Encrypted backups
frgtn opened this issue · 3 comments
It would be nice if pov-simple-backup supported encrypting backups via GPG before uploading them via rsync/scp.
I've hacked something up for this on one server. The scheme:
- do the backup to `/backup/YYYY-MM-DD` as usual
- run a python script `/usr/local/sbin/encryptdir.py` to gpg-encrypt every file in /backup/YYYY-MM-DD/* to /backup/YYYY-MM-DD-gpg/*.gpg
- set `BACKUP_SUFFIX=-gpg` before running `copy_backup_to`
- add `clean_up_old_backups 7 $BACKUP_ROOT -gpg` to cleanups
The encryptdir script is here: https://gist.github.com/mgedmin/2122621333086ff116e1c90b1bb0b32a
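The encryptdir wrapper I used in my `/etc/pov/backup` is this:

```sh
# Encrypt backups for offsite storage
encryptdir() {
    indir=$1
    outdir=$2
    # Skip the encryption step when only estimating backup size
    if [ $estimate_size -eq 0 ]; then
        info "Encrypting $indir to $outdir"
        args=""
        test $verbose -ne 0 && args="$args -v"
        test $dry_run -ne 0 && args="$args -n"
        # $args is left unquoted on purpose so it splits into separate flags
        /usr/local/sbin/encryptdir.py -r "$GPG_RECIPIENTS" $args "$indir" "$outdir"
    fi
}
# The second $(...) is a subshell, so BACKUP_SUFFIX does not leak from it
encryptdir "$(backupdir)" "$(BACKUP_SUFFIX=-gpg backupdir)"
```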
Also note a bug(?) in dash where `BACKUP_SUFFIX=-gpg copy_backup_to ...` leaves BACKUP_SUFFIX set to -gpg, because copy_backup_to is a function, and not a real command! So do

```sh
BACKUP_SUFFIX=-gpg
copy_backup_to ...
BACKUP_SUFFIX=
```
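The leak described in the comment above, next to a save-and-restore wrapper that behaves the same whether or not the shell keeps the assignment. This is an added example, not part of the original thread or of pov-simple-backup: `backupdir` and `copy_backup_to` are stand-ins, and `with_backup_suffix`, `prefix_assignment_leaks`, the date and the `offsite:/backups` destination are hypothetical.

```sh
#!/bin/sh
# Added example; backupdir and copy_backup_to are stand-ins (assumptions),
# not the real pov-simple-backup functions.
BACKUP_ROOT=/backup
BACKUP_SUFFIX=

backupdir() {
    # Fixed, constructed date so the output is reproducible.
    printf '%s/2024-01-31%s\n' "$BACKUP_ROOT" "$BACKUP_SUFFIX"
}

copy_backup_to() {
    # Only reports which directory would be uploaded.
    printf 'would copy %s to %s\n' "$(backupdir)" "$1"
}

_noop() { :; }

# Succeeds if this shell keeps a VAR=value prefix assignment after a
# function call returns (the behaviour reported for dash above).
prefix_assignment_leaks() {
    _probe=before
    _probe=after _noop
    [ "$_probe" = after ]
}

# Hypothetical helper: run "$@" with BACKUP_SUFFIX set to $1, then restore
# the previous value, so later steps never see the temporary suffix.
with_backup_suffix() {
    _saved_suffix=$BACKUP_SUFFIX
    BACKUP_SUFFIX=$1
    shift
    "$@"
    _status=$?
    BACKUP_SUFFIX=$_saved_suffix
    return "$_status"
}

if prefix_assignment_leaks; then
    echo "this shell keeps prefix assignments after function calls"
else
    echo "this shell drops prefix assignments after function calls"
fi
with_backup_suffix -gpg copy_backup_to offsite:/backups
echo "BACKUP_SUFFIX afterwards: '$BACKUP_SUFFIX'"
```

Because the wrapper restores whatever value was there before, a later `clean_up_old_backups` or `copy_backup_to` call cannot silently pick up the `-gpg` directory (or miss it) depending on which shell runs the script.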
Fixed in #7.
The final version differs a bit from what was sketched here: it's called `encrypt_dir` and it takes suffixes, not full directory names.
I hope I'm not going to regret that. (Or maybe I should start distinguishing `-<suffix>` from `/<path>` and accept either?)