
When backups are stored on public or untrusted servers, it is important to secure them. zyxBackup is a shell script that performs different types of backups and includes useful features such as archive encryption, FTP/SCP uploading and email notification.
This cheatsheet shows a practical approach to this security practice that can be used on servers and desktops:
Check installed prerequisites
To test if prerequisites are installed use the command:
whereis {tar,gzip,bc,rm,touch,logger,mysqldump,gpg,mail,scp}
Generate GPG key pair
A GPG key pair consists of a private key and a public key. The public key can be distributed and is used to encrypt data. The private key is kept private and is used to sign and decrypt the data. For more information about GPG commands, see the GPG Cheatsheet.
Create the key pair:
gpg --gen-key
Get more information about the keys:
gpg --list-key
gpg --list-secret-key
A sample output:
/home/user/.gnupg/pubring.gpg
-----------------------------
pub 1024D/12FE2EAF 2009-07-22
uid Dmitri
sub 2048g/7E685478 2009-07-22
12FE2EAF is the Key ID which will be used in the backup script.
Keep the private key in a safe place, because without it the encrypted archives cannot be decrypted.
Install zyxBackup
Download and unpack zyxBackup and place it in /opt. The download uses plain HTTP, so read through the script before running it.
mkdir work && cd work
wget http://cheche.free.fr/zyxBackup-0.3-81113.gz && gunzip zyxBackup-0.3-81113.gz
mv zyxBackup* /opt/zyxBackup && chmod +x /opt/zyxBackup
cd .. && rm -rf work
Configure zyxBackup
Open the file /opt/zyxBackup and alter the following variables:
SERVERNAME="domain.tld";
LOCALTMPDIR="/tmp";
BACKUP_FILES=1;
FILES_AND_DIRS_TO_BACKUP="/home /etc /root /opt";
ENCRYPT_ARCHIVE=1;
GPGKEYID="Key ID"; # use command gpg --list-key to get this
UPLOAD_SCP=1;
SCPSERVER="ip.add.re.ss";
SCPUSER="backup_user";
REMOTESCPDIR="/home/backup_user/";
SCPOPTIONS="-q";
DELETE_LOCAL_ARCHIVE_AFTER_UPLOAD=1;
CLEAN_TMP=1;
LOGEMAIL=1;
LOGEMAILTO="email@domain.tld";
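A pre-flight check for the variables above, as an added example that is not part of zyxBackup or of the original cheatsheet. The helper names get_var and check_zyx_config are hypothetical, and the sample configuration is constructed from the values shown on this page:

```shell
#!/bin/sh
# Added example, not part of zyxBackup: lint the variables from "Configure zyxBackup".
# get_var and check_zyx_config are hypothetical helper names.

# Print the value of NAME from a line such as NAME="value"; or NAME=1;
get_var() {  # usage: get_var NAME FILE
    sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\";]*\).*/\1/p" "$2" | head -n 1
}

# Print one line per finding; the exit status is the number of FAIL findings.
check_zyx_config() {  # usage: check_zyx_config FILE
    f=$1; n=0
    enc=$(get_var ENCRYPT_ARCHIVE "$f")
    key=$(get_var GPGKEYID "$f")
    # An archive that leaves the host must be encrypted first.
    if [ "$(get_var UPLOAD_SCP "$f")" = 1 ] && [ "$enc" != 1 ]; then
        echo "FAIL: UPLOAD_SCP=1 but ENCRYPT_ARCHIVE is not 1"; n=$((n + 1))
    fi
    # The "Key ID" placeholder must be replaced by a hex key ID such as 12FE2EAF.
    if [ "$enc" = 1 ]; then
        case $key in
            ''|*[!0-9A-Fa-f]*) echo "FAIL: GPGKEYID '$key' is not a hex key ID"; n=$((n + 1)) ;;
        esac
    fi
    # With the local copy deleted, the remote archive is the only copy, so the
    # private key is the only way back to the data.
    if [ "$(get_var DELETE_LOCAL_ARCHIVE_AFTER_UPLOAD "$f")" = 1 ] && [ "$enc" = 1 ]; then
        echo "NOTE: local archive is deleted after upload; keep an offline copy of the private key"
    fi
    # cron executes this file, so only its owner may be able to modify it.
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "FAIL: $f is group- or world-writable"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: part of the configuration block from this page, unedited.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ENCRYPT_ARCHIVE=1;
GPGKEYID="Key ID"; # use command gpg --list-key to get this
UPLOAD_SCP=1;
DELETE_LOCAL_ARCHIVE_AFTER_UPLOAD=1;
EOF
check_zyx_config "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it against the edited script with check_zyx_config /opt/zyxBackup before adding the cron entry.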
Setup for automatic backups
Generate SSH keys so that the SCP upload can run from cron without a password prompt. Use the cheatsheet Public-key authentication over ssh for reference.
Schedule the script by adding the following entry to /etc/crontab:
1 3 * * * user /opt/zyxBackup
The backup script will be executed by cron daily at 3:01 AM.
Test
To test the script, run it manually:
/opt/zyxBackup
If everything is OK, you should receive a notification email at the address set in LOGEMAILTO.
To decrypt the archive, use the Key ID that was entered in the backup script:
gpg -r 12FE2EAF -d -o domain.tld-090723.080522.tar.gz domain.tld-090723.080522.gpg