This script provides automated, encrypted incremental backups for specified directories. It is designed to be simple, secure, and efficient, and supports remote backup.
tar --version
openssl version
apt update
apt install rsync
This step allows the script to connect via SSH without prompting for a password. It is important for automated backups:
ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote_server_ipv4_address
sudo crontab -e
0 18 * * * /path/to/backup.sh /path/to/config.sh
- The script creates a full archive of all files and folders defined by the user in a configuration file,
- Only files that have changed since the last backup are archived,
- File changes are tracked using a snapshot file (SNAPSHOT_FILE), which stores metadata about file states over time,
- The script uses the tar utility to create backup archives,
- Each archive is encrypted using OpenSSL with the AES-256-CBC algorithm,
- The encryption password is defined within the script,
rsync is provided with:
- the path to the local archive file,
- remote server login credentials (username and IPv4 address),
- the destination path on the remote server.
- Verifies that all source directories (to be backed up) exist.
- If any are missing, the script exits immediately to avoid inconsistent backups.
- Ensures that the local destination directory for backups exists.
- Automatically creates the directory if it's missing.
- Checks if the snapshot file exists.
- If not, it creates one. This file is essential for detecting incremental changes.
- Creates an incremental archive using tar and a snapshot file,
- The archive includes only files changed since the last backup,
- The archive is encrypted using AES-256-CBC via openssl,
- The resulting .tar.enc file is saved to the BACKUP_DIR,
- Transfers all files from BACKUP_DIR to the remote server using rsync over SSH,
- Uses the SSH private key specified by SSH_KEY,
- All output is logged to the file defined in LOG_FILE,
- Searches the local backup directory (BACKUP_DIR) for .tar.enc files older than 5 days,
- If old backup files are found, their paths are printed to the log and then deleted using find,
- Otherwise, if no old files are found, an informational message is logged instead,
- Verifies that there is enough free disk space available in the backup destination directory (BACKUP_DIR) before creating a new backup,
- If the available space is below the defined 2 GB, the script exits and displays an error,
- Monitors the size of the log files (backup.log and decrypt.log),
- If a log file exceeds 10 MB, it is automatically rotated,
- Helps prevent logs from growing indefinitely and consuming excessive disk space,
- Verifies that the LOG_FILE path is defined,
- If the variable is empty or missing, the script exits with an error,
- Prevents running without a valid logging destination,
- Sends a status notification to a Discord channel using a webhook,
- On success, sends an informational message confirming the backup was completed and uploaded,
- On error, sends an error message instructing the user to check the logs,
- Prevents multiple instances of the backup script from running at the same time,
- If the file already exists, the script assumes another backup process is active and exits,
A separate script, decrypt.sh, is provided to decrypt and extract backups. Additionally, all decryption logs are stored in decrypt.log for later review.
./decrypt.sh config.sh /path/to/backup_file.tar.enc /destination/directory
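
The archive, encrypt and decrypt steps described above can be reproduced by hand with the following added example. It is not the project's backup.sh or decrypt.sh. It assumes GNU tar and OpenSSL 1.1.1 or later. The function names, the BACKUP_PASS environment variable and the -pbkdf2 key derivation are choices of this example, not taken from the script.

```shell
#!/bin/sh
# Added example, not the project's backup.sh: incremental tar + AES-256-CBC.
# Assumptions: GNU tar, OpenSSL 1.1.1+, and the password held in $BACKUP_PASS
# (hypothetical name) so it does not show up in the process list.

# Use pipefail where the shell has it, so a failing tar or openssl is not masked.
(set -o pipefail) 2>/dev/null && set -o pipefail

# encrypt_backup SRC_DIR SNAPSHOT_FILE OUT_FILE
# A first run with a new snapshot file produces a full archive; later runs with
# the same snapshot file archive only what changed since the previous run.
encrypt_backup() {
    tar --create --listed-incremental="$2" -C "$1" -f - . |
        openssl enc -aes-256-cbc -salt -pbkdf2 -pass env:BACKUP_PASS -out "$3"
}

# list_backup ENC_FILE
# Prints member names without writing the decrypted archive to disk.
list_backup() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass env:BACKUP_PASS -in "$1" |
        tar --list -f -
}

# restore_backup ENC_FILE DEST_DIR
# Restore the full archive first, then each incremental archive in order.
restore_backup() {
    mkdir -p "$2" &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass env:BACKUP_PASS -in "$1" |
        tar --extract --listed-incremental=/dev/null -C "$2" -f -
}
```

openssl enc in CBC mode does not authenticate the ciphertext, so a wrong password or a modified file shows up only as a padding error from openssl or a format error from tar. Listing each archive with list_backup after it is written is a cheap way to confirm it can be decrypted before the older copies are pruned.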