Advanced
Admin Mode
Baqpaq runs with the permissions of the user that started the application,
and has access to profiles created by that user. For example,
if your username is user1 and you start Baqpaq as a normal user,
the app will have access to all files that can be accessed by user1.
To take backups of files that you don’t have access for, start Baqpaq as
the root user using the Baqpaq (Admin Mode) launcher in applications menu.
In this mode, Baqpaq will have access to all files and folders on the system.
Admin profiles are kept separate from the profiles for each user.
You must have permissions to run applications with Admin priviledges on your system.
Caution
Do not use the same backup path for profiles created as normal user and profiles created as Admin. Each profile should save backups to a unique path.
Use sudo to run Baqpaq with root priviledges on the command-line.
For example, to create a snapshot for a root profile, you can run
sudo baqpaq create -p <profile-name>
The profile name specified in the command should be a profile that belongs to the root user i.e. created by Baqpaq while running as root user.
Tip
For each user, profiles are stored in $HOME/.config/baqpaq.
For root user, profiles are stored in /root/.config/baqpaq.
You can take a backup of these folders if you need to re-install your system.
A copy of the profile is also saved in the backup location and can be
imported on the new system. Refer Profiles > Import
for more information.
Note
Your Linux distribution must allow running GUI applications as root user. This is supported on all Linux distributions that use the X display server, and by most distributions that run Wayland.
Logging
Scheduled jobs create a log file in <Backup Path>/logs when they run.
You can view the logs by clicking the Logs button in toolbar.
Click an item on the left-hand panel to view the contents in the right-hand panel.
Items with a Red status icon indicate that the task has failed and it requires your attention.
Note
You can remove log files using the Clear button. Log files are removed automatically after 30 days when the profile is pruned. This limit can be changed from the ‘Prune’ tab in profile settings.
Note
Log files are excluded when the backup is uploaded to cloud storage. The log files are small in size and uploading a large number of small files can take a lot of time. Excluding the log files allows the upload action to complete quickly.
Credential Storage
Baqpaq stores the passphrase you provide, using one of 3 methods. This can be changed from Profile Settings > Advanced
Classic
Passphrase will be saved in the user’s home directory ($HOME/.config/baqpaq/keyinfo) in a simple text file.
- The passphrase is saved in a slightly-obscured format to deter casual snoopers.
- File permissions are set to 600 i.e. the file can be read and written only by the current user.
- Scheduled tasks (if enabled) can run even if user is not logged-in.
Tip
This mode is recommended if scheduled tasks are enabled, or if you are using Qt-based desktops like KDE or LXQt.
GNOME Keyring
Passphrase will be saved in GNOME keyring and is protected by the keyring password.
- GNOME keyring is a component of GNOME desktop that stores secrets, passwords, keys, certificates and makes them available to applications.
- If the keyring password is same as the login password, then it will be unlocked automatically when you login to your desktop. If the password is not the same, then you will be prompted to unlock the keyring when Baqpaq tries to fetch the password for the first time.
- You can change the current password for the keyring using the Seahorse application (Passwords and Keys) in application menu. It is recommended to keep the keyring password same as your login password so that it is unlocked automatically on login.
- Scheduled tasks (if enabled) will fail if user is not logged-in. Fetching the passphrase can also fail if user is logged-in but the keyring is in locked state.
Tip
This mode is recommended if scheduled tasks are not enabled
Note
Most Gtk-based desktops (MATE, Xfce, Cinnamon, etc) use GNOME services (and GNOME keyring) for managing passwords. Qt-based desktops like KDE Plasma and LXQt use KWallet which is not supported by Baqpaq.
Scripted
In this mode a script file needs to be specified for fetching the passphrase.
- The script file will be executed with bash to get the passphrase for the profile whenever it is needed.
- Scheduled tasks (if enabled) will execute the script file to get the passphrase.
- Only the first line of script output will be used as the passphrase. Remaining output (if any) is discarded.
Tip
This mode is suitable if credentials are stored on another machine, and if you need to run a script to fetch the password. Since the script is created by the user, it lets you implement your own security mechanism.
Command-line Usage
All options
Baqpaq v22.08 by Tony George ([email protected])
Usage: baqpaq <command> [options]
Commands:
i, init[-profile] Initialize profile
c, create[-snapshot] Create snapshot
ls, list[-snapshots] List snapshot for profile
lp, list-profiles List all profiles
check, validate Check consistency of repository and snapshots
ms, mount-snapshot Mount snapshot to temporary folder
mp, mount-profile Mount the backup repository for profile
us, unmount-snapshot Unmount snapshot
up, unmount-profile Unmount the backup repository for profile
ds, delete-snapshot Delete snapshot
dp, delete-profile Delete profile
e, extract[-snapshot] Extract snapshot
p, prune[-profile] Prune the backup repository for profile
sync[-profile] Sync profile to remote machine using RSync
upload[-profile] Upload profile to cloud storage using RClone
sch, schedule-cron Create/Update cron jobs based on profile settings
set-passphrase Set new passphrase for profile
break-lock Break exclusive lock for repository
remove-cache Remove local cache for profile (~/.cache/borg/<profile>)
remove-secinfo Remove security info for profile (~/.config/borg/security/<profile>)
h, help Show available commands and options
v, version Show program version
version-cli Show CLI version
General Options:
-p, --profile <name> Profile name
-s, --snap[shot] <name> Snapshot name
-s1, --snap1 <name> Snapshot name 1 (for 'diff' command)
-s2, --snap2 <name> Snapshot name 2 (for 'diff' command)
-c, --comment[s] <comments> Comments for new backup
-m, --mpath <path> Path for mounting snapshot or profile
-e, --epath <path> Path for extracting snapshot
-pp, --pass[phrase] <pass> Override profile passphrase (see Notes 2,3,4)
-npp, --new-pass[phrase] <pass> New passphrase for profile (see Notes 2,3,4)
-j, --json Print JSON-formatted output for easier parsing
-j, --scripted Scripted mode (no prompts)
--no-progress Don't print progress info (creates smaller log files if output is logged)
Prune Options:
-kh, --keep-hourly <count> Number of hourly snapshots to keep
-kd, --keep-daily <count> Number of daily snapshots to keep
-kw, --keep-weekly <count> Number of weekly snapshots to keep
-km, --keep-monthly <count> Number of monthly snapshots to keep
-ky, --keep-yearly <count> Number of yearly snapshots to keep
-kl, --keep-last <count> Number of latest snapshots to keep
NOTES:
1. Short-hand commands and options can be used to save keystrokes
For example, 'baqpaq c -p <name>' instead of 'baqpaq create --profile <name>'
2. Profile passphrase is stored on the system and does not need to be specified on the command line.
3. Option -pp, if specified, will override the profile passphrase for current invocation.
4. Profile passphrase can be changed using 'baqpaq set-passphrase -npp <newpass>' -p <name>'
5. Backup repository for profile can be mounted using 'baqpaq mount -p <name>'
6. Mount point is assigned automatically, but can also be specified using --mpath <path>
7. Mounted repository is read-only and cannot be modified while mounted.
8. Mounted repository must be unmounted explicitly with 'baqpaq unmount -p <name>'
Common actions
Create, prune, validate, sync, and upload profiles.
# create
baqpaq create -p "<profile>"
# prune
baqpaq prune -p "<profile>"
# validate
baqpaq check -p "<profile>"
# sync
baqpaq sync -p "<profile>"
# upload
baqpaq upload -p "<profile>"
# extract
baqpaq extract -p "<profile>" -s "<snapshot>" -e "<destination>"
# delete snapshots
baqpaq delete -p "<profile>" -s "<snap1,snap2,..>"
Specify Profile
For <profile> you can specify the profile name. For example, My Documents.
Profile ID can also be specified. For example, LY93bW22nkve2S09h3k5.
Specify Snapshots
For <snapshot> the snapshot name must be specified. For example, 2021-01-01_20-00-00.
# extract snapshot
baqpaq extract -p "My Documents" -s "2021-01-01_20-00-00" -e "/path/to/extract"
If you are using the Index naming scheme, then the snapshot index needs to be specified.
# delete snapshot with index 10
baqpaq delete -p "My Documents" -s 10
A range can also be specified for deleting snapshots.
# delete snapshots in range 10 to 30
baqpaq delete -p "My Documents" -s 10-30
Short-hand options
Short-hand commands and options can be used to save keystrokes. For example,
# longer syntax (more readable)
baqpaq create --profile "<profile>"
# shorter syntax (less typing)
baqpaq c -p "<profile>"
Changing passphrase
The passphrase is stored on the system and does not need to be specified on the command line.
Option -pp if specified, will override the passphrase for the current invocation.
baqpaq create -p "profile" -pp "<passphrase>"
Profile passphrase can be changed using option -npp:
baqpaq set-passphrase -npp "<new-passphrase>" -p "<profile>"
Mounting snapshots
The data repository for a profile can be mounted using:
baqpaq mount -p "<profile>"
Mount path is assigned automatically, but can also be specified using --mpath <path>
The mounted repository is read-only and cannot be modified while mounted. The repository must be unmounted explicitly after use. There is no need to specify the mount path while unmounting.
baqpaq unmount -p "<profile>"