encrb incrementally backs up local directories to a remote machine as encrypted files using encfs --reverse and rsync.
$ ./encrb $HOME/documents $HOME/projects some.server.eu:/home/user/backups/
First run will generate a random password, save it to KEYFILE and prompt for encfs settings (pressing enter picks the defaults). Further runs will not require any user input.
$ ./encrb --help
Usage: encrb [options] dir-to-back-up1... remotepath
Options:
-h, --help show this help message and exit
-k KEYFILE, --keyfile=KEYFILE
encfs keyfile to use [~/.encrb/encfs.xml]
-p PASSFILE, --passfile=PASSFILE
file containing encfs keyfile password [~/.encrb/
password]
-b BWLIMIT, --bwlimit=BWLIMIT
Bandwidth limit (KiB/s) for rsync [0]
-P, --port=PORT Port used by rsync [22]
-v, --verify Instead of backing up, verify that the backups
match sources
--backup-keyfile Backup Encfs keyfile on remote machine -
NOT RECOMMENDED
--no-env-check Disable environment tool version checking
-i INCLUDEFILE, --include-from=INCLUDEFILE
Read rsync include patterns from file
-e EXCLUDEFILE, --exclude-from=EXCLUDEFILE
Read rsync exclude patterns from file
--no-delete Do not delete existing remote files that are no
longer present locally or have been excluded
-P --Port Port used by rsync (22 default)
-t --tmpdir Define a custom tmp dir where the reverse encfs will be mounted, if not set, the system default temp dir will be used.
Remember to back up the keyfile and the password! If you lose them, you will lose access to the encrypted data. Naturally you should not back up the keyfile to the same place where you put the actual backups. And it is a very good idea to have multiple backups of the keyfile (and password). For maximum security, keep the data, the keyfile and the password at different locations. If remote environment is semi-trusted (e.g. your home server) you could use "--backup-keyfile" parameter to backup keyfile remotely.
To exclude local files from being remotely backed up you can use "--exclude-from" option. All entries must be relative to your backup directory. For example, if you call encrb with "--exlcude-from ~/.encrb/ exclude.txt", and exclude.txt would have the following content:
# Complete directories
Downloads/
# Contents of the directory, but not itself
Pictures/*
# Large files
vm_disk.img
it would not backup "Downloads/" directory, the content of "Pictures/*" and "vm_disk.img" file remotely, relative to your backup dir. So if you are backing up "/home/user/" path, rsync would exclude "/home/user/Downloads/" directory and "home/user/" vm_disk.img" file completely, but would create an empty "Pictures" directory on the remote machine. Note: empty and lines starting with "#" are ignored.
"--no-delete" option can protect from accidental local file deletion. A good idea is to run encrb with this option on hourly basis and only allow deletion (i.e. no option provided) on weekly basis thus still reclaiming space on the remote machine but having an option for fast file recovery on accidental file removal.
You most likely want to run encrb from crontab. I recommend using flock or something similar to make sure no multiple instances are running, like this:
30 0 * * * flock -n /tmp/encrb.lockfile /path/to/encrb --bwlimit 100 $HOME/docs $HOME/projects some.server.eu:/home/user/backups/
To recover files from encrypted backup use:
# ENCFS6_CONFIG=/path/to/encfs.xml encfs /path/to/ecrypted/backup /path/to/mountpoint
- encfs 1.7.3 or later
- python2
- rsync
- sshfs
encrb is licensed under GPLv3, see http://www.gnu.org/licenses/gpl-3.0.html