permissions of 700.

  2. Jalal Hajigholamali says:

    Very useful tool
    Thanks a lot…

  3. gdaniels says:

    How would you compare duplicity to bacula? I have been struggling to get bacula runni g on my Ubuntu 14.04 server. After reading your post, I am willing to try to use duplicity to backup my CentOS 7 laptop to the server.

  4. Fox says:

    Would it be better to use dedicated backup user instead of root for SSH connection? Or is root needed for some reason?

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.