
rsync over SSH: backup your data securely

Using rsync over SSH is a secure way to back up your system. SSH encrypts your data as it crosses the internet and protects the transmission from hackers and other threats. The good news is that rsync uses the SSH protocol by default. In this tutorial I will show you how to use rsync over SSH and how to configure SSH keys for passwordless backups.

rsync over SSH requirements

  • SSH access to server
  • rsync client installed locally

Installing rsync

In most cases rsync will already be installed on your system. If it’s not, it can be easily installed.

Debian/Ubuntu

sudo apt-get install rsync

CentOS

sudo yum install rsync

Testing the connection

Test the connection to your server by connecting with SSH:

ssh user@remotehost.com

If all goes well you should be greeted by a password prompt.

Testing rsync

If you can connect with SSH, you can connect with rsync over SSH. Test rsync by initiating a dry-run backup of your home directory:

rsync -nav user@remotehost:~/ /path/to/local/backup/folder/

With any luck you will see your files and folders fly by the screen. Note that we did not have to use the -e switch. Since rsync uses SSH by default, this is not necessary unless you need to specify additional connection parameters (a non-standard port or SSH key location).

Setting up SSH keys

We can set up SSH keys so rsync doesn’t need a password to connect. This is useful for automating your backups with cron while staying completely secure. SSH keys are generated on your local computer and then copied to the remote host. Generate a key pair with the following command:

ssh-keygen -t rsa

Save the keys in the default location or specify another directory:

Enter file in which to save the key (/home/demo/.ssh/id_rsa):


Leave the passphrase blank by hitting enter through the following prompt:

Enter passphrase (empty for no passphrase):

Here is what you should see:

Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 user@a
The key's randomart image is:
+--[ RSA 2048]----+
|          .oo.   |
|         .  o.E  |
|        + .  o   |
|     . = = .     |
|      = S = .    |
|     o + = +     |
|      . o + o .  |
|           . o   |
|                 |
+-----------------+

While it would be more secure to enter a passphrase, rsync can’t be automated in this way. However, this method is still secure because a hacker would need to obtain your private key to gain access to the server.

Next we copy the public key to the server. Security tip: Never grant your keys to the root account. Always copy your keys to a standard user account. This way if a hacker jacks your private key he would only have limited access to your box.

ssh-copy-id user@remotehost.com

If prompted, type yes to connect and then enter your password to complete the transfer:

The authenticity of host '12.34.56.78 (12.34.56.78)' can't be established.
RSA key fingerprint is b1:2d:33:67:ce:35:4d:5f:f3:a8:cd:c0:c4:48:86:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '12.34.56.78' (RSA) to the list of known hosts.
user@12.34.56.78's password: 
Now try logging into the machine, with "ssh 'user@12.34.56.78'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Boom goes the dynamite. You should now be able to run rsync over ssh without a password.
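
The ssh-copy-id output above asks you to check ~/.ssh/authorized_keys, and a passphrase-less key is only as limited as its entry in that file. The script below is an added example, not part of the original tutorial: it lists each key in an authorized_keys file and marks whether it is pinned to a forced command or can run any command the account can. The sample entries are constructed, and the rrsync wrapper and the /home/user path in them are assumptions.

```shell
# Added example, not part of the original tutorial. Prints one line per key:
#   <line-number> <SHELL|FORCED|MALFORMED> <key-type> <comment>
# SHELL  = no command="..." option: the key can run anything the account can.
# FORCED = the key is pinned to a forced command (e.g. an rsync wrapper).
audit_authorized_keys() {
    awk '
    function is_keytype(s) {
        return s ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9@.-]+)$/
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line); opts = ""
        split(line, f, /[ \t]+/)
        if (!is_keytype(f[1])) {
            # Options come first and end at the first blank outside quotes;
            # inside quotes a backslash escapes the next character.
            inq = 0
            for (i = 1; i <= length(line); i++) {
                c = substr(line, i, 1)
                if (inq && c == "\\") { i++; continue }
                if (c == "\"") inq = !inq
                else if (!inq && (c == " " || c == "\t")) break
            }
            opts = substr(line, 1, i - 1)
            line = substr(line, i + 1); sub(/^[ \t]+/, "", line)
        }
        n = split(line, f, /[ \t]+/)
        if (!is_keytype(f[1])) { print NR, "MALFORMED", "-", "-"; next }
        forced = (opts ~ /^command="/ || opts ~ /,command="/)
        print NR, (forced ? "FORCED" : "SHELL"), f[1], (n >= 3 ? f[3] : "-")
    }' "$@"
}

# Number of keys that still allow arbitrary commands.
count_shell_keys() {
    audit_authorized_keys "$@" | awk '$2 == "SHELL" { n++ } END { print n + 0 }'
}

# Constructed sample entries (key blobs shortened, not real keys).
sample_keys() {
    cat <<'EOF'
# backup host keys
ssh-rsa AAAAB3NzaC1yc2E user@laptop
restrict,command="rrsync -ro /home/user" ssh-ed25519 AAAAC3NzaC1lZDI1 backup@cron
from="192.0.2.10",command="echo \"ssh-rsa x\"" ssh-rsa AAAAB3NzaC1yc2E quoted@test
EOF
}

sample_keys | audit_authorized_keys
```

To audit the real file on the server, call audit_authorized_keys ~/.ssh/authorized_keys. Any line marked SHELL that belongs to an unattended backup key is a candidate for a forced command.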

Resources

http://linux.die.net/man/1/rsync

 
