What are my options for encrypting backups sent to remote destinations

Operating System & Version
CentOS 7.9
cPanel & WHM Version
92.0.6

martin MHC

Well-Known Member
Sep 14, 2016
338
75
78
UK
cPanel Access Level
Root Administrator
We have regular backups generated on the WHM server and these are sent as .tar.gz files to an external depository.

There is a lot of talk on the forums about encrypting the transportation connection, but not much about encrypting the actual .tar.gz files themselves. This means that when the backup file is delivered to the other end, anyone with access to that account (Amazon / Google Drive / etc.) has unhindered access to the backup of the entire account details and email.

I would be looking for some sort of locking mechanism on the .tar.gz generated files (perhaps using the password that is set for the account on WHM) or even better using a GPG encryptor such as Kleopatra. This would mean that anyone that has access to the depository account (Amazon / Google Drive / etc.) does not automatically have access to the entire file/email/SQL readout of any backed up account.

I have had a look at this and can't see anything, ANYTHING that looks to do this. Are there any options here?
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
856
367
363
cPanel Access Level
DataCenter Provider
As far as I know, cPanel backups can't do this. If you want to use JetBackup you 'kind of' can. If you have GDPR enabled you can set an encryption key for each account. You then need the encryption key to restore the account.
 

martin MHC

@ffeingol is correct - there isn't a good automated way to do this with any of the tools we have included (cPanel backups) or support (JetBackup)
Would there be a mechanism whereby I could edit a file and include a Perl script to do this (I am quite competent with Perl); for example, maybe editing the core cPanel backup routine to add an encryption mechanism via the Perl command line? (At my own risk, of course.)
 

martin MHC

Possibly? The only thing I would mention with that work is that cPanel would replace any customizations made to core files as part of the nightly update.
I fully realise this, and this could potentially raise its own problems if cPanel makes significant changes to that codebase. Hmmm... I will submit a feature request for this. Adding PGP or similar encryption to .tar.gz file creation is extremely easy and, as I said, using the existing password for the account would mean the password is consistent and not necessarily known to the employees or owners of the destination storage location.

Cheers
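
The file-level encryption asked about in this thread, as an added example that is not cPanel, JetBackup or any poster's code: it encrypts each finished .tar.gz to a GPG public key so the storage provider only ever holds ciphertext. It uses a public key rather than the account password suggested above, and the staging path, the recipient placeholder and the function names are assumptions; how the script is wired into the backup run is not shown.

```shell
#!/bin/sh
# Added example (not cPanel or JetBackup code). Assumptions: finished archives
# sit in a local staging directory before upload, and only the PUBLIC half of
# a GPG key pair is imported here; the private key stays off the server.
BACKUP_DIR="${BACKUP_DIR:-/backup/staging}"                # hypothetical path
RECIPIENT="${RECIPIENT:-FINGERPRINT_OF_BACKUP_PUBLIC_KEY}" # placeholder

# Encrypt one archive to "$1.gpg"; delete the plaintext only on success.
encrypt_archive() {
    src="$1"
    tmp="$src.gpg.part"
    [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
    # --trust-model always: the key was verified by fingerprint out of band,
    # so skip the interactive trust prompt that would stall a cron job.
    if ! gpg --batch --yes --trust-model always --encrypt \
             --recipient "$RECIPIENT" --output "$tmp" "$src"; then
        rm -f "$tmp"
        echo "encryption failed, plaintext kept: $src" >&2
        return 1
    fi
    # An empty output file means something went wrong; keep the plaintext.
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$src.gpg"
    rm -f "$src"
}

# Encrypt every *.tar.gz in a directory; non-zero exit if any file failed,
# so the caller can stop before the upload step.
encrypt_all() {
    failed=0
    for f in "$1"/*.tar.gz; do
        [ -e "$f" ] || continue          # glob matched nothing
        encrypt_archive "$f" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ]
}

# Run only when invoked as: sh encrypt-backups.sh run
if [ "${1:-}" = "run" ]; then
    encrypt_all "$BACKUP_DIR"
fi
```

Restoring requires `gpg --decrypt` on a machine that holds the private key, so a restore test belongs in the routine before the plaintext copies are relied on being gone.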