Protect Your Linux Backups with Encryption

If you work with important data on your Linux servers or desktops, it is very important that you take regular backups. We have covered some backup tools and solutions that will help you do that.

Assuming you have a backup strategy and implementation in place, another important thing you need to worry about is the safety of the backups themselves. Safety has two parts. The first is the storage device or devices on which you keep them. The other is making sure that even if someone gets hold of your backups, they cannot read the data.

Let's look at how to secure your backups so that anyone snooping around your system or backup drives cannot steal your valuable information. This is done with encryption. As an extra layer of security we will encrypt your backups using gpg (GNU Privacy Guard). gpg is open-source encryption software that ships with almost all flavors of Linux and UNIX. It is quite simple to use and provides several useful options. Let's take a look at how you can use it to secure your backups.

Encrypt Your Files:

The simplest use of gpg is encrypting a single file. It could be a text file, a music file, or an archive such as a zip or tar.gz file. You can use a command like this:

# gpg -c
Enter passphrase:
Repeat passphrase:
You will be asked to enter a passphrase, which is essentially a password used to unlock the encrypted file. Enter it twice. Note that the passphrase is case sensitive. Once you are done you will find a new file in the folder you are in. It will be called something like "". This is the encrypted version of the file "". Now you can delete the original file so that your data is safe. If you don't delete the original file, it defeats the purpose of encrypting it in the first place.

NOTE: Make it a point to note down the passphrase you use someplace safe. If you forget your passphrase there is pretty much no way to recover your data. You don't want that to happen.

Decrypt Your Files:

When you want to recover your files you will need to call gpg again. Change into the folder where you have placed your encrypted backup file "". Execute the following command to decrypt it:

# gpg
gpg: CAST5 encrypted data
Enter passphrase:
At this point you will need to enter the passphrase that you set during encryption. Once you enter it, the original file "" will appear in the same folder.

Using in a Script:

Sometimes you might want to use the encryption process in your scripts, for example in your backup script. The method shown above only works when you enter the passphrase manually. For a script, embed the following line instead. One issue with this approach is that the script will contain a clear-text copy of your passphrase. Also, replace the "" with the correct file name of the backup file or the relevant variable, such as "$backupfile".

# echo | gpg --passphrase-fd 0 -c
The other line you should add to your script is one that deletes the original backup file once encryption has finished.

Possible Issues:

The encryption process requires a lot of computation and therefore uses a lot of CPU. When you encrypt a large file you will see a spike in CPU usage. If you automate encryption as part of your nightly backups, make sure that this resource is available on the machine that runs the encryption. Otherwise you might end up with too much load, affecting other important processes.

Choosing File Names:

There are a few other options you can use with gpg. For example, you can choose the file name of the encrypted output during encryption. Use the following example to do it:

# gpg -c -o backup.enc
Similarly, you can specify the file name that the decryption process should write to, using the following command:

# gpg -o backup.enc

Written by: Sukrit Dhandhania, FOSS advocate and regular contributor for TechSource.
