
Encrypt your backup files

Encrypt your archives & backup files with ElectricSheep.IO

If you haven't done so, you should have a look at our [Introduction to encryption in ElectricSheep.IO](doc:introduction).

## How it works

ElectricSheep.IO relies on [GPG](https://www.gnupg.org/) to encrypt your backup files using public key cryptography. You provide your _public key_ to the program so that it may encrypt the backup files it creates.

## Setup

### Prerequisites

GPG should be installed on the target systems: the system running ES.IO and, if you plan on using remote encryption, on the remote hosts (more on that later).

### Export your public key

ES.IO encrypts backup files using your public key. You should therefore export it and place it on the system running the program.

```shell
# Replace </path/to> with the actual path
gpg --armor --output </path/to>/your.public.gpg.asc --export youremail@your-company.com
```

## Encryption

In your _Sheepfile_, indicate where ES.IO can find your public key using the `encrypt` verb:

```ruby
# Replace </path/to> with the actual path
encrypt with: '</path/to>/your.public.gpg.asc'
```

From now on, ES.IO is able to encrypt files locally - on the system running it - or remotely - on the remote hosts available to ES.IO through an SSH connection.

Encrypting files on the remote hosts is the most secure option but, as encryption is a CPU-intensive task, it may represent a significant load on your servers. Encrypting files on the system running ES.IO saves the additional load on the remote hosts. If you copy or move your archives to the host running ES.IO using a secure protocol such as SCP, encrypting them locally is probably the most efficient option.

### Local encryption

Say you'd like ES.IO to connect to a remote host using SSH, create a dump of a MySQL database, compress it, move it to the localhost and encrypt it:

```ruby
encrypt with: '</path/to>/your.public.gpg.asc'

host "db-host", hostname: "db.example.com"

job "db-backup" do
  resource "database", name: "my-database", host: "db-host"
  # Dump and compress on the remote host
  remotely as: "user" do
    mysql_dump user: "mysql-user", password: "secret"
    tar_gz delete_source: true
  end

  move to: "localhost", using: "scp", as: "user"

  # Encrypt on the system running ES.IO
  locally do
    encrypt delete_source: true
  end
end
```

### Remote encryption

The previous backup job could be run with the encryption occurring on the remote host:

```ruby
encrypt with: '</path/to>/your.public.gpg.asc'

host "db-host", hostname: "db.example.com"

job "db-backup" do
  resource "database", name: "my-database", host: "db-host"
  # Dump, compress and encrypt on the remote host before the transfer
  remotely as: "user" do
    mysql_dump user: "mysql-user", password: "secret"
    tar_gz delete_source: true
    encrypt delete_source: true
  end

  move to: "localhost", using: "scp", as: "user"
end
```

## Decrypt backup files

### Using ElectricSheep.IO (`electric_sheep`)

ES.IO provides a CLI command to decrypt encrypted backup files. You should specify the path to the encrypted input, the desired output and the private key corresponding to the public key ES.IO used to create the backup file. For example:

```shell
electric_sheep decrypt -k /path/to/private-key.gpg /var/backups/mydb-20150624-040007.gpg mydb.tar.gz
```

> **Warning: GPG Passphrase**
>
> GPG private keys with a passphrase are not supported yet. If your private key is protected with a passphrase (it should be), prefer the GPG client as shown below.

### Using GPG

ES.IO uses standard GPG to encrypt files, so you may use a standard GPG client to decrypt them (provided that your private key has been imported into your keyring):

```shell
gpg --output mydb.tar.gz -d /var/backups/mydb-20150624-040007.gpg
```