If you haven't done so, you should have a look at our Introduction to encryption in ElectricSheep.IO.
ElectricSheep.IO relies on GPG to encrypt your backup files using public key cryptography. You provide your public key to the program so that it may encrypt the backup files it creates.
GPG should be installed on the target systems: the system running ES.IO and, if you plan on using remote encryption, on the remote hosts (more on that later).
ES.IO encrypts backup files using your public key. You should therefore export it and place it on the system running the program.
gpg --armor --output </path/to>/your.public.gpg.asc --export [email protected]
In your Sheepfile indicate where ES.IO can find your public key using the
    # Replace </path/to> with the actual path
    encrypt with: '</path/to>/your.public.gpg.asc'
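A check to run on the exported key file before placing it on the system running ES.IO, as an added example (not ElectricSheep.IO code): it walks the OpenPGP packet headers inside the ASCII armor and rejects the file if any secret-key packet is present, whatever the armor header claims. The function names and the sample inputs are constructed for illustration.

```python
import base64
# OpenPGP packet tags (RFC 4880, section 4.3) that carry private key material.
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}

def dearmor(text):  # ASCII armor -> packet bytes (skips END and CRC-24 lines)
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN PGP "):
        raise ValueError("not an ASCII-armored OpenPGP file")
    body = lines[lines.index("") + 1:] if "" in lines else lines[1:]
    data = "".join(l for l in body if not l.startswith(("-", "=")))
    return base64.b64decode(data, validate=True)

def packet_tags(data):  # walk the packet headers, return every packet's tag
    tags, i = [], 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80 or (ctb & 0x43) == 0x03:
            raise ValueError("invalid or indeterminate-length packet header")
        if ctb & 0x40:  # new format: tag in the low 6 bits
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length in a key file")
        else:  # old format: tag in bits 5-2, length size in bits 1-0
            tag, size = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        tags.append(tag)
        i += length
    return tags

def check_public_key_file(text):  # text of the file named by `encrypt with:`
    tags = packet_tags(dearmor(text))
    leaked = sorted({SECRET_TAGS[t] for t in tags if t in SECRET_TAGS})
    if leaked:
        return False, "contains " + ", ".join(leaked)
    ok = 6 in tags  # tag 6 is the primary public key packet
    return ok, "public key material only" if ok else "no public key packet"

def armor(kind, packets):  # builds the constructed samples below
    b64 = base64.b64encode(packets).decode()
    return f"-----BEGIN PGP {kind} KEY BLOCK-----\n\n{b64}\n-----END PGP {kind} KEY BLOCK-----"
# Constructed samples: real packet headers, dummy bodies (not usable keys).
PUBLIC_SAMPLE = armor("PUBLIC", b"\x98\x04AAAA\xb4\x03bob\xb8\x02BB")
SECRET_SAMPLE = armor("PRIVATE", b"\x94\x04AAAA\xb4\x03bob\x9c\x02BB")
```

To check a real export, pass the contents of the armored file to `check_public_key_file`; binary (non-armored) exports are outside what this example handles.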
From now on, ES.IO is able to encrypt files locally - on the system running it - or remotely - on the remote hosts available to ES.IO through an SSH connection.
Encrypting files on the remote hosts is the most secure option but, as encryption is a CPU intensive task, it may represent a significant load on your servers. Encrypting files on the system running ES.IO saves the additional load on the remote hosts. If you copy or move your archives to the host running ES.IO using a secure protocol such as SCP, this is probably the most efficient way of encrypting them.
Say you'd like ES.IO to connect to a remote host using SSH, create a dump of a MySQL database, compress it, move it to the localhost and encrypt it:
    encrypt with: '</path/to>/your.public.gpg.asc'

    host "db-host", hostname: "db.example.com"

    job "db-backup" do
      resource "database", name: "my-database", host: "db-host"
      remotely as: "user" do
        mysql_dump user: "mysql-user", password: "secret"
        tar_gz delete_source: true
      end
      move to: "localhost", using: "scp", as: "user"
      locally do
        encrypt delete_source: true
      end
    end
The previous backup job could be run with the encryption occurring on the remote host:
    encrypt with: '</path/to>/your.public.key.gpg.asc'

    host "db-host", hostname: "db.example.com"

    job "db-backup" do
      resource "database", name: "my-database", host: "db-host"
      remotely as: "user" do
        mysql_dump user: "mysql-user", password: "secret"
        tar_gz delete_source: true
        encrypt delete_source: true
      end
      move to: "localhost", using: "scp", as: "user"
    end
ES.IO provides a CLI command to decrypt encrypted backup files. You specify the private key corresponding to the public key ES.IO used to create the backup file, the path to the encrypted input and the desired output. For example:
electric_sheep decrypt -k /path/to/private-key.gpg /var/backups/mydb-20150624-040007.gpg mydb.tar.gz
GPG private keys protected with a passphrase are not supported yet. If your private key is protected with a passphrase (it should be), use the GPG client as shown below instead.
ES.IO uses standard GPG to encrypt files, thus you may use a standard GPG client to decrypt files (provided that your private key has been imported into your keyring):
gpg --output mydb.tar.gz -d /var/backups/mydb-20150624-040007.gpg