
Secure backup using public services


It often happens that there are many different projects that need to be backed up regularly.
Even more often, setting up your own backup service feels like too much effort, so copies are made at best from time to time and at worst not at all. For exactly such lazy people, file synchronization services such as Dropbox, Yandex.Disk and the like were invented. The idea is always the same: a file placed on one linked device appears on all the others. Hurray, problem solved.
But this raises another question: the security of the uploaded content. While you may not worry much about photos from Mallorca, you can hardly upload a production 1C database that way. So this article is a small HOW-TO on how to stay lazy and still keep your files safe.

Assumptions


When writing this HOW-TO, I assume that the reader is familiar with the basics of system administration and can independently create an account and set up a synchronization service on a remote computer. I will use CentOS 6 Linux, my own sites and the Dropbox service as the example. All of this can be done on other operating systems and with other services, and GnuPG can even be replaced with OpenSSL.

Installing software on the storage server


Install and configure Dropbox

We download and install it. By the way, even though X11 is among the dependencies, you can safely install it with --nodeps:
    [root@server ~]# wget https://www.dropbox.com/download?dl=packages/fedora/nautilus-dropbox-1.6.0-1.fedora.x86_64.rpm
    [root@server ~]# rpm -i --nodeps nautilus-dropbox-1.6.0-1.fedora.x86_64.rpm
    Dropbox installation successfully completed! You can start Dropbox from your applications menu.
    [root@server ~]# su user
    [user@server ~]$ dropbox start -i
    Downloading Dropbox... 100%
    Unpacking Dropbox... 100%
    Done!
    [user@server ~]$ dropbox stop
    [user@server ~]$ ~/.dropbox-dist/dropboxd
    This computer isn't linked to any Dropbox account...
    Please visit https://www.dropbox.com/cli_link?host_id=**************************************** to link this device.
    This computer isn't linked to any Dropbox account...
    Please visit https://www.dropbox.com/cli_link?host_id=**************************************** to link this device.

Follow the link, enter your password, and there it is:
    This computer is now linked to Dropbox. Welcome *********
    ^C
    [user@server ~]$ ~/.dropbox-dist/dropboxd &
    [user@server ~]$ exit
    [root@server ~]# rpm -e nautilus-dropbox

Installing GNUPG2 and creating keys

    [root@server ~]# yum install gpg
    [... skipped ...]
    [root@server ~]# su user

Create a key pair:
    [user@server ~]$ gpg --gen-key
    [... skipped ...]
    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    Your selection? 1
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 4096
    Requested keysize is 4096 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0)
    Key does not expire at all
    Is this correct? (y/N) y
    GnuPG needs to construct a user ID to identify your key.
    Real name: Backup Server
    Email address: backup@my.company.com
    Comment: Main backup server
    You selected this USER-ID:
        "Backup Server (Main backup server) <backup@my.company.com>"
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    You need a Passphrase to protect your secret key.
    [... skipped ...]
    gpg: key E4E021AB marked as ultimately trusted
    public and secret key created and signed.
    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    pub   4096R/E4E021AB 2014-01-29
          Key fingerprint = 0FDC B999 6FEB FBB5 1E59 48BD 71C2 6663 E4E0 21AB
    uid                  Backup Server (Main backup server) <backup@my.company.com>
    sub   4096R/C7212824 2014-01-29

If gpg complains during key generation that there is not enough entropy, create some.
I usually go to another console and run something like:
    [user@server ~]$ while true; do find / -type f; done

All that remains is to share the public key with all participants: put it in Dropbox.
    [user@server ~]$ gpg --export -o ~/Dropbox/public.gpg

Installing software on the server being backed up


In principle, everything is the same, except that you do not need to generate your own keys.
It is enough to run:
    [user@server ~]$ gpg --import ~/Dropbox/public.gpg


Backup process


It can be organized in different ways. Each server has its own Dropbox account and a folder that is shared with the backup server, named something like backup_srv1, backup_srv2 and so on. You can also use a single account on all servers; it all depends on how much data will be backed up.
The main "trick" is to encrypt files before putting them into Dropbox.
Below is an example of a script that backs up a MySQL database.
    #!/bin/bash
    # Dump one MySQL database, compress it and encrypt it to the backup server's public
    # key before it is written into the Dropbox folder shared with the backup server.
    FILE="$HOME/Dropbox/backup_srv1/mysql_$(date +%d.%m.%y).sql.gz.gpg"   # ~ does not expand inside quotes, so use $HOME
    LOG="$HOME/scripts/backup.log"
    USER="************"
    PASS="************"   # note: -p on the command line is visible in the process list; ~/.my.cnf avoids that
    DB="**********"
    KEY="0xE4E021AB"      # ID of the public key imported from ~/Dropbox/public.gpg
    export PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/core_perl
    set -o pipefail       # otherwise only gpg's exit status counts and a failed mysqldump is still logged as OK
    if mysqldump -u"${USER}" -p"${PASS}" "$DB" | gzip -c | gpg --trust-model=always --yes -e -r "$KEY" -o "$FILE"; then
        echo "$FILE : OK" >> "$LOG"
    else
        echo "$FILE : ERROR" >> "$LOG"
        rm -f "$FILE"     # do not leave a truncated archive behind to be synchronized
    fi

Note KEY: this is the ID of the public key that we generated in step 2 and imported on the server being backed up.

That's all. The backups are synchronized via Dropbox, yet the data is not readable by anyone, because the public key can only encrypt, and the private key exists only on the storage server.
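As an added check, not part of the original article: a small Python parser that confirms a file written by the script above is an OpenPGP message whose first packet names the expected recipient, so a plaintext dump or a file encrypted to the wrong key is caught before anyone relies on it. Keep in mind that gpg encrypts to the encryption subkey (C7212824 in the key listing above), not to the master key ID passed with -r, so the check must accept that ID as well; the long-form subkey ID in the sample is a constructed placeholder.

```python
# Added example (not the article's code): check that a backup file is an OpenPGP message
# addressed to the expected key. Key IDs not shown in the article are constructed.
import binascii

PKESK_TAG = 1  # RFC 4880 packet tag: Public-Key Encrypted Session Key

def first_packet(data):
    """Return (tag, body_offset) of the first OpenPGP packet, or None if the
    bytes do not start with a packet header (e.g. a plaintext SQL dump)."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    if data[0] & 0x40:                     # new-format header, tag in low 6 bits
        first = data[1]
        if first < 192:
            off = 2                        # one-octet length
        elif first < 224:
            off = 3                        # two-octet length
        elif first == 255:
            off = 6                        # five-octet length
        else:
            off = 2                        # partial body length
        return data[0] & 0x3F, off
    tag = (data[0] >> 2) & 0x0F            # old-format header, tag in bits 2-5
    off = 1 + (1, 2, 4, 0)[data[0] & 0x03] # length type 3 = indeterminate
    return tag, off

def pkesk_recipient(data):
    """Return the 16-hex-digit key ID named by a leading v3 PKESK packet, or None."""
    hdr = first_packet(data)
    if hdr is None or hdr[0] != PKESK_TAG:
        return None
    body = data[hdr[1]:]
    if len(body) < 10 or body[0] != 3:     # version octet, then 8-octet key ID
        return None
    return binascii.hexlify(body[1:9]).decode().upper()

def is_backup_for(data, expected_key_ids):
    """True when the file is encrypted to one of the expected IDs (long or short form)."""
    kid = pkesk_recipient(data)
    if kid is None:
        return False
    wanted = [k.upper()[2:] if k.upper().startswith("0X") else k.upper() for k in expected_key_ids]
    return any(kid.endswith(w) for w in wanted)

# Constructed sample: old-format PKESK header (0x85 = tag 1, two-octet length), version 3,
# the encryption subkey's ID (placeholder long form ending in C7212824), RSA algorithm
# octet and a dummy MPI; a real file continues with the encrypted data packet.
SUBKEY_ID = bytes.fromhex("00000000C7212824")
SAMPLE_ENCRYPTED = b"\x85\x00\x0d\x03" + SUBKEY_ID + b"\x01\x00\x08\xab"
SAMPLE_PLAINTEXT = b"-- MySQL dump 10.13\n"
```

On a real file, call is_backup_for(open(path, "rb").read(), ["C7212824"]) from the backup script's log step to flag anything that is not encrypted to the backup server's subkey.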

Further use of backups


There are several options. You can decrypt all received backups and put them somewhere, or you can keep them encrypted until the day they are needed. It's a matter of taste. The only thing I recommend is to keep several copies of the private key, including one on A4 paper in an envelope in the safe. If all the other copies are lost, you will be typing in a great many characters from that sheet of paper.
    [user@server ~]$ gpg --armor --export-secret-keys


Oh yes, decryption itself.
    [user@server backup_srv1]$ gpg -o ~/mysql_29.01.14.sql.gz -d mysql_29.01.14.sql.gz.gpg
    You need a passphrase to unlock the secret key for
    user: "Backup Server (Main backup server) <backup@my.company.com>"
    4096-bit RSA key, ID C7212824, created 2014-01-29 (main key ID E4E021AB)
    gpg: encrypted with 4096-bit RSA key, ID C7212824, created 2014-01-29
          "Backup Server (Main backup server) <backup@my.company.com>"

And now the important thing:
Do not decrypt your backups into folders that are synchronized with Dropbox!

Instead of conclusion


If, after reading this article, you rushed off to register an account on some service and generate keys, then you are one of those who already make backups. Congratulations!
If you are still lazy, don't despair: you will gain great experience and a lot of adrenaline. Someday.
And if you want to find out what else GnuPG can do, you can look here.

-
8033A3EF / DBD1 B794 73AD 3A5C 9279 A8E1 16B5 6AA3 8033 A3EF

Source: https://habr.com/ru/post/210744/
