Encrypt your backup files

Encrypt your archives & backup files with ElectricSheep.IO

If you haven't done so, you should have a look at our Introduction to encryption in ElectricSheep.IO.

How it works

ElectricSheep.IO relies on GPG to encrypt your backup files using public key cryptography. You provide your public key to the program so that it may encrypt the backup files it creates.

Setup

Prerequisites

GPG should be installed on the target systems: the system running ES.IO and, if you plan on using remote encryption, on the remote hosts (more on that later).

Export your public key

ES.IO encrypts backup files using your public key. You should therefore export it and place it on the system running the program.

gpg --armor --output </path/to>/your.public.gpg.asc --export <your-key-email>
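Before copying the exported file to the system running ES.IO, it is worth confirming that it holds public key material only. The Python check below is an added example, not part of ElectricSheep.IO: it reads the ASCII armor and the OpenPGP packet headers (RFC 4880), and its function names, return strings and constructed sample input are assumptions made for illustration.

```python
import base64

SECRET_TAGS = {5, 7}   # secret key, secret subkey (RFC 4880, section 4.3)

def dearmor(text: str) -> bytes:
    """Decode an armored block to raw packets; the '=XXXX' CRC-24 line is skipped."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP") or "" not in lines:
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[lines.index("") + 1:-1]       # armor headers end at the blank line
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def packet_tags(raw: bytes):
    """Yield the tag of every top-level packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(raw):
        hdr = raw[i]
        if not hdr & 0x80:
            raise ValueError("invalid packet header")
        if hdr & 0x40:                         # new-format header
            tag, first = hdr & 0x3F, raw[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + raw[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(raw[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body length in a key file")
        else:                                  # old-format header, as GnuPG exports
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:
                raise ValueError("indeterminate length in a key file")
            length, i = int.from_bytes(raw[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag
        i += length

def check_exported_key(text: str) -> str:
    """'ok' only if the file starts with a public key and has no secret key packets."""
    tags = list(packet_tags(dearmor(text)))
    if SECRET_TAGS & set(tags):
        return "contains-secret-key"
    return "ok" if tags[:1] == [6] else "no-public-key"

def constructed_sample(first_byte: int) -> str:
    """Constructed input: a dummy 4-byte packet and a user ID packet, armored."""
    raw = bytes([first_byte, 4]) + b"\x04\x00\x00\x00" + b"\xb4\x03bob"
    label = "PGP PUBLIC KEY BLOCK"
    return f"-----BEGIN {label}-----\n\n{base64.b64encode(raw).decode()}\n-----END {label}-----\n"
```

To check a real export, pass the contents of your.public.gpg.asc to check_exported_key. The check looks at packet tags rather than the armor label, so a secret key saved under a public-key label is still reported.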

Encryption

In your Sheepfile indicate where ES.IO can find your public key using the encrypt verb:

# Replace </path/to> with the actual path
encrypt with: '</path/to>/your.public.gpg.asc'

From now on, ES.IO is able to encrypt files locally - on the system running it - or remotely - on the remote hosts available to ES.IO through an SSH connection.

Encrypting files on the remote hosts is the most secure option, since the archive is encrypted before it leaves the host, but, as encryption is a CPU-intensive task, it may put a significant load on your servers. Encrypting files on the system running ES.IO spares the remote hosts that additional load. If you copy or move your archives to the host running ES.IO using a secure protocol such as SCP, local encryption is probably the most efficient way of encrypting them.

Local encryption

Say you'd like ES.IO to connect to a remote host using SSH, create a dump of a MySQL database, compress it, move it to the localhost and encrypt it:

encrypt with: '</path/to>/your.public.gpg.asc'

host "db-host", hostname: "db.example.com"

job "db-backup" do
  resource "database", name: "my-database", host: "db-host"
  remotely as: "user" do
    mysql_dump user: "mysql-user", password: "secret"
    tar_gz delete_source: true
  end
  
  move to: "localhost", using: "scp", as: "user"
  
  locally do
    encrypt delete_source: true
  end
end

Remote encryption

The previous backup job could be run with the encryption occurring on the remote host:

encrypt with: '</path/to>/your.public.gpg.asc'

host "db-host", hostname: "db.example.com"

job "db-backup" do
  resource "database", name: "my-database", host: "db-host"
  remotely as: "user" do
    mysql_dump user: "mysql-user", password: "secret"
    tar_gz delete_source: true
    encrypt delete_source: true
  end
  
  move to: "localhost", using: "scp", as: "user"
end

Decrypt backup files

Using ElectricSheep.IO (electric_sheep)

ES.IO provides a CLI command to decrypt encrypted backup files. Specify the path to the encrypted input, the desired output and the private key corresponding to the public key ES.IO used to create the backup file. For example:

electric_sheep decrypt -k /path/to/private-key.gpg /var/backups/mydb-20150624-040007.gpg mydb.tar.gz

GPG Passphrase

GPG private keys with a passphrase are not supported yet. If your private key is protected with a passphrase (it should be), use the GPG client as shown below instead.

Using GPG

ES.IO uses standard GPG to encrypt files, thus you may use a standard GPG client to decrypt files (provided that your private key has been imported into your keyring):

gpg --output mydb.tar.gz -d /var/backups/mydb-20150624-040007.gpg