ProgrammersOfVilnius/pov-simple-backup

Encrypted backups

frgtn opened this issue · 3 comments

frgtn commented

It would be nice if pov-simple-backup supported encrypting backups via GPG before uploading them via rsync/scp.

I've hacked something up for this on one server. The scheme:

  • do the backup to /backup/YYYY-MM-DD as usual
  • run a python script /usr/local/sbin/encryptdir.py to gpg-encrypt every file in /backup/YYYY-MM-DD/* to /backup/YYYY-MM-DD-gpg/*.gpg
  • set BACKUP_SUFFIX=-gpg before running copy_backup_to
  • add clean_up_old_backups 7 $BACKUP_ROOT -gpg to cleanups

The encryptdir script is here: https://gist.github.com/mgedmin/2122621333086ff116e1c90b1bb0b32a

The encryptdir wrapper I used in my /etc/pov/backup is this:

# Encrypt backups for offsite storage
encryptdir() {
    indir=$1
    outdir=$2
    # Skip encryption when only estimating backup size
    if [ "$estimate_size" -eq 0 ]; then
        info "Encrypting $indir to $outdir"
        args=""
        test "$verbose" -ne 0 && args="$args -v"
        test "$dry_run" -ne 0 && args="$args -n"
        # $args is left unquoted on purpose so that it splits into separate options
        /usr/local/sbin/encryptdir.py -r "$GPG_RECIPIENTS" $args "$indir" "$outdir"
    fi
}
encryptdir "$(backupdir)" "$(BACKUP_SUFFIX=-gpg backupdir)"

Also note a bug(?) in dash where BACKUP_SUFFIX=-gpg copy_backup_to ... leaves BACKUP_SUFFIX set to -gpg, because copy_backup_to is a function, and not a real command! So do

BACKUP_SUFFIX=-gpg
copy_backup_to ...
BACKUP_SUFFIX=

Also note a bug(?) in dash where BACKUP_SUFFIX=-gpg copy_backup_to ... leaves BACKUP_SUFFIX set to -gpg, because copy_backup_to is a function, and not a real command!

Fixed in #7.

The final version differs a bit from what was sketched here: it's called encrypt_dir and it takes suffixes, not full directory names.

I hope I'm not going to regret that. (Or maybe I should start distinguishing -<suffix> from /<path> and accept either?)
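
The scoping behaviour reported in this thread (BACKUP_SUFFIX staying set after it is prefixed to a shell function call in dash) matters because that variable decides whether the plaintext or the -gpg directory is the one copied offsite. The sketch below is an added example, not code from the issue or from pov-simple-backup: `with_suffix` and `prefix_assignment_leaks` are hypothetical helpers, `backupdir` and `copy_backup_to` are constructed stand-ins for the project's functions, and the date and destination are made up.

```shell
#!/bin/sh
# Added illustration; the stand-ins below are constructed, not project code.
BACKUP_ROOT=/backup
BACKUP_SUFFIX=
DATE=2024-01-01   # constructed fixed date so the output is reproducible

# Stand-in for backupdir (assumed to print $BACKUP_ROOT/YYYY-MM-DD$BACKUP_SUFFIX).
backupdir() {
    printf '%s/%s%s\n' "$BACKUP_ROOT" "$DATE" "$BACKUP_SUFFIX"
}

# Stand-in for copy_backup_to: only reports which directory would be uploaded.
copy_backup_to() {
    printf 'would copy %s to %s\n' "$(backupdir)" "$1"
}

# Hypothetical helper: run a command or function with BACKUP_SUFFIX set,
# then restore the previous value, whichever shell is running the script.
with_suffix() {
    _ws_saved=$BACKUP_SUFFIX
    BACKUP_SUFFIX=$1
    shift
    "$@"
    _ws_status=$?
    BACKUP_SUFFIX=$_ws_saved
    return $_ws_status
}

# Hypothetical probe: returns 0 if this shell keeps a prefix assignment set
# after a function call returns (as the thread reports for dash). It runs in
# a subshell so the probe cannot change the caller's BACKUP_SUFFIX.
prefix_assignment_leaks() {
    (
        BACKUP_SUFFIX=
        BACKUP_SUFFIX=-gpg backupdir >/dev/null
        [ -n "$BACKUP_SUFFIX" ]
    )
}

if prefix_assignment_leaks; then
    echo "this shell keeps BACKUP_SUFFIX set after 'BACKUP_SUFFIX=-gpg func'"
else
    echo "this shell restores BACKUP_SUFFIX after 'BACKUP_SUFFIX=-gpg func'"
fi

# Upload the encrypted copy; later steps see the original (empty) suffix.
with_suffix -gpg copy_backup_to backup@offsite.example:/srv/backups
echo "after upload, backupdir is $(backupdir)"
```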