Secure backup on remote server using zyxBackup and GPG


zyxBackup is a shell script designed to perform different types of backups. Its features include archive encryption and uploading the archive to a server using the FTP or SCP protocol. For encryption the script uses GPG (GNU Privacy Guard), the actual crypto engine, which can also be used directly from a command prompt.

Encrypting archives is useful when backups are stored on public or untrusted servers. This article shows a practical approach to this security practice that can be used for both servers and desktops.

Check installed prerequisites

To test if prerequisites are installed use the command:

whereis {tar,gzip,bc,rm,touch,logger,mysqldump,gpg,mail,scp}
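As an added example (not part of the article or of zyxBackup), the check below turns the prerequisite list into a pass/fail test. whereis exits 0 and prints only the bare name for a tool that is not installed, so it cannot fail a script; command -v does, which is what a cron-driven backup needs to detect a missing dependency before it silently produces an empty or unencrypted archive.

```shell
#!/bin/sh
# Added example, not zyxBackup code: report every listed tool that is not
# found on PATH. Returns 0 when all are present, 1 otherwise.
check_prereqs() {
    missing=""
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            missing="$missing $tool"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Usage: the same tool list the article checks with whereis.
check_prereqs tar gzip bc rm touch logger mysqldump gpg mail scp \
    || echo "install the missing tools before running zyxBackup" >&2
```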

Generate GPG keypair

A GPG key pair consists of a private key and a public key. The public key can be distributed and is used to encrypt data. The private key is kept private and is used to sign and decrypt data.
Creating the key pair involves issuing the command:

gpg --gen-key

Use the following commands to get more information about the keys:

gpg --list-key
gpg --list-secret-key

A sample output:

/home/dima/.gnupg/pubring.gpg
-----------------------------
pub   1024D/12FE2EAF 2009-07-22
uid                  Dmitriy
sub   2048g/7E685478 2009-07-22

The string 12FE2EAF on the pub line is the Key ID that will be used in the backup script.

Important: The private key should be kept safe, because without it, the encrypted archives cannot be decrypted.
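The Key ID in the listing above is the short 8-hex-digit form, and more than one key can end in the same 8 digits, so a value copied into GPGKEYID can match the wrong key. As an added example (not from the article or zyxBackup), the script below resolves a short or long Key ID against gpg's machine-readable listing (gpg --list-keys --with-colons, where field 1 is the record type and field 5 of each "pub" record is the 16-hex-digit long key ID) and only succeeds when exactly one key matches. The listing is a constructed sample, not real key material; the only real gpg call would be piping the live listing into resolve_keyid instead of SAMPLE_LISTING.

```shell
#!/bin/sh
# Added example, not zyxBackup code: resolve the GPGKEYID value against
# `gpg --list-keys --with-colons` output and reject ambiguous matches.

# Long key IDs of all public keys in a colon listing read from stdin.
list_pub_keyids() {
    awk -F: '$1 == "pub" { print $5 }'
}

# Resolve a short (8 hex) or long (16 hex) key ID against the listing on
# stdin. Prints the long ID and returns 0 only when exactly one key matches;
# returns 1 for no match and 2 for an ambiguous one.
resolve_keyid() {
    wanted=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    matches=$(list_pub_keyids | awk -v w="$wanted" \
        'substr($0, length($0) - length(w) + 1) == w { print }')
    case $(printf '%s\n' "$matches" | grep -c .) in
        0) return 1 ;;
        1) printf '%s\n' "$matches"; return 0 ;;
        *) printf '%s\n' "$matches"; return 2 ;;
    esac
}

# Constructed sample listing (not real keys). The first key ends in the
# article's short ID 12FE2EAF; the second is an unrelated key whose long ID
# happens to share the last four digits, which is enough to make "2EAF"
# ambiguous. The uid hash field is a placeholder.
SAMPLE_LISTING='pub:u:1024:17:0A1B2C3D12FE2EAF:1248220800::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000A1B2C3D12FE2EAF:
uid:u::::1248220800::PLACEHOLDERHASH::Dmitriy::::::::::0:
sub:u:2048:16:0A1B2C3D7E685478:1248220800::::::e::::::23:
pub:u:4096:1:1111222233332EAF:1690000000::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111222233332EAF:
uid:u::::1690000000::PLACEHOLDERHASH::Someone Else::::::::::0:'

# Usage: confirm the configured ID resolves to exactly one key, and put the
# long form into GPGKEYID so the backup script cannot pick up a collision.
if keyid=$(printf '%s\n' "$SAMPLE_LISTING" | resolve_keyid 12FE2EAF); then
    echo "GPGKEYID=\"$keyid\""
else
    echo "key ID did not resolve to exactly one public key" >&2
fi
```

Against a live keyring the same check is `gpg --list-keys --with-colons | resolve_keyid 12FE2EAF`; gpg's -r option accepts the long ID or the full fingerprint from the fpr record, and either is preferable to the short form in the configuration.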

Configure zyxBackup

Once the GPG key pair is generated, it is time to configure the backup script. Download and unpack zyxBackup and place it in the /opt folder:

mkdir work && cd work
wget http://cheche.free.fr/zyxBackup-0.3-81113.gz && gunzip zyxBackup-0.3-81113.gz
mv zyxBackup* /opt/zyxBackup && chmod +x /opt/zyxBackup
cd .. && rm -rf work

To configure zyxBackup to encrypt the backups and store them on a remote server using SCP, open the script and alter the variables below:

SERVERNAME="hp";
LOCALTMPDIR="/tmp";

BACKUP_FILES=1;
FILES_AND_DIRS_TO_BACKUP="/home /etc /root /opt";

ENCRYPT_ARCHIVE=1;
GPGKEYID="12FE2EAF";

UPLOAD_SCP=1;
SCPSERVER="ip.address";
SCPUSER="bkpuser";
REMOTESCPDIR="/home/bkpuser/";
SCPOPTIONS="-q";

DELETE_LOCAL_ARCHIVE_AFTER_UPLOAD=1;
CLEAN_TMP=1;

LOGEMAIL=1;
LOGEMAILTO="nospam@sysadmin.md";

Install backup script

Before installing the backup script, SSH keys should be generated. This process is described in the article Secure existing OpenSSH installation; the following commands should be issued on the local machine:

ssh-keygen -t dsa
scp ~/.ssh/id_dsa.pub bkpuser@ip.address:~/.ssh/authorized_keys2

After that, install the script by adding the following entry to the system crontab (the entry carries a user field, dima, so it belongs in /etc/crontab rather than in a per-user crontab):

1 3 * * * dima /opt/zyxBackup

The backup script will be executed daily by cron at 3:01 AM.

Testing

To test the script, run it manually:

/opt/zyxBackup

If everything is OK, the output should look like this:

08:05:22: zyxBackup v0.3 (2008-11-13) processing backup...
08:05:22: Creating archive file hp-090723.080522.tar...
08:05:22: Archiving files in hp-090723.080522.tar...
08:06:16: Compressing archive file to hp-090723.080522.tar.gz...
08:06:22: Encrypting compressed archive to hp-090723.080522.gpg...
08:06:24: Deleting hp-090723.080522.tar.gz...
08:06:24: Uploading (SCP) [hp-090723.080522.gpg] to ip.address in /home/bkpuser/...
08:07:21: Deleting hp-090723.080522.gpg...
08:07:21: End of backup. 91.15Mo backed up (Archive size : 50.42Mo). Took 0h1m59s.

To decrypt the archive, use the Key ID that was specified in the backup script:

gpg -r 12FE2EAF -d -o hp-090723.080522.tar.gz hp-090723.080522.gpg

To export and import the private key, use the following commands:

gpg --export-secret-key -a > private.key.file.asc
gpg --import --allow-secret-key-import private.key.file.asc