Encrypt your backup files
Encrypt your archives & backup files with ElectricSheep.IO
If you haven't done so, you should have a look at our Introduction to encryption in ElectricSheep.IO.
How it works
ElectricSheep.IO relies on GPG to encrypt your backup files using public key cryptography. You provide your public key to the program so that it may encrypt the backup files it creates.
Setup
Prerequisites
GPG should be installed on the target systems: the system running ES.IO and, if you plan on using remote encryption, on the remote hosts (more on that later).
Export your public key
ES.IO encrypts backup files using your public key. You should therefore export it and place it on the system running the program.
gpg --armor --output </path/to>/your.public.gpg.asc --export [email protected]
Encryption
In your Sheepfile indicate where ES.IO can find your public key using the encrypt
verb:
# Replace </path/to> with the actual path
encrypt with: '</path/to/>your.public.gpg.asc'
From now on, ES.IO is able to encrypt files locally - on the system running it - or remotely - on the remote hosts available to ES.IO through an SSH connection.
Encrypting files on the remote hosts is the most secure option but, as encryption is a CPU intensive task, it may represent a significant load on your servers. Encrypting files on the system running ES.IO saves the additional load on the remote hosts. If you copy or move your archives to the host running ES.IO using a secure protocol such as SCP, this is probably the most efficient way of encrypting them.
Local encryption
Say you'd like ES.IO to connect a remote host using SSH, create a dump of a MySQL database, compress it, move it to the localhost and encrypt it:
encrypt with: '</path/to>/your.public.gpg.asc'
host "db-host", hostname: "db.example.com"
job "db-backup" do
resource "database", name: "my-database", host: "db-host"
remotely as: "user" do
mysql_dump user: "mysql-user", password: "secret"
tar_gz delete_source: true
end
move to: "localhost", using: "scp", as: "user"
locally do
encrypt delete_source: true
end
end
Remote encryption
The previous backup job could be run with the encryption occuring on the remote host:
encrypt with: '</path/to>//your.public.key.gpg.asc'
host "db-host", hostname: "db.example.com"
job "db-backup" do
resource "database", name: "my-database", host: "db-host"
remotely as: "user" do
mysql_dump user: "mysql-user", password: "secret"
tar_gz delete_source: true
encrypt delete_source: true
end
move to: "localhost", using: "scp", as: "user"
end
Decrypt backup files
Using ElectricSheep.IO (electric_sheep
)
electric_sheep
)ES.IO provides a CLI command to decrypt encrypted backup files. The path to the encrypted input, the desired output and the private key corresponding to the public key ES.IO used to created the backup file should be specified. For example:
electric_sheep decrypt -k /path/to/private-key.gpg /var/backups/mydb-20150624-040007.gpg mydb.tar.gz
GPG Passphrase
GPG private keys with a passphrase are not supported yet. Please preferably use the GPG client as shown below if your private key is protected with a passphrase (it should).
Using GPG
ES.IO uses standard GPG to encrypt files, thus you may use a standard GPG client to decrypt files (provided that your private key has been imported into your keyring):
gpg --output mydb.tar.gz -d /var/backups/mydb-20150624-040007.gpg
Updated less than a minute ago