Open rayderua opened 3 years ago
I would also love that. The backups are currently uploaded to S3, and they contain sensitive data. I already do that for other backups. For MariaDB I do something like `mariabackup ... | zstd | gpg --encrypt -r --batch --yes --output myfile.gpg`. I will see; maybe I can add it sometime in the future and add a PR. It shouldn't be too difficult because golang already has the crypto/openpgp package.
Do you want exactly GPG encryption? I'm thinking of adding AES encryption.
The nice thing about GPG is the asymmetric encryption. We generated a 4096-bit RSA pair (public and private), but we only keep the public key on the server. This allows for encryption only. The private key is kept elsewhere, somewhere safe, in case we ever need to decrypt these backups. The main use is not just backup, but also protection against cyber and ransomware, thanks to S3's object lock (retention, compliance mode). This and the Glacier storage class allow for long-term backups that are safe against cyber / ransom attacks.
Asymmetric encryption (GPG) is much slower than symmetric encryption (AES). So usually asymmetric encryption is used for establishing secure connections only, but symmetric encryption is used for transmitting large data. For example, this method is used in HTTPS. Thus, symmetric encryption is more suitable for encrypting backups, I think.
I totally agree with mastertheknife. The main idea is to keep the private key in a secure place and get secure backups. I am willing to sacrifice time for the sake of security.
> Asymmetric encryption (GPG) is much slower than symmetric encryption (AES).
While that is true, GPG uses hybrid encryption under the hood. It generates a random key and IV, uses those to encrypt your payload using AES or another symmetric cipher and then encrypts the key and IV using RSA / ECDH / other algorithms.
WAL-G is also written in Go and it supports the encryption of incremental backups using libsodium and OpenPGP; it may help to take a look at the implementation.
It would be just great if we could encrypt backups with a GPG key.