How to Verify the Integrity of Backups on a Debian 12 Bookworm System
Ensuring the reliability and integrity of your backups is a critical part of system administration, especially for Debian-based systems. Backups that can’t be verified might as well not exist — after all, they’re only as good as your ability to restore from them accurately.
With the release of Debian 12 “Bookworm”, many users are looking for up-to-date and robust ways to verify the integrity of backups on this new system. This article will walk you through practical and reliable methods for verifying backups using command-line tools and practices native to or compatible with Debian 12.
Why Verify Backup Integrity?
Before diving into how to verify backups, let’s understand why it matters:
- Corruption detection: Files can become corrupted during the backup process or while stored due to media degradation, system errors, or software issues.
- Incomplete backups: Verifying ensures that all intended files were actually backed up.
- Recovery confidence: In a disaster recovery scenario, the last thing you want is to find out that your backup is unusable.
- Compliance: For many industries, regular integrity verification is required by law or best practices.
Common Backup Types in Debian
Before verifying a backup, you need to know what kind of backup you’re dealing with. The verification method can differ depending on the format:
- Tarball Backups (.tar.gz, .tar.xz, etc.)
- Rsync-based Backups
- BorgBackup (borg) Archives
- Restic Backups
- Duplicity Archives
- Timeshift Snapshots (for desktop users)
- Custom scripts using cp, dd, rsync, or cron jobs
Let’s go through the methods to verify these backups one by one on a Debian 12 system.
1. Verifying Tarball (tar) Backups
Tarball backups are among the most widely used for file-level backups.
A. Verify Tar File Structure
Run the following to test the archive without extracting:
tar -tvf backup.tar.gz > /dev/null
If you see no errors, the archive structure is likely fine.
B. Verify File Integrity via Checksums
If you created MD5 or SHA256 checksums of the original files before backup, you can compare them after restoration.
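Example of creating and verifying SHA256 checksums.
To create the file, run find from inside the source directory so the list records relative paths:
cd /source/dir
find . -type f -exec sha256sum {} \; > /path/to/checksums.sha256
Then, after extracting your tarball, run the check from inside the restored directory:
cd /restored/dir
sha256sum -c /path/to/checksums.sha256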
C. Use the --compare Option
Tar has a built-in compare feature if you’re restoring to a temporary directory:
tar --compare --file=backup.tar.gz --directory=/restored/dir
2. Verifying Rsync-based Backups
Rsync is commonly used to perform incremental backups, especially with scripts or cron jobs.
A. Dry Run with Checksums
Use the --dry-run and --checksum options to compare source and backup:
rsync -avnc --delete /original/data/ /backup/data/
- -n: Dry run (no changes made)
- -c: Compare file contents using checksum
- --delete: Identify files that are missing or extra
If the output lists no files or deletions (only rsync's header and summary lines), the backup is consistent.
B. Manual Checksum Comparison
Again, SHA256 or MD5 hashes of both the source and backup can be compared:
diff <(cd /source && sha256sum *) <(cd /backup && sha256sum *)
This approach works well for smaller file sets.
3. Verifying BorgBackup Archives
BorgBackup is a modern deduplicating backup tool popular with Linux admins.
A. Repository Consistency Check
borg check /path/to/repo
This checks for consistency in the backup repository.
B. Archive Verification
To check specific archives:
borg check --verify-data /path/to/repo::archive-name
This performs a deeper scan, verifying file content hashes.
C. Extract and Compare (optional)
You can extract and manually verify:
borg extract /path/to/repo::archive-name --dry-run
4. Verifying Restic Backups
Restic is another popular modern backup utility.
A. Check Repository
restic -r /path/to/repo check
This checks the integrity of the repository and snapshots.
B. Verify Snapshot Contents
Use this to compare file metadata and detect corruption:
restic -r /path/to/repo snapshots
restic -r /path/to/repo mount /mnt/backup
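Then, from a second terminal (restic mount stays in the foreground), use standard Linux tools to diff or hash files. The newest snapshot appears under snapshots/latest, with the original absolute path below it:
diff -r /mnt/backup/snapshots/latest/original /original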
Unmount when finished:
umount /mnt/backup
5. Verifying Duplicity Backups
Duplicity handles encrypted, incremental backups.
A. List and Verify Backup Chains
duplicity collection-status file:///path/to/backup
duplicity verify file:///path/to/backup /original/data
You may need to supply a passphrase if your backups are encrypted.
6. Using Checksums with Any Backup System
A universal method to verify backups is to use checksums — SHA256 is a solid choice on Debian 12.
A. Generate Checksums on Source
cd /original/data
# Write the list outside /original/data so it does not hash itself.
find . -type f -exec sha256sum {} \; > /path/to/source.sha256
B. Copy or Restore Backup and Compare
cd /restored/data
sha256sum -c /path/to/source.sha256
This allows for robust integrity validation, regardless of how the files were backed up.
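sha256sum -c only checks the files named in the checksum list, so a file that was added to the backup goes unreported. The script below is an added example, not part of the original article: it compares a stored manifest against a restored tree and labels each difference MODIFIED, MISSING or EXTRA. The function names make_manifest, compare_tree and demo, and the sample files, are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original article; names and sample files are constructed.

# make_manifest DIR: print "sha256  ./relative/path" for every file under DIR.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# compare_tree MANIFEST DIR: print one line per discrepancy; return 1 if any.
#   MODIFIED  content differs from the manifest
#   MISSING   listed in the manifest but absent from DIR
#   EXTRA     present in DIR but not listed (sha256sum -c never reports these)
compare_tree() {
    actual=$(mktemp) || return 2
    make_manifest "$2" > "$actual"
    report=$(awk '
        { path = substr($0, 67) }        # 64 hex digits + 2 separator chars
        FILENAME == ARGV[1] { want[path] = $1; next }
        { seen[path] = 1 }
        !(path in want)  { print "EXTRA    " path; next }
        want[path] != $1 { print "MODIFIED " path }
        END { for (p in want) if (!(p in seen)) print "MISSING  " p }
    ' "$1" "$actual" | sort)
    rm -f "$actual"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo: build a constructed tree, copy it, damage the copy three ways, report.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/src/etc" "$work/restored"
    printf 'alpha\n' > "$work/src/notes.txt"
    printf 'beta\n'  > "$work/src/etc/app.conf"
    printf 'gamma\n' > "$work/src/file with space.txt"
    make_manifest "$work/src" > "$work/source.sha256"   # kept outside both trees
    cp -a "$work/src/." "$work/restored/"
    printf 'tampered\n' > "$work/restored/etc/app.conf"     # silent change
    rm "$work/restored/notes.txt"                           # incomplete backup
    printf 'x\n' > "$work/restored/unexpected.sh"           # file never backed up
    rc=0
    compare_tree "$work/source.sha256" "$work/restored" || rc=$?
    rm -rf "$work"
    return "$rc"
}

demo || echo "verification failed (exit $?)"
```

In practice, write the manifest at backup time and keep it away from the backup volume, so a change to the backup cannot also rewrite the list. Filenames containing backslashes or newlines are escaped by sha256sum and are not handled by the fixed-offset parsing here.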
7. Automating Verification with Cron
Debian 12 still uses cron for job scheduling. You can automate backup verification by writing shell scripts and scheduling them.
Example Script (verify-backup.sh)
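#!/bin/bash
# Hash every file under SOURCE_DIR, then check the backup copy against those hashes.
set -euo pipefail
BACKUP_DIR="/mnt/backup"
SOURCE_DIR="/home/user"
CHECKSUM_FILE="/home/user/checksums.sha256"
cd "$SOURCE_DIR"
# Skip the checksum file itself: it lives in SOURCE_DIR and is still being written.
find . -type f ! -path "./$(basename "$CHECKSUM_FILE")" -exec sha256sum {} + > "$CHECKSUM_FILE"
cd "$BACKUP_DIR"
# sha256sum -c exits non-zero on any mismatch or missing file; the log records which.
sha256sum -c "$CHECKSUM_FILE" > /var/log/backup-verify.log 2>&1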
Add to Cron
crontab -e
Add a line like this to run daily at 3 AM:
0 3 * * * /path/to/verify-backup.sh
8. Log and Email Verification Reports
You can configure the cron job to email you logs using tools like mailx or ssmtp.
Example:
cat /var/log/backup-verify.log | mail -s "Backup Verification Report" admin@example.com
Best Practices
Here are some general recommendations for backup verification on Debian 12:
- Always test restore procedures periodically, not just integrity.
- Use offline storage to reduce bit rot or unauthorized changes.
- Store checksums outside the backup volume, ideally with the source.
- Automate and log everything — verification that isn’t logged may as well not happen.
- Leverage Btrfs or ZFS checksums if you use advanced filesystems, which offer built-in data integrity.
Final Thoughts
Backup integrity verification is an essential — but often neglected — part of a good backup strategy. On a system like Debian 12 Bookworm, you have powerful, modern tools at your disposal: from the tried-and-true tar and rsync, to advanced systems like borg, restic, and duplicity.
By integrating regular checks, comparisons, and test restores into your backup routine, you ensure that your data is not only being copied — it’s being protected.
Remember: a backup is only as good as your last successful restore.