Backup encryption?

Hi all,

I just wanted to check on the status of my feature request a while back about encrypting backups before they are uploaded offsite. Just curious if this has made it to the table yet to be considered?

Status: Active

Comments

Sorry, no .. we don't have any support for backup encryption yet.

The best way to do it right now would be to have Virtualmin backup to a local directory, and then write a post-backup script that does the encryption and then uploads to the remote destination.

We haven't done any work on it yet ..

Hey Jamie,

I went ahead and wrote my own bash script that does it. I changed the backups to write to a local folder, then to call this script with either "full" or "incremental" after the backups are finished depending on which backup ran. It creates a tar of the whole folder, and uses standard GPG keys to encrypt the tar file. It then does an md5sum check between the local backup and the offsite backup it uploaded, deletes the local copies, and also deletes any files older than 7 days on the offsite location.

Works great for what I specifically need. Feel free to adopt it to add this feature if you think it'll be helpful :-)

Note that you will more than likely need to edit the fields that are being gawked out for the remote backup server, as the server I use for remote backups is running FreeBSD, and the "md5" command spits back different fields than Red Hat's md5sum.


#!/bin/bash
# Post-backup script: call with "full" or "incremental" once the local backup has finished.
today=`date +%Y-%m-%d`
fullpath="/root/backup/full"
incrementalpath="/root/backup/incremental"

if [ "$1" == "full" ]
then

    # Build the tar outside the backup folder, then move it in; $? covers both steps
    tar -cvf "/root/$today-full.tar" "$fullpath" && mv "/root/$today-full.tar" "$fullpath/$today-full.tar"

    if [ $? -eq 0 ]
    then
        # Encrypt to the GPG public key "keyname" and record the local checksum
        gpg -r keyname --output "$fullpath/$today-full.tar.enc" --encrypt "$fullpath/$today-full.tar"
        md5=`md5sum "$fullpath/$today-full.tar.enc" | gawk '{print $1}'`

        scp "$fullpath/$today-full.tar.enc" username@backup.server.com:/usr/home/username/backup/full/

        # FreeBSD's md5 prints the hash in field 4; adjust for other remote systems
        md5up=`ssh username@backup.server.com "md5 /usr/home/username/backup/full/'$today'-full.tar.enc" | gawk '{print $4}'`

        # An empty checksum means encryption or upload failed, so treat it as a mismatch
        if [ -z "$md5" ] || [ "$md5" != "$md5up" ]
        then
            echo "$today-full.tar.enc failed md5 check" | /bin/mail -s "Server Backup Failure" "alert@email.com"
        else
            # Upload verified: prune offsite files older than 7 days, then remove the local copies
            ssh username@backup.server.com 'find /usr/home/username/backup/full/ -type f -mtime +7 -delete'
            rm -f /root/backup/full/*
        fi
    else
        echo "$today-full.tar.enc failed tar creation" | /bin/mail -s "Server Backup Failure" "alert@email.com"
    fi
fi

if [ "$1" == "incremental" ]
then

    # Same steps as above for the incremental backup folder
    tar -cvf "/root/$today-incremental.tar" "$incrementalpath" && mv "/root/$today-incremental.tar" "$incrementalpath/$today-incremental.tar"

    if [ $? -eq 0 ]
    then
        gpg -r keyname --output "$incrementalpath/$today-incremental.tar.enc" --encrypt "$incrementalpath/$today-incremental.tar"
        md5=`md5sum "$incrementalpath/$today-incremental.tar.enc" | gawk '{print $1}'`

        scp "$incrementalpath/$today-incremental.tar.enc" username@backup.server.com:/usr/home/username/backup/incremental/

        md5up=`ssh username@backup.server.com "md5 /usr/home/username/backup/incremental/'$today'-incremental.tar.enc" | gawk '{print $4}'`

        # An empty checksum means encryption or upload failed, so treat it as a mismatch
        if [ -z "$md5" ] || [ "$md5" != "$md5up" ]
        then
            echo "$today-incremental.tar.enc failed md5 check" | /bin/mail -s "Server Backup Failure" "alert@email.com"
        else
            ssh username@backup.server.com 'find /usr/home/username/backup/incremental/ -type f -mtime +7 -delete'
            rm -f /root/backup/incremental/*
        fi
    else
        echo "$today-incremental.tar.enc failed tar creation" | /bin/mail -s "Server Backup Failure" "alert@email.com"
    fi
fi
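
Added example, not part of the original post or of Virtualmin: the post notes that FreeBSD's "md5" and GNU "md5sum" print the hash in different fields, so this sketch parses either output format and compares the two fail-closed, so that an empty or malformed checksum never counts as a match. The function names `extract_digest` and `digests_match` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: format-independent checksum comparison for the upload check.

# extract_digest LINE
# Prints the 32-hex-digit MD5 contained in LINE (lowercased), or fails.
# Handles GNU md5sum ("<hash>  <file>") and BSD md5 ("MD5 (<file>) = <hash>").
# The body runs in a subshell, so its variables do not leak to the caller.
extract_digest() (
    line=$1
    case $line in
        'MD5 ('*') = '*) hash=${line##* = } ;;   # BSD: hash follows the last " = "
        *)               hash=${line%% *} ;;     # GNU: hash is the first word
    esac
    hash=$(printf '%s' "$hash" | tr 'A-F' 'a-f')
    # Reject anything that is not exactly 32 hex digits (error text, empty output)
    [ "${#hash}" -eq 32 ] || exit 1
    case $hash in *[!0-9a-f]*) exit 1 ;; esac
    printf '%s\n' "$hash"
)

# digests_match LOCAL_LINE REMOTE_LINE
# Succeeds only when both lines contain a valid digest and the digests are equal.
digests_match() {
    dm_local=$(extract_digest "$1") || return 1
    dm_remote=$(extract_digest "$2") || return 1
    [ "$dm_local" = "$dm_remote" ]
}

# Constructed sample lines (not real backup output)
gnu_line='9e107d9d372bb6826bd81d3542a419d6  /root/backup/full/2024-01-01-full.tar.enc'
bsd_line='MD5 (/usr/home/username/backup/full/2024-01-01-full.tar.enc) = 9e107d9d372bb6826bd81d3542a419d6'

if digests_match "$gnu_line" "$bsd_line"; then
    echo "checksums match"
else
    echo "checksum mismatch or unreadable checksum"
fi
```

In the script above, the whole output lines of the local `md5sum` and the remote `md5` would be passed to `digests_match` in place of the two gawk field extractions.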

Did you also look at the duply/duplicity combo?

I've never heard of duply. I just decided to roll my own :-)

It would be an awesome feature if Virtualmin did this out of the box :)