File encryption

Encrypt backup files using GPG

File encryption is not to be confused with credentials encryption. You should use a different key pair for both use cases. See our Introduction to encryption for more.

encrypt (shell-level)

Typical usage

Encrypt a file

host "app-host", hostname: "www.example.com"

job "config-backup" do
  resource "file", path: "/etc/config/file", host: "app-host"
  remotely as: "user" do
    encrypt with: '/path/to/public_key'
  end
end

📘

Public key deployment

Please note that you don't have to deploy the public key on the remote server, only on the machine running ES.IO. Thus the path to the public key should point to the public key on the machine running it.

Input resources

Resources of type file are allowed. Use a compression command if you need to encrypt the contents of a directory.

Output resource

A resource of type file.

Command options

OptionDescription
withThe path to the public key, on the machine running ES.IO.Required: yes
The option can be specified globally (see below).
delete_sourceIndicate whether the source file should be deleted after encryption. Use with caution.Required: no
Defaults to: false

encrypt (top-level)

When used at the top-level of the Sheepfile, encrypt allows you to specify a default GPG public key to use for all your backup jobs.

Typical usage

Encrypt a file

encrypt with: '/path/to/public_key'

host "app-host", hostname: "www.example.com"

job "config-backup" do
  resource "file", path: "/etc/config/file", host: "app-host"
  remotely as: "user" do
    encrypt
  end
end