zyxBackup Report
zyxBackup is a shell script designed to perform different types of backups. Its features include archive encryption and uploading the archive to a server using the FTP or SCP protocols. For encryption the backup script uses GPG (GNU Privacy Guard), a crypto engine that can be used directly from a command prompt.
Encrypting archives is useful when backups are stored on public or untrusted servers. This article shows a practical approach to this security practice, which can be used on servers and desktops.
Check installed prerequisites
To test whether the prerequisites are installed, use the command:
whereis {tar,gzip,bc,rm,touch,logger,mysqldump,gpg,mail,scp}
Generate GPG key pair
A GPG key pair consists of a private key and a public key. The public key can be distributed and is used to encrypt data. The private key is kept private and is used to sign and decrypt data.
Creating the key pair involves issuing the command:
gpg --gen-key
Use these commands to get more information about the keys:
gpg --list-keys
gpg --list-secret-keys
A sample output:
/home/dima/.gnupg/pubring.gpg
-----------------------------
pub   1024D/12FE2EAF 2009-07-22
uid                  Dmitriy
sub   2048g/7E685478 2009-07-22
The string after the slash on the pub line (12FE2EAF) is the Key ID, which will be used in the backup script.
Important: The private key should be kept safe, because without it, the encrypted archives cannot be decrypted.
Configure zyxBackup
Once the GPG key pair is generated, it is time to configure the backup script. Download and unpack zyxBackup and place it in the /opt folder:
mkdir work && cd work
wget http://cheche.free.fr/zyxBackup-0.3-81113.gz && gunzip zyxBackup-0.3-81113.gz
mv zyxBackup* /opt/zyxBackup && chmod +x /opt/zyxBackup
cd .. && rm -rf work
To configure zyxBackup to encrypt the backups and store them on a remote server using SCP, open it and alter the variables below:
SERVERNAME="hp";
LOCALTMPDIR="/tmp";
BACKUP_FILES=1;
FILES_AND_DIRS_TO_BACKUP="/home /etc /root /opt";
ENCRYPT_ARCHIVE=1;
GPGKEYID="12FE2EAF";
UPLOAD_SCP=1;
SCPSERVER="ip.address";
SCPUSER="bkpuser";
REMOTESCPDIR="/home/bkpuser/";
SCPOPTIONS="-q";
DELETE_LOCAL_ARCHIVE_AFTER_UPLOAD=1;
CLEAN_TMP=1;
LOGEMAIL=1;
LOGEMAILTO="nospam@sysadmin.md";
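The settings above can be checked mechanically before the script is scheduled. The following is an added example, not part of zyxBackup or of the original article; the function names cfg_get and audit_zyxbackup are hypothetical, and it assumes the settings are kept as VAR=value; lines and that the unencrypted archive is staged in LOCALTMPDIR:

```shell
#!/bin/sh
# Added example, not part of zyxBackup: audit the settings block before the
# script goes into cron. The file is parsed as text and never executed.

# cfg_get FILE VAR: print the value of the last VAR=value; assignment.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\";]*\).*/\1/p" "$1" | tail -n 1
}

audit_zyxbackup() {
    conf=$1 problems=0
    enc=$(cfg_get "$conf" ENCRYPT_ARCHIVE)
    scp=$(cfg_get "$conf" UPLOAD_SCP)
    key=$(cfg_get "$conf" GPGKEYID)
    tmp=$(cfg_get "$conf" LOCALTMPDIR)
    # An archive that leaves the machine must be encrypted first.
    if [ "$scp" = 1 ] && [ "$enc" != 1 ]; then
        echo "FAIL: UPLOAD_SCP=1 but ENCRYPT_ARCHIVE is not 1" >&2
        problems=$((problems + 1))
    fi
    # A gpg key ID is 8 or 16 hex digits, a fingerprint 40.
    if [ "$enc" = 1 ] && ! printf '%s\n' "$key" | grep -Eq \
        '^(0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$'; then
        echo "FAIL: GPGKEYID '$key' is not a key ID or fingerprint" >&2
        problems=$((problems + 1))
    fi
    # Assumption: the unencrypted tar.gz is staged in LOCALTMPDIR.
    if [ ! -d "$tmp" ]; then
        echo "FAIL: LOCALTMPDIR '$tmp' is not a directory" >&2
        problems=$((problems + 1))
    else
        case $(ls -ld "$tmp") in
            d???????w*) echo "WARN: LOCALTMPDIR '$tmp' is world-writable" >&2 ;;
        esac
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample that mirrors the article's settings.
demo() {
    sample=$(mktemp) || return 1
    printf '%s\n' 'LOCALTMPDIR="/tmp";' 'ENCRYPT_ARCHIVE=1;' \
        'GPGKEYID="12FE2EAF";' 'UPLOAD_SCP=1;' > "$sample"
    rc=0; audit_zyxbackup "$sample" || rc=$?
    rm -f "$sample"
    return "$rc"
}

if [ $# -gt 0 ]; then audit_zyxbackup "$1"; else demo; fi
```

Run it with the path of the file holding the settings as its only argument; a non-zero exit status means at least one FAIL line was printed.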
Install backup script
Before installing the backup script, the SSH keys should be generated. This process is described in the article "Secure existing OpenSSH installation", and the following commands should be issued on the local machine:
ssh-keygen -t dsa
scp ~/.ssh/id_dsa.pub bkpuser@ip.address:~/.ssh/authorized_keys2
After that, install the script by adding the following entry to the crontab:
1 3 * * * dima /opt/zyxBackup
The backup script will be executed daily by cron at 3:01 AM.
Testing
To test the script, run it manually:
/opt/zyxBackup
If everything is OK, the output should look like this:
08:05:22: zyxBackup v0.3 (2008-11-13) processing backup...
08:05:22: Creating archive file hp-090723.080522.tar...
08:05:22: Archiving files in hp-090723.080522.tar...
08:06:16: Compressing archive file to hp-090723.080522.tar.gz...
08:06:22: Encrypting compressed archive to hp-090723.080522.gpg...
08:06:24: Deleting hp-090723.080522.tar.gz...
08:06:24: Uploading (SCP) [hp-090723.080522.gpg] to ip.address in /home/bkpuser/...
08:07:21: Deleting hp-090723.080522.gpg...
08:07:21: End of backup. 91.15Mo backed up (Archive size : 50.42Mo). Took 0h1m59s.
To decrypt the archive, use the Key ID that was specified in the backup script:
gpg -r 12FE2EAF -d -o hp-090723.080522.tar.gz hp-090723.080522.gpg
To export and import the private key, use the commands below:
gpg --export-secret-key -a > private.key.file.asc
gpg --import --allow-secret-key-import private.key.file.asc