Create host-proof encrypted incremental backups from standard Unix command line utilities

kzimmermann 33fb83c444 Created a separate file to hold the configurations 8 éve
LICENSE 9cdb3428ef Init commit 9 éve
README.md 33fb83c444 Created a separate file to hold the configurations 8 éve
backup.sh 33fb83c444 Created a separate file to hold the configurations 8 éve
backuprc 33fb83c444 Created a separate file to hold the configurations 8 éve

README.md

Encrypted, incremental backups made nice and easy

Create encrypted incremental backups using standard commonly-available Unix command line utilities using this script.

By making use of strong asymmetric encryption (PGP), the backup files produced could be subsequently hosted into any online hosting service without the risk of having your data read by unintended people: they would be host-proof. You could even use Google Drive!

Instructions

This script uses gpg and common Unix archiving mechanisms to do the work. tar is the default archiver used for now, but eventually it will be possible to change it to your favorite format provided you have it installed in your machine. Make sure you've got gpg set up and have at least one strong pair of keys available to start working!

First, copy the file backuprc to your home directory under the name of .backuprc:

cp backuprc ~/.backuprc

Edit this file and change the following line to acommodate your key id (usually the email address associated to your private key). This will be the public key used to encrypt the backup, and also the associated private key with which you will recover the content later.

recipient="someone@example.com" # change it accordingly!

Now you're all set to start creating backups! Currently, only backups of a single folder work, so get one folder full of important files and run:

backup.sh --encrypt folder/

If you will back up a single folder only and would like to sign the file as well to ensure integrity, add the --sign option to it. Because you'll use your private key to sign, you will be prompted for your password.

backup.sh --sign --encrypt folder/

Your new encrypted backup will be available as folderYYYYMMDD.tar.gz.gpg, where YYYYMMDD is today's date (for a simple form of versioning). Put it somewhere safe!

Suppose you would like to recover your backup. Fetch your encrypted archive from your hideout and run:

backup.sh --decrypt folderYYYYMMDD.tar.gz.gpg

As you will be dealing with your private key again, you'll be prompted your password. After decryption is done, the file is unzipped, resulting in your original folder directory getting back to you.

Warnings

As usual, this is highly experimental software, and the warnings from the GPL apply very especially here:

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

A few tips to make these backups more reliable and sturdy:

  • Use a strong PGP key. Strong here could mean something like 4096 bits RSA, using a strong passphrase to unlock the key, storing the key somewhere safe, changing the key passphrase every random interval of time... but really, you should ask a professional cryptographer about that.
  • Choose a trustworthy host to upload the backup. Technically, the host still "has" your data (even though it can't read it) so it can still tamper with it, attempt to crack it, send it to someone else, or even be a complete chicken-shit and delete it without your consent. Even signing the file doesn't help much in this case. An honest hosting service minimizes the chances of these things happening.
  • Protect your account on a trustworthy host. Even if the host is kind-hearted, other people stalking you might not be. Keep your account safe from hacking or even create other backups elsewhere to minimize the chance of losses from thievery or stalking.

Also, just to make it clear: I am not an IT security professional. I'm a hacker who likes shell scripting. This program has not been audited from a security standpoint, and I do not guarantee it's complete safety.

Roadmap

Here's what's coming up for the future releases:

  • Ability to choose different archiving formats.
  • Ability to glob files and create archives from files in different folders.
  • Incremental backups (no need to recreate a full backup for only a few files)
  • Multiple recipients for the backup (shared encryption!)

Credits

The authors of gpg and tar and everything Unix deserve all my respect for their brilliance and effort.

backup.sh is written by Klaus Zimmermann

See the LICENSE file for more information on how can you use this program.