docker-postgres-backup-local
Secure Backup with a password
Is it possible to secure the created "gz" file with a password, so it can be transferred to a cloud backup server or kept in another place?
You can use schickling/postgres-backup-s3 and upload to an S3 bucket protected using SSE (server-side encryption) with AWS KMS.
This is an option but not what I really need. I want to just have a password-protected "gzip" file.
Here is an example of that. It would be great to have this feature in this image.
I'm not sure if it makes sense to add it to this image itself. Since this image does not actually transfer the files and only stores them locally, there is little benefit from encrypting the files — any adversary with access to run the image could also decrypt the files directly.
You can encrypt the files before transferring them to S3 or Google Cloud with a simple script.
```bash
GOOGLE_CLOUD_STORAGE_BUCKET="my-bucket-name"

# Pick the most recently modified daily backup.
lastDailyBackup="$(find "backups/daily" -type f -printf '%T+ %p\n' | sort -r | head -n 1 | cut -d' ' -f2)"
if [[ ! -f "$lastDailyBackup" ]]; then
  echo "No latest daily backup file found!"
  exit 1
fi

# Optionally encrypt symmetrically; gpg writes "<file>.gpg" next to the input.
if [[ -n "$BACKUP_ENCRYPTION_KEY" ]]; then
  gpg --batch --yes --passphrase "$BACKUP_ENCRYPTION_KEY" --symmetric "$lastDailyBackup"
  lastDailyBackup="$lastDailyBackup.gpg"
fi

# Upload under the file's base name.
dailyFileName="$(basename "$lastDailyBackup")"
gsutil cp -n "$lastDailyBackup" "gs://$GOOGLE_CLOUD_STORAGE_BUCKET/$dailyFileName"
```
> I'm not sure if it makes sense to add it to this image itself. Since this image does not actually transfer the files and only stores them locally, there is little benefit from encrypting the files — any adversary with access to run the image could also decrypt the files directly.

Does the decryption/private key have to live on the server? Could one not encrypt it using a public key?
This would be a really nice feature (preferably a hardened encryption over simple password protection); there's no reason to have my backups sitting on a server in plain text.
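
The public-key variant asked about above, as an added sketch that is not part of this thread or of the image's own code: the backup host holds only the recipient's public key, so files it encrypts cannot be decrypted with anything stored on that host. The function names, the three arguments and the key-file guard are illustrative assumptions, and it needs a GnuPG 2.x release that supports `--recipient-file`.

```shell
#!/bin/sh
# Added example: encrypt the newest backup to a PUBLIC key before upload.
# Function names and arguments are illustrative assumptions.

# Print the newest regular file in directory $1 (handles spaces in names).
latest_backup() {
  _newest=""
  for _f in "$1"/*; do
    [ -f "$_f" ] || continue
    if [ -z "$_newest" ] || [ "$_f" -nt "$_newest" ]; then _newest="$_f"; fi
  done
  [ -n "$_newest" ] || return 1
  printf '%s\n' "$_newest"
}

# Encrypt file $1 to the single public key stored in file $2; print output path.
encrypt_backup() {
  # Guard: the backup host should hold only the public half of the key pair.
  # This check catches ASCII-armored secret keys only.
  if grep -q 'PRIVATE KEY BLOCK' "$2"; then
    echo "refusing: $2 contains a private key" >&2
    return 2
  fi
  _home=$(mktemp -d) || return 1   # throwaway keyring, nothing persists
  gpg --homedir "$_home" --batch --yes \
      --recipient-file "$2" --output "$1.gpg" --encrypt "$1"
  _rc=$?
  rm -rf "$_home"
  [ "$_rc" -eq 0 ] || return 1
  printf '%s\n' "$1.gpg"
}

# Arguments: BACKUP_DIR PUBLIC_KEY_FILE BUCKET
upload_latest() {
  _latest=$(latest_backup "$1") || { echo "No backup found in $1" >&2; return 1; }
  _enc=$(encrypt_backup "$_latest" "$2") || return 1
  gsutil cp -n "$_enc" "gs://$3/$(basename "$_enc")"
}

# Run only when called with all three arguments.
if [ "$#" -eq 3 ]; then upload_latest "$@"; fi
```

Decryption then happens wherever the private key is kept, with `gpg --decrypt` on the downloaded `.gpg` file.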