Secure Offsite Backups

TL;DR

Back up your data to a distant server using encryption *before* sending it. This way, even if the server is compromised, your backups remain unreadable without the decryption key.

Secure Offsite Backups: A Step-by-Step Guide

  1. Choose an Encryption Method
    • GPG (GNU Privacy Guard): A strong, free option. Good for individual files or directories.
    • OpenSSL: More complex but very flexible. Useful for encrypting entire disk images.
    • 7-Zip/RAR with Strong Encryption: Convenient if you’re already using these tools for compression.
  2. Generate an Encryption Key Pair (GPG Example)

    gpg --gen-key

    This creates a public and private key. Follow the prompts to create a strong passphrase for your key. Keep your private key extremely safe!

  3. Encrypt Your Data
    • GPG (Single File):

      gpg -e -r "Your Name" filename.txt

      This encrypts filename.txt using your public key, creating filename.txt.gpg.

    • GPG (Directory):

      tar -czvf directory.tar.gz directory && gpg -e -r "Your Name" directory.tar.gz

      This creates a compressed archive of the directory and then encrypts it, producing directory.tar.gz.gpg. The unencrypted directory.tar.gz remains on disk, so transfer only the .gpg file.

    • OpenSSL (Example):

      openssl enc -aes-256-cbc -pbkdf2 -salt -in filename.txt -out filename.enc

      You’ll be prompted for a password. Use a strong one! The -pbkdf2 option (OpenSSL 1.1.1 and later) derives the key from the password with PBKDF2 instead of the deprecated default derivation.

  4. Transfer the Encrypted Data to Your Distant Server
    • SCP (Secure Copy): A standard, secure method.

      scp filename.txt.gpg user@server_ip:/path/to/backup/directory

    • SFTP (Secure File Transfer Protocol): Similar to SCP but provides more features.
    • rsync over SSH: Efficient for incremental backups.
  5. Verify the Backup on the Distant Server
    • Log in to your distant server and check that the encrypted file exists and has a reasonable size.
    • Attempt a test decryption (see step 6) to ensure the transfer was successful. Do this on a machine that holds the private key, since the key must never be on the backup server.
  6. Decrypt Your Data (Test Recovery)
    • GPG:

      gpg -d filename.txt.gpg > filename.txt

      You’ll be prompted for your private key passphrase.

    • OpenSSL:

      openssl enc -aes-256-cbc -d -pbkdf2 -salt -in filename.enc -out filename.txt

      You’ll be prompted for the password you used during encryption. The options must match the ones used to encrypt.

  7. Automate Backups (Important!)
    • Use cron or a similar scheduler to run your backup script regularly.
    • Consider using a dedicated backup tool like rsync with appropriate options for incremental backups and encryption.
    • Example Cron Job: Run the backup script every night at 2 AM.

      0 2 * * * /path/to/your/backup_script.sh

  8. Key Management is Crucial
    • Never store your private key on the backup server! Keep it offline, encrypted, and in a secure location (e.g., a hardware security module or password manager).
    • Consider creating multiple backups of your encryption keys.
    • Regularly test your recovery process to ensure you can restore data successfully.
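
One way to write the backup script that the cron job in the Automate Backups step runs, as an added example that is not code from the original guide. It goes slightly beyond the steps above: tar is streamed straight into gpg so no plaintext archive touches the disk, and the transfer is checked by comparing SHA-256 digests rather than file size alone. The function names and the /home/me/docs path are hypothetical; it assumes sha256sum exists on both machines, SSH key authentication is set up for the cron user, and the recipient's public key is trusted in the local keyring.

```shell
#!/bin/sh
# Added example: encrypted offsite backup (hypothetical backup_script.sh).
# Assumes gpg, tar, scp, ssh and sha256sum are installed and that only the
# PUBLIC key is needed on this machine; the private key stays offline.
set -e
# Enable pipefail where the shell supports it so a tar failure is not masked.
(set -o pipefail) 2>/dev/null && set -o pipefail

# encrypt_dir SRC_DIR RECIPIENT OUT_FILE
# Streams the archive into gpg; the output file is created owner-only.
encrypt_dir() {
    umask 077
    tar -czf - -C "$(dirname "$1")" "$(basename "$1")" |
        gpg --batch --yes -r "$2" -o "$3" -e
}

# upload_and_verify FILE USER@HOST REMOTE_DIR
# Copies the ciphertext, then compares local and remote SHA-256 digests.
upload_and_verify() {
    name=$(basename "$1")
    local_sum=$(sha256sum "$1" | cut -d' ' -f1)
    scp -q "$1" "$2:$3/$name"
    remote_sum=$(ssh "$2" "sha256sum '$3/$name'" | cut -d' ' -f1)
    [ "$local_sum" = "$remote_sum" ]
}

# run_backup SRC_DIR RECIPIENT USER@HOST REMOTE_DIR
run_backup() {
    out="${TMPDIR:-/tmp}/$(basename "$1")-$(date +%Y%m%d).tar.gz.gpg"
    encrypt_dir "$1" "$2" "$out"
    if upload_and_verify "$out" "$3" "$4"; then
        rm -f "$out"
        echo "backup ok: $4/$(basename "$out")"
    else
        echo "backup FAILED verification: $out kept locally" >&2
        return 1
    fi
}

# Cron usage with placeholder values:
#   0 2 * * * /path/to/your/backup_script.sh /home/me/docs "Your Name" \
#             user@server_ip /path/to/backup/directory
if [ "$#" -eq 4 ]; then run_backup "$@"; fi
```

A matching digest only proves the ciphertext arrived intact; a periodic test decryption on a machine that holds the private key is still needed to prove the backup is restorable.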