Rdiff-backup with ssh Configuration in Debian

What is rdiff-backup?

rdiff-backup backs up one directory to another, possibly over a network. The target directory ends up a copy of the source directory, but extra reverse diffs are stored in a special subdirectory of that target directory, so you can still recover files lost some time ago. The idea is to combine the best features of a mirror and an incremental backup. rdiff-backup also preserves subdirectories, hard links, dev files, permissions, uid/gid ownership, modification times, extended attributes, acls, and resource forks. Also, rdiff-backup can operate in a bandwidth efficient manner over a pipe, like rsync. Thus you can use rdiff-backup and ssh to securely back a hard drive up to a remote location, and only the differences will be transmitted. Finally, rdiff-backup is easy to use and settings have sensical defaults.

rdiff-backup Requirements

A POSIX operating system, like Linux or Mac OS X

Python v2.2 or later (see

librsync v0.9.7 or later

The python module pylibacl is optional, but necessary for access control list support.

The python module pyxattr is optional, but necessary for extended attribute support.

Download rdiff-backup

rdiff-backup Documentation and Tutorials

rdiff-backup FAQ

First, make sure that ssh is installed on your machines before you proceed further.

Install rdiff-backup in Debian

You need to install rdiff-backup on both your source machine and your target machine:

#apt-get install rdiff-backup

Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 8 not upgraded.
Need to get 0B/148kB of archives.
After unpacking 569kB of additional disk space will be used.
Selecting previously deselected package rdiff-backup.
(Reading database ... 28792 files and directories currently installed.)
Unpacking rdiff-backup (from .../rdiff-backup_0.13.4-5_i386.deb) ...
Setting up rdiff-backup (0.13.4-5) ...

This will install rdiff-backup on your machine.

Create The Public Keys On Target machine

On the target machine, we create a group and an unprivileged user called rdiff. This user rdiff will run the backups. We do not want root to run the backups for security reasons!

#groupadd -g 3500 rdiff

#useradd -u 3500 -s /bin/false -d /backup -m -c "rdiff" -g rdiff rdiff

The second command creates the user rdiff-backup with the home directory /backup (which is created automatically by this command if it does not exist already) who is not allowed to login on the shell (again for security reasons). If the group ID and user ID 3500 are already in use on your system, replace them by another (free) ID.

Then run

#su -m rdiff

With this command you become the user rdiff on the shell. All the following commands must be run as user rdiff.

Create the keys:

#cd /backup

#ssh-keygen -t rsa
Generating public/private rsa key pair.

Enter file in which to save the key (/backup/.ssh/id_rsa):

Created directory '/backup/.ssh'.
Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /backup/.ssh/id_rsa.
Your public key has been saved in /backup/.ssh/

The key fingerprint is:
88:18:4e:55:e9:27:8e:2a:44:4b:03:bd:9d:0f:fc:48 [email protected]

It is fine to save the key in /backup/.ssh/id_rsa, so you can simply hit Enter. It is important that you do not enter a passphrase; otherwise the backup will not work without human interaction, so hit Enter again. In the end two files are created: /backup/.ssh/id_rsa and /backup/.ssh/

Next create the file /backup/.ssh/config with the following contents

host server1_backup
hostname
user root
identityfile /backup/.ssh/id_rsa
compression yes
cipher blowfish
protocol 2

The value of host is what we use later on to start the backup. You can use any name that you like (e.g. server1_backup, this_is_the_machine_i_want_to_backup, etc.), but it should not contain whitespace; underscores are ok.

Change the permissions of that file:

#chmod -R go-rwx /backup/.ssh

Now we copy our public key over to the remote server:

#ssh-copy-id -i ~/.ssh/ [email protected]

This will look like this:

# ssh-copy-id -i ~/.ssh/ [email protected]

The authenticity of host ' (' can't be established.
RSA key fingerprint is c7:19:55:7a:54:ce:93:c8:b6:f9:0e:e3:65:24:64:11.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
Now try logging into the machine, with "ssh '[email protected]'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Once again you have to type in the root password of the remote server. This command copies the public key of the user rdiff-backup to the file /root/.ssh/authorized_keys on the remote server.

Log in as root on the remote server and have a look at /root/.ssh/authorized_keys. It should look similar to this:

ssh-rsa AAAAB3Nza[...]W1go9M= [email protected]

Now prepend the following string to /root/.ssh/authorized_keys:

command="rdiff-backup --server --restrict-read-only /",from="",no-port-forwarding,no-X11-forwarding,no-pty

It must be on one line with the key, separated only by a space:

command="rdiff-backup --server --restrict-read-only /",from="",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3Nza[...]W1go9M= [email protected]

This will run the command rdiff-backup --server --restrict-read-only / when the user rdiff-backup connects from the target machine to the source machine over SSH. --restrict-read-only / makes sure that rdiff-backup has only read access on the source machine. Whether this works depends on your rdiff-backup version. If it does not work for you, you can leave out --restrict-read-only / so that it reads

command="rdiff-backup --server",from="",no-port-forwarding,no-X11-forwarding,no-pty

In from="" you should use the hostname that a reverse lookup of the target machine's IP address returns.

You can also use the target machine's IP address:

command="rdiff-backup --server --restrict-read-only /",from="",no-port-forwarding,no-X11-forwarding,no-pty

Next run

#chmod -R go-rwx /root/.ssh
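
The following is an added example, not part of the original page: a POSIX shell check that audits an authorized_keys file for the restrictions described above (a forced rdiff-backup --server command, a non-empty from=, and the three no-* options). The sample entries, host names and key strings are constructed placeholders; the check also accepts OpenSSH's restrict option in place of the individual no-* options.

```shell
#!/bin/sh
# Added example (not from the original page): audit authorized_keys entries
# for the restrictions this tutorial applies to the backup key.
# Reads the file on stdin; prints "OK <n>" or "WEAK <n>:<reasons>" per key
# and returns 1 if any key is weak. Option names are matched case-sensitively.
audit_authorized_keys() {
    n=0 rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1)) weak=''
        case $line in
            ''|'#'*) continue ;;                       # blank line or comment
            ssh-*|ecdsa-*|sk-*) weak=' no-options' ;;  # key type first: unrestricted
        esac
        if [ -z "$weak" ]; then
            opts=$line                                 # keep only the options field
            for t in ssh- ecdsa- sk-; do opts=${opts%%" $t"*}; done
            case $opts in
                *'command="rdiff-backup --server'*) ;;
                *) weak="$weak no-forced-command" ;;
            esac
            case $opts in
                *'from=""'*) weak="$weak empty-from" ;;  # from= present but empty
                *'from="'*) ;;
                *) weak="$weak no-from" ;;
            esac
            for flag in no-port-forwarding no-X11-forwarding no-pty; do
                case ",$opts," in
                    *",$flag,"*|*",restrict,"*) ;;     # "restrict" implies all three
                    *) weak="$weak $flag" ;;
                esac
            done
        fi
        if [ -n "$weak" ]; then echo "WEAK $n:$weak"; rc=1; else echo "OK $n"; fi
    done
    return $rc
}

# Constructed sample file; key material, host names and comments are placeholders.
sample_keys() {
    cat <<'EOF'
# backup key, restricted as in the tutorial
command="rdiff-backup --server --restrict-read-only /",from="backup.example.org",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAEXAMPLEKEY1 rdiff@backup
ssh-rsa AAAAEXAMPLEKEY2 admin@laptop
command="rdiff-backup --server",from="",no-pty ssh-rsa AAAAEXAMPLEKEY3 rdiff@old
EOF
}

sample_keys | audit_authorized_keys || :
```

To check a real file, run the function with the file on standard input, for example audit_authorized_keys < /root/.ssh/authorized_keys.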

Then have a look at /etc/ssh/sshd_config. It should contain the lines

RSAAuthentication yes
PubkeyAuthentication yes

Restart ssh if you had to change /etc/ssh/sshd_config:

#/etc/init.d/ssh restart

Test rdiff-backup On Target Machine

Back on the target machine, again as the user rdiff-backup, we test the backup:

#cd /backup
#rdiff-backup server1_backup::/boot boot

In the second command you see the string server1_backup. That is the string we used in /backup/.ssh/config after host. With this second command, the user rdiff will connect to the source machine as the root user and save the directory /boot of the source machine to the directory /backup/boot on the target machine. If you see that it is working and you do not have to type in a password.

Now all that is left to do is to create a cron job. Still as user rdiff-backup, run

#crontab -e

and create a cron job like this:

40 2 * * * /usr/bin/rdiff-backup --exclude /tmp --exclude /mnt --exclude /proc --exclude /dev --exclude /cdrom --exclude /floppy server1_backup::/ /backup/server1

This runs the backup every night at 2.40h, saving the directory / with all subdirectories (excluding /tmp, /mnt, /proc, /dev, /cdrom, /floppy) of the source machine in /backup/server1 on the target machine.