Encrypted files with Flexbackup

Published by cybso on
This is a post from my original site, which was hosted by the former blog service of the University of Osnabrück. I have moved it to the new site for archiving. Pages linked in this article may no longer work today, and the blog comments under the article no longer exist. Opinions expressed in this article reflect the point of view of the time of publication and do not necessarily reflect my opinion today.

Flexbackup is a very nice and flexible tool for creating full, incremental and differential backups. But if you store your backups in an untrusted environment, you might want to encrypt the created archive files. Flexbackup cannot do this by default, but there is a very simple way to get the desired result: replace the default gzip binary with a wrapper script.

In this example I'm using mcrypt with the symmetric block cipher DES. Replace it with gnupg if you want asymmetric encryption, but remember: if someone gains root access to read the key, he doesn't need to decrypt your backup files - he already has access to the originals.

Create a file named /usr/local/bin/gzip_crypt:

#!/bin/sh
# Pass flexbackup's gzip flags through unchanged, then encrypt stdin to stdout
gzip "$@" | mcrypt -a des --keyfile "$HOME/mcrypt.key"

Another example that uses 256-bit AES encryption:

#!/bin/sh
# Pass flexbackup's gzip flags through unchanged, then encrypt stdin to stdout
gzip "$@" | ccencrypt --keyfile "$HOME/mcrypt.key"

Make this file executable:

$ chmod 0755 /usr/local/bin/gzip_crypt

Store an encryption key in $HOME/mcrypt.key, e.g. /root/mcrypt.key. I suggest using at least 16 random characters for it; see the mcrypt man page for details. Ensure that the key isn't readable by anyone else:

$ chmod 0600 "$HOME/mcrypt.key"

Don't - DON'T, DON'T, DON'T - enter the key as a command-line argument to mcrypt, as it would be visible in the process list to every user while mcrypt is running!

Now edit your flexbackup.conf and change the following options to these values:

$compress = 'gzip';
$comp_log = 'bzip2'; # or just 'false', gzip_crypt isn't able to handle this
$path{'gzip'} = '/usr/local/bin/gzip_crypt';

That's it:

$ flexbackup -set home
...lot of stdout stuff here...
$ file home.0.201101141830.tar.gz
home.0.201101141830.tar.gz: mcrypt 2.5 encrypted data, algorithm: des, keysize: 8 bytes, mode: cbc,

Use mdecrypt --keyfile "$HOME/mcrypt.key" < home.0.201101141830.tar.gz > home.0.201101141830-decrypted.tar.gz to decrypt the file.
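
A hardened variant of the wrapper, added here as an example and not the author's original script: it refuses to run unless the key file is private (the 0600 requirement above), never puts the key on a command line, and also handles the decompress direction. It assumes decompression is requested with gzip's -d/--decompress flags; GZIP_CRYPT_KEY and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: hardened gzip_crypt wrapper (not the article's original script).
# GZIP_CRYPT_KEY is a hypothetical override; the default is the article's key path.
KEYFILE="${GZIP_CRYPT_KEY:-$HOME/mcrypt.key}"

# Succeeds only if $1 is a regular file with no group/other permission bits set.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    case $(ls -ldn -- "$1") in
        -???------*) return 0 ;;   # e.g. -rw------- or -r--------
        *)           return 1 ;;   # symlink, directory, or group/other access
    esac
}

# Succeeds if any argument asks gzip to decompress (-d, -dc, --decompress, ...).
wants_decompress() {
    for arg in "$@"; do
        case $arg in
            --decompress|--uncompress) return 0 ;;
            --*)  ;;               # other long options never mean "decompress"
            -*d*) return 0 ;;      # short option cluster containing d
        esac
    done
    return 1
}

gzip_crypt_main() {
    if ! keyfile_is_private "$KEYFILE"; then
        echo "gzip_crypt: $KEYFILE is missing or readable by group/others" >&2
        return 1
    fi
    if wants_decompress "$@"; then
        # Restore direction: decrypt stdin first, then hand the stream to gzip.
        mcrypt -d --keyfile "$KEYFILE" | gzip "$@"
    else
        # Backup direction, same invocation as in the article.
        gzip "$@" | mcrypt -a des --keyfile "$KEYFILE"
    fi
}

# Run only when installed under the wrapper's name, so sourcing has no side effects.
case ${0##*/} in
    gzip_crypt) gzip_crypt_main "$@" ;;
esac
```

To use the AES variant instead, swap the two mcrypt calls for the article's ccencrypt line and its ccdecrypt counterpart.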