rubackup - ruby based backup program for Linux
This module provides support for encrypting local backups created by rubackup using GnuPG. GnuPG implements public key encryption. This is attractive because the key that performs the encryption every time a backup is created is the public key, which does not have to be secret. The private key is used to decrypt your backup. This should happen only when you want to restore or test a backup. You won’t need to access the private key very often, so you can keep it in a very secure place.
This is an encrypt module which means it must be combined with a backup module in a backup entry. The backup module will produce a backup file locally and this module will then encrypt the local backup.
The public key must be installed on all servers running rubackup. This is not a problem, as the public key does not have to be secret. The private key must be secret and hence it must be managed very carefully. For ideal security the key pair should be generated on an offline computer, then copied to DVD or USB media and stored in a safe deposit box. As you may have to use the private key from time to time to decrypt your backup, you can also copy the private key to a smart card such as a yubikey-neo. The smart card has to be connected to a USB port whenever you want to decrypt a file. The hardware smart card performs the decryption, so the private key is never visible to the computer, even if the computer has been compromised. It is also recommended to generate a master key and multiple subkeys in order to be able to change the encryption subkey without having to also change the master key.
This module only requires one configuration argument which provides the name of the recipient so GnuPG can determine which public key must be used to perform the encryption. You can use the optional argument if you have to pass other options to the
Naturally the GnuPG application must have been installed on the system, and the keys must have been imported by the root user so GnuPG can find them. GnuPG key management is out of the scope of this manual, so you should read the GnuPG manual if necessary.
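As an added example (not part of rubackup or its documentation), the Ruby code below audits a backup host for the key placement described above: a usable encryption key for the recipient is present, and no secret key is stored on the host. It parses `gpg --with-colons` listings; the sample listings, key IDs and function names are constructed for illustration, and the field positions are those of GnuPG's colon-delimited listing format.

```ruby
# Added example (not rubackup code): audit GnuPG colon listings on a backup host.
# Fields per GnuPG's doc/DETAILS: 1=record type, 2=validity, 5=key ID,
# 12=capabilities, 15=token serial ('#' = stub only, '+' = secret key present).

# Constructed output of: gpg --list-keys --with-colons 'John Smith'
SAMPLE_PUBLIC = <<~LISTING
  pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:
  uid:u::::1500000000::0000::John Smith <john@example.org>:
  sub:e:4096:1:BBBBBBBBBBBBBBBB:1500000000:1600000000:::::e:
  sub:u:4096:1:CCCCCCCCCCCCCCCC:1600000000::::::e:
LISTING

# Constructed output of: gpg --list-secret-keys --with-colons 'John Smith'
# Master key is an offline stub, but the encryption subkey secret is on disk.
SAMPLE_SECRET = <<~LISTING
  sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:::#:
  ssb:u:4096:1:CCCCCCCCCCCCCCCC:1600000000::::::e:::+:
LISTING

UNUSABLE = %w[i d r e].freeze # invalid, disabled, revoked, expired

def records(listing)
  listing.each_line.map { |line| line.chomp.split(':', -1) }
end

# Key IDs that can encrypt (lowercase 'e' capability) and are still usable.
def usable_encryption_keys(listing)
  records(listing)
    .select { |f| %w[pub sub].include?(f[0]) }
    .select { |f| f[11].to_s.include?('e') && !UNUSABLE.include?(f[1]) }
    .map { |f| f[4] }
end

# Key IDs whose secret part is stored on this host (not a stub, not on a card).
def secret_keys_on_disk(listing)
  records(listing)
    .select { |f| %w[sec ssb].include?(f[0]) }
    .select { |f| ['', '+'].include?(f[14].to_s) }
    .map { |f| f[4] }
end

def audit(public_listing, secret_listing)
  problems = []
  problems << 'no usable encryption key for recipient' if usable_encryption_keys(public_listing).empty?
  secret_keys_on_disk(secret_listing).each { |id| problems << "secret key #{id} is stored on this host" }
  problems
end

puts audit(SAMPLE_PUBLIC, SAMPLE_SECRET) if __FILE__ == $PROGRAM_NAME
```

On a real host, feed the functions the output of the two `gpg` commands named in the comments, run as the root user that rubackup uses.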
Here is a full example which shows how to use this module in the configuration in order to encrypt a backup previously created by the tarball module.
---
global:
  day_of_week: Fri
  day_of_month: 1
schedules:
  my_schedule:
    daily: 7
    weekly: 5
    monthly: 12
entries:
  awstats:
    backup_type: ModuleBackupTarball
    backup_opts:
      includes:
      - /data/awstats
    backup_schedule: my_schedule
    bakfile_dir: /backup/backup-web
    bakfile_owner: root
    bakfile_group: root
    bakfile_mode: 0600
    bakfile_basename: webbkp-awstats-data
    encrypt_type: ModuleEncryptGnupg
    encrypt_opts:
      recipient: 'John Smith'
      command_opts:
      - '--utf8-strings'
      - '-z0'