man
1 backintime
backintime(1) USER COMMANDS backintime(1)
NAME
backintime - a simple backup tool for Linux.
This is the command line tool. The graphical tool is backintime-qt.
SYNOPSIS
backintime [--checksum] [--config PATH] [--debug] [--delete] [--help |
-h] [--keep-mount] [--license] [--local-backup | --no-local-backup]
[--no-crontab] [--only-new] [--profile NAME | --profile-id ID]
[--quiet] [--share-path PATH] [--version]
{ backup | backup-job | benchmark-cipher [FILE-SIZE] | check-config |
decode [PATH] | last-snapshot | last-snapshot-path | pw-cache
[start|stop|restart|reload|status] | remove[-and-do-not-ask-again]
[SNAPSHOT_ID] | restore [WHAT [WHERE [SNAPSHOT_ID]]] | shutdown |
smart-remove | snapshots-list | snapshots-list-path | snapshots-path |
unmount }
DESCRIPTION
Back In Time is a simple backup tool for Linux. The backup is done by
taking snapshots of a specified set of folders.
All you have to do is configure: where to save snapshots, what folders
to backup. You can also specify a backup schedule: disabled, every 5
minutes, every 10 minutes, every hour, every day, every week, every
month. To configure it use one of the graphical interfaces available
(backintime-gnome or backintime-kde4).
It acts as a 'user mode' backup tool. This means that you can
backup/restore only folders you have write access to (actually you can
backup read-only folders, but you can't restore them).
If you want to run it as root you need to use 'sudo -i backintime'.
A new snapshot is created only if something changed since the last
snapshot (if any).
A snapshot contains all the files from the selected folders (except for
exclude patterns). In order to reduce disk space it use hard-links (if
possible) between snapshots for unchanged files. This way a file of
10MiB, unchanged for 10 snapshots, will use only 10MiB on the disk.
When you restore a file 'A', if it already exists on the file system it
will be renamed to 'A.backup.currentdate'.
For automatic backup it use 'cron' so there is no need for a daemon,
but 'cron' must be running.
Modes
Local
Store snapshots on local HDD's (internal or USB). The drive has to
be mounted before creating a new snapshot.
Local encrypted
Store encrypted snapshots on local HDD's (internal or USB). Back
In Time uses 'encfs' with standard configuration to encrypt all
data. Please take a look at A NOTE ON SECURITY.
SSH
With Mode set to SSH you can store the backup on a remote host us-
ing the SecureShellHost protocol (ssh). The remote path will be
mount local using sshfs to provide file-access for the graphical
interface and the backup process. Rsync and other processes called
during backup process will run directly on the remote host using
ssh.
To prepare your user account for ssh-mode you have to create a
password-less login to the remote host (for further information
look at http://www.debian-administration.org/articles/152). Type
in terminal 'ssh-keygen -t rsa' hit enter for default path and en-
ter a passphrase for the private key.
Finally type 'ssh-copy-id -i ~/.ssh/id_rsa.pub <RE-
MOTE_USER>@<HOST>' and enter your password on remote host.
In Settingsdialog you need to set the host and remote user. If you
enter a relative path (no leading / ) it will start from remote
users homedir. The password has to be the passphrase for your pri-
vate key.
Cipher (the algorithm used to encrypt the data during transfer)
To optimize performance you can choose the cipher used by ssh. De-
pending on your environment you can have a massive speed increase
compared to the default cipher.
benchmark-cipher will give you an overview over which cipher is the
fastest in your environment.
If the bottleneck of your environment is the hard-drive or the net-
work you will not see a big difference between the ciphers. In this
case you should rather stay on 'default'.
Please read security information about the cipher before using them
in untrusted networks (Wifi, Internet). Some of them (Arcfour,
3DES, ...) should be handled as not secure anymore.
Remote Host
If your remote host is an embedded Linux NAS or any other device
with limited functions, you could run into some problems caused by
feature-less commands. For example some devices may not have
hardlink support for 'cp', 'chmod' and 'rsync'. In this case it may
help to install so-called Optware or Entware on your device if
available.
WARNING: THIS IS ONLY FOR EXPERIENCED USERS!
If you don't know how to compile packages and how to modify a Linux
system you should NOT try to do this. There is a significant chance
to break your device and make it completely unusable with the fol-
lowing procedure. We will not take any warranty for this. Make a
backup of your device before proceed! You have been warned!
You should install at least packages called 'bash', 'coreutils' and
'rsync'. You will have to change users default shell from
'/bin/sh' to '/opt/bin/bash' in '/etc/passwd'. To add
'/opt/bin:/opt/sbin:' to the start of the PATH environment you can
use 'Add prefix to SSH commands' in 'Expert Options' with
'PATH=/opt/bin:/opt/sbin:\$PATH'.
To check if it does work you can compare the output of '/bin/cp
--help' and '/opt/bin/cp --help'. If 'ssh <user>@<host> cp --help'
called from your PC will print the same as '/opt/bin/cp --help'
called on the remote host (via interactive ssh session) you are
ready to go.
If you have questions on how to install and configure the Optware
please refer to the community of your device. You can also take a
look on Back In Time FAQ on GitHub https://github.com/bit-
team/backintime/wiki/FAQ
If you successfully modified your device to be able to make backups
over ssh, it would be nice if you write a 'How to' on Launchpad's
Answers so we can add this to the FAQ.
SSH encrypted
Store encrypted snapshots on remote hosts using SSH. Backintime
uses 'encfs --reverse' to mount the root filesystem '/'. Rsync will
sync this encrypted view of '/' to a remote host over SSH. All en-
coding will be done on the local machine. So the password will
never be exposed to the remote host and you can use the (normally)
more powerful processor in you local machine for encryption instead
of weak NAS CPU's. The downside on this is 'encfs --reverse' does
not support 'Filename Initialization Vector Chaining' and 'Per-File
Initialization Vectors' from the standard configuration (take a
look at 'man encfs' for further information). Please take a look at
A NOTE ON SECURITY.
Because of all data is transferred encrypted the log output shows
encrypted filenames, too. In the Logview-Dialog you can use 'de-
code' option to decrypt the paths automatically or you can use
'backintime decode' to manually decrypt paths. Back In Time will
show all snapshots decoded so you can browse all files as normal.
Exclude does not support wildcards ('foo*', '[fF]oo', 'fo?') be-
cause after encoding a file these wildcards can't match any more.
Only separate asterisk that match a full file or folder will work
('foo/*', 'foo/**/bar'). All other excludes that have wildcards
will be silently ignored.
Please refer to the 'SSH' section above for information on setting
up the SSH connection.
Password
If 'Save Password to Keyring' is activated Back In Time will save the
Password into GnomeKeyring (Seahorse) or KDE-KWallet. Both are secure
password storages which encrypt the password with the users login-pass-
word. So they can only be accessed if the user is logged in.
A backup cronjob during the user isn't logged in can not collect the
password from keyring. Also if the homedir is encrypted the keyring is
not accessible from cronjobs (even if the user is logged in). For these
cases the password can be cached in RAM. If 'Cache Password for Cron'
is activated Back In Time will start a small daemon in user-space which
will collect the password from keyring and provide them for cronjobs.
They will never be written to the harddrive but a user with root per-
missions could access the daemon and read the password.
user-callback
During backup process the application can call a user callback at dif-
ferent steps. This callback is "$XDG_CONFIG_HOME/backintime/user-call-
back" (by default $XDG_CONFIG_HOME is ~/.config).
The first argument is the profile id (1=Main Profile, ...).
The second argument is the profile name.
The third argument is the reason:
1 Backup process begins.
2 Backup process ends.
3 A new snapshot was taken. The extra arguments are snap-
shot ID and snapshot path.
4 There was an error. The second argument is the error
code.
Error codes:
1 The application is not configured.
2 A "take snapshot" process is already running.
3 Can't find snapshots folder (is it on a removable
drive ?).
4 A snapshot for "now" already exist.
5 On (graphical) App start.
6 On (graphical) App close.
7 Mount all necessary drives.
8 Unmount all drives.
OPTIONS
--checksum
Force to use checksum for checking if files have been changed.
This is the same as 'Use checksum to detect changes' in Options.
But you can use this to periodically run checksums from cron-
jobs. Only valid with backup, backup-job and restore.
--config PATH
Read config from PATH. Default = ~/.config/backintime/config
--debug
Show debug messages.
--delete
Restore and delete newer files which are not in the snapshot.
WARNING: deleting files in filesystem root could break your
whole system!!! Only valid with restore.
-h, --help
Display a short help
--keep-mount
Don't unmount on exit. Only valid with snapshots-path, snap-
shots-list-path and last-snapshot-path.
--license
Show license
--local-backup
Create backup files before changing local files. Only valid
with restore.
--no-crontab
Do not install crontab entries. Only valid with check-config.
--no-local-backup
Temporary disable creation of backup files before changing local
files. Only valid with restore.
--only-new
Only restore files which does not exist or are newer than those
in destination. Using "rsync --update" option. Only valid with
restore.
--profile NAME
Select profile by name
--profile-id ID
Select profile by id
--quiet
Suppress status messages on standard output.
--share-path PATH
Write runtime data (locks, messages, log and mountpoints) to
PATH.
-v, --version
Show version
COMMANDS
backup | -b | --backup
Take a snapshot now.
backup-job | --backup-job
Take a snapshot (if needed) depending on schedule rules (used
for cron jobs). Back In Time will run in background for this.
benchmark-cipher | --benchmark-cipher [FILE-SIZE]
Show a benchmark of all ciphers for ssh transfer.
check-config
Verify the profile in config, create snapshot path and crontab
entries.
decode | --decode [PATH]
Decode encrypted PATH. If no PATH is given Back In Time will
read paths from standard input.
last-snapshot | --last-snapshot
Display last snapshot ID (if any)
last-snapshot-path | --last-snapshot-path
Display the path to the last snapshot (if any)
pw-cache | --pw-cache [start|stop|restart|reload|status]
Control the Password Cache Daemon. If no argument is given the
Password Cache will start in foreground.
remove[-and-do-not-ask-again] | --remove[-and-do-not-ask-again] [SNAP-
SHOT_ID]
Remove the snapshot. If SNAPSHOT_ID is missing it will be
prompted. SNAPSHOT_ID can be an index (starting with 0 for the
last snapshot) or the exact SnapshotID (19 caracters like
'20130606-230501-984'). remove-and-do-not-ask-again will remove
the snapshot immediately. Be careful with this!
restore | --restore [WHAT [WHERE [SNAPSHOT_ID]]]
Restore file WHAT to path WHERE from snapshot SNAPSHOT_ID. If
arguments are missing they will be prompted. To restore to the
original path WHERE can be an empty string '' or just press En-
ter at the prompt. SNAPSHOT_ID can be an index (starting with 0
for the last snapshot) or the exact SnapshotID (19 caracters
like '20130606-230501-984')
shutdown
Shutdown the computer after the snapshot is done.
smart-remove
Remove snapshots based on the configured Smart-Remove pattern.
snapshots-list | --snapshots-list
Display the list of snapshot IDs (if any)
snapshots-list-path | --snapshots-list-path
Display the paths to snapshots (if any)
snapshots-path | --snapshots-path
Display path where is saves the snapshots (if configured)
unmount | --unmount
Unmount the profile.
A NOTE ON SECURITY
There was a paid security audit for EncFS in Feb 2014 which revealed
several potential vulnerabilities.
From https://defuse.ca/audits/encfs.htm
EncFS is probably safe as long as the adversary only gets one
copy of the ciphertext and nothing more. EncFS is not safe if
the adversary has the opportunity to see two or more snapshots
of the ciphertext at different times. EncFS attempts to protect
files from malicious modification, but there are serious prob-
lems with this feature.
This might be a problem with Back In Time snapshots.
SEE ALSO
backintime-qt, backintime-config.
Back In Time also has a website: https://github.com/bit-team/backintime
AUTHOR
This manual page was written by BIT Team(<bit-team@lists.launch-
pad.net>).
version 1.3.2 Aug 2016 backintime(1)