-
Notifications
You must be signed in to change notification settings - Fork 143
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secure Backup with a password #60
Comments
You can use schickling/postgres-backup-s3 and upload to a S3 bucket protected using SSE (server-side-encryption) with AWS KMS. |
This is an option but not what I really need. I want to just have a password protected "gzip" file |
Here is an example of that. It would be great to have this feature in this image. |
I'm not sure if it makes sense to add it to this image itself. Since this image does not actually transfer the files and stores only them locally, there is little benefit from encrypting the files — any adversary with access to run the image could also decrypt the files directly. You can encrypt the files before transferring them to S3 or Google Cloud with a simple script. GOOGLE_CLOUD_STORAGE_BUCKET="my-bucket-name"
lastDailyBackup="$($find "backups/daily" -type f -printf '%T+ %p\n' | sort -r | head -n 1 | cut -d' ' -f2)"
if [[ ! -f "$lastDailyBackup" ]]; then
echo "No latest daily backup file found!"
exit 1
fi
if [[ -n "$BACKUP_ENCRYPTION_KEY" ]]; then
gpg --batch --yes --passphrase "$BACKUP_ENCRYPTION_KEY" --symmetric "$lastDailyBackup"
lastDailyBackup="$lastDailyBackup.gpg"
fi
gsutil cp -n "$lastDailyBackup" "gs://$GOOGLE_CLOUD_STORAGE_BUCKET/$dailyFileName" |
does the decryption/private key have to live on the server? could one not encrypt it using a public key? this would be a really nice feature (preferably a hardened encryption over simple password protection), there's no reason to have my backups sitting on a server in plain text. |
Pretty late to the party, but I've been playing with this a while back with a small extension (added a POST_DUMP_HOOK) so that I can call a script to do the encryption with a public key. Needs some care and attention, still, and I cannot publish the encryption scripts. Basically: use openssl to generate a symmetric key, encrypt the dump with that key, encrypt the key with the public key from an X.509 cert, tar the lot with some info of how to unpack, and finally remove all temp-files |
It is possible to secure the created "gz" file with a password, so it can be transferred to a cloud backup server or kept in another place?
The text was updated successfully, but these errors were encountered: