I have a dedicated server I use to host a few things, like friends wordpress sites, some personal websites, etc. One of the services the hosting company provides is access to a backup server via ftp, ie. they give me some free space to backup files to.
But I don’t want to just drop backup files there in plaintext–I want them to be encrypted with gpg. Enter gpg-zip!
gpg-zip is handy utility that can tar a directory and then encrypt the resulting file. That file could then be placed anywhere, and, if gpg is working properly, unless someone has access to the private key of the public key that it was encrypted with (or they were set as the recipient), they should not be able to decrypt it. It’s important to note that the encrypted file is only as secure as the private key. Obviously is someone has access to the private key then they can decrypt the file.
First, I have a key that I’m going to use for this example. Creating keys and subkeys securely is a bit beyond the scope of this article. Here’s a good blog post on creating new gpg keys, and another here.
Below is the key I will use.
# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/4FCDA707 2014-05-04
uid curtis <curtis-backups@serverascode.com>
sub 2048R/25AEB942 2014-05-04
It’s important to note that that key is not itself encrypted–it does not have a passphrase set, so it can be used by anyone who has access to a copy of the key. This is not a good thing to do with an important key, but in this case I am going to want to automate this process, and there is no good way, that I’m aware of, to have an automated process decrypt the key without the passphrase also being stored in cleartext. That being said, encrypting the file does not require the password to unlock the private key, but decrypting in an automated fashion would.
Let’s create a test directory with some files in it to gpg-zip.
# cd /tmp; mkdir test
# for i in $(seq 1 100); do echo "hi $i" > test/$i.txt; done
# ls test | wc -l
100
Now that we have a directory filled with files to backup it can be encrypted with gpg. I’m essentially encrypting the file with myself as the recipient, ie. a message to myself.
# gpg-zip --encrypt --recipient curtis-backup@serverascode.com test > test.tar.gz.gpg
# file test.tar.gz.gpg
test.tar.gz.gpg: data
I can also use gpg-zip to list the files (but obviously I can only do that if I can decrypt it):
# gpg-zip --list-archive test.tar.gz.gpg | tail
gpg: encrypted with 2048-bit RSA key, ID 25AEB942, created 2014-05-04
"curtis <curtis-backup@serverascode.com>"
test/57.txt
test/26.txt
test/84.txt
test/6.txt
test/16.txt
test/4.txt
test/18.txt
test/20.txt
test/45.txt
test/76.txt
And I can restore the files as well. I’ll do that in a restore directory.
# mkdir restore; cd restore
# gpg-zip --decrypt /tmp/test.tar.gz.gpg
gpg: encrypted with 2048-bit RSA key, ID 25AEB942, created 2014-05-04
"curtis <curtis-backup@serverascode.com>"
test/
test/22.txt
test/74.txt
test/47.txt
test/5.txt
SNIP!
Looks good. Now that I have a feeling for how gpg-zip works I can start automating my backups, encrypting them, and shipping them off to the remote ftp server.
gpg-zip is an easy way to encrypt directories. The resulting file can then be shipped across the (unencrypted) wire and stored on a remote system, and I should feel reasonably confident that unless someone surreptitiously accesses my server and steals my gpg keys, that the file will remain secure. There are a few caveats of course, but overall I think this workflow is reasonable.
If you see any mistakes or other issues with this post, please let me know in the comments. :)