Secure Offsite Backups

G5 Cyber Security

2 weeks ago

TL;DR

Back up your data to a distant server using encryption *before* sending it. This way, even if the server is compromised, your backups remain unreadable without the decryption key.

Secure Offsite Backups: A Step-by-Step Guide

Choose an Encryption Method

GPG (GNU Privacy Guard): A strong, free option. Good for individual files or directories.
OpenSSL: More complex but very flexible. Useful for encrypting entire disk images.
7-Zip/RAR with Strong Encryption: Convenient if you’re already using these tools for compression.

Generate an Encryption Key Pair (GPG Example)

This creates a public and private key. Keep your private key extremely safe!

gpg --gen-key

Follow the prompts to create a strong passphrase for your key.

Encrypt Your Data

GPG (Single File):

gpg -e -r "Your Name" filename.txt

This encrypts filename.txt using your public key, creating filename.txt.gpg.

GPG (Directory):

tar -czvf directory.tar.gz directory && gpg -e -r "Your Name" directory.tar.gz

This creates a compressed archive of the directory and then encrypts it.

OpenSSL (Example):

openssl enc aes-256-cbc -salt -in filename.txt -out filename.enc

You’ll be prompted for a password. Use a strong one!

Transfer the Encrypted Data to Your Distant Server

SCP (Secure Copy): A standard, secure method.

scp filename.txt.gpg user@server_ip:/path/to/backup/directory

SFTP (Secure File Transfer Protocol): Similar to SCP but provides more features.

rsync over SSH: Efficient for incremental backups.

Verify the Backup on the Distant Server

Log in to your distant server and check that the encrypted file exists and has a reasonable size.
Attempt a test decryption (see step 6) to ensure the transfer was successful.

Decrypt Your Data (Test Recovery)

GPG:

gpg -d filename.txt.gpg > filename.txt

You’ll be prompted for your private key passphrase.

OpenSSL:

openssl enc aes-256-cbc -d -salt -in filename.enc -out filename.txt

You’ll be prompted for the password you used during encryption.

Automate Backups (Important!)

Use cron or a similar scheduler to run your backup script regularly.
Consider using a dedicated backup tool like rsync with appropriate options for incremental backups and encryption.
Example Cron Job: Run the backup script every night at 2 AM.

0 2 * * * /path/to/your/backup_script.sh

Key Management is Crucial

Never store your private key on the backup server! Keep it offline, encrypted, and in a secure location (e.g., a hardware security module or password manager).
Consider creating multiple backups of your encryption keys.
Regularly test your recovery process to ensure you can restore data successfully.