Recipe 7.25 Encrypting Backups
7.25.1 Problem
You want to create an encrypted
backup.
7.25.2 Solution
Method 1: Pipe through gpg.
To write a tape: $ tar cf - mydir | gpg -c | dd of=/dev/tape bs=10k To read a tape: $ dd if=/dev/tape bs=10k | gpg --decrypt | tar xf - To write an encrypted backup of directory mydir
onto a CD-ROM: #!/bin/sh
mkdir destdir
tar cf - mydir | gpg -c > destdir/myfile.tar.gpg
mkisofs -R -l destdir | cdrecord speed=${SPEED} dev=${SCSIDEVICE} -where SPEED and SCSIDEVICE
are specific to your system; see cdrecord(1).
Method 2: Encrypt files separately.
Make a new directory containing links to your original files: $ cp -lr mydir newdir In the new directory, encrypt each file, and remove the links to the
unencrypted files: $ find newdir -type f -exec gpg -e '{}' \; -exec rm '{}' \;Back up the new directory with the encrypted data: $ tar c newdir
7.25.3 Discussion
Method 1 produces a backup that may be considered fragile: one big
encrypted file. If part of the backup gets corrupted, you might be
unable to decrypt any of it.
Method 2 avoids this problem. The cp -l option
creates hard links, which can only be used within
a single filesystem. If you want the encrypted files on a separate
filesystem, use symbolic links instead:
$ cp -sr /full/path/to/mydir newdir
$ find newdir -type l -exec gpg -e '{}' \; -exec rm '{}' \;
Note that a full, absolute pathname must be used for the original
directory in this case.
gpg does not preserve the owner, group,
permissions, or modification times of the files. To retain this
information in your backups, copy the attributes from the original
files to the encrypted files, before the links to the original files
are deleted:
# find newdir -type f -exec gpg -e '{}' \; \
-exec chown --reference='{}' '{}.gpg' \;
-exec chmod --reference='{}' '{}.gpg' \;
-exec touch --reference='{}' '{}.gpg' \;
-exec rm '{}' \;
Method 2 and the CD-ROM variant of method 1 use disk space (at least
temporarily) for the encrypted files.
7.25.4 See Also
gpg(1), tar(1), find(1), cdrecord(1).
|
