Today I set up backupninja together with dt-s3-backup to back up my server, gpg-encrypted, to Amazon’s S3 storage. It’s quite a cost-effective way to back things up and can easily be automated. I used the good tutorial at Marcin Gryszko’s blog for the setup. It’s quite good, so I will only add some tips here to get around problems and to improve safety a bit.
One thing that also helps with the Deja-Backup tool for Ubuntu/Debian: often a Python library is missing that duplicity (the backup program used here and also behind Deja-Backup) needs to work with S3. So if duplicity complains that it can’t access S3, you need to install the package “python-boto”.
You also want to create a dedicated user for the backup process at S3. After a bit of research I found, on the Random Musings Blog, the help with the IAM policy that I wanted (it’s not really simple in my eyes). When you add your backup user, attach a policy like this (with your bucket name in it):
    {
      "Statement": [
        {
          "Action": [
            "s3:ListAllMyBuckets"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Action": "s3:*",
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::bucket_name_here"
        },
        {
          "Action": "s3:*",
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::bucket_name_here/*"
        }
      ]
    }
That way we limit our user to accessing only our backup bucket, and so can separate our backup buckets from each other: if one gets compromised, it does not affect the other buckets or our main user. This also works well with Deja-Backup.
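To confirm that a policy really confines the backup user to one bucket, the sketch below (an added example, not taken from the post or the blogs it cites) reports every Allow that reaches beyond the bucket with anything other than a list-only action. The bucket name `example-backup-bucket` and the helper names are assumptions made for illustration.

```python
import json

# The post's policy with a constructed bucket name filled in.
BUCKET = "example-backup-bucket"
POLICY = json.loads("""
{"Statement": [
  {"Action": ["s3:ListAllMyBuckets"], "Effect": "Allow",
   "Resource": "arn:aws:s3:::*"},
  {"Action": "s3:*", "Effect": "Allow",
   "Resource": "arn:aws:s3:::example-backup-bucket"},
  {"Action": "s3:*", "Effect": "Allow",
   "Resource": "arn:aws:s3:::example-backup-bucket/*"}
]}
""")

def as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def out_of_scope(policy, bucket, list_only=("s3:ListAllMyBuckets",)):
    """Return (statement index, action, resource) for every Allow that
    reaches beyond `bucket` with anything other than a list-only action."""
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for index, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        # A statement using NotAction/NotResource has no Action/Resource key;
        # treat the missing key as "*" so it is reported, not skipped.
        for resource in as_list(stmt.get("Resource", "*")):
            if resource in in_scope:
                continue
            for action in as_list(stmt.get("Action", "*")):
                if action not in list_only:
                    findings.append((index, action, resource))
    return findings

if __name__ == "__main__":
    for finding in out_of_scope(POLICY, BUCKET):
        print("out of scope:", finding)
    print("checked", len(POLICY["Statement"]), "statements")
```

An empty result means the only grant outside the bucket is the bucket listing; the match is exact and deliberately strict, so a wildcard such as `arn:aws:s3:::example-backup*` is reported as well.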
With this it should be quite easy to set up an automated backup to Amazon S3. My thanks go out to the two blogs, as they were a great help and finally let me get things started! I hope this collection of hints helps you, too. A word for those probably saying “S3? Cloud? Isn’t it insecure?”: we counter the problem of possible spying on our data by using gpg encryption with a password, and if you use a random password of 30-50 letters and numbers, it should be so strong that even a computer cluster would have trouble breaking it in a reasonable time.
