In order to safely store backups in a public cloud storage, which is not under own control, it’s a good idea to use file encryption to secure your data before upload. One way to do this is using GPG ( or GNUPG).
Using GPG you can use public key signing to do the file encryption. When you use a public key for the encryption, it means that you do not need to store passwords in your backup scripts, rather you are just using a public key for the encryption, and can store the private key in a secure place, away from the data you are protecting – thus giving you an extra layer of protection.
This tutorial is based on the tutorial created by IBM, which can be found here, and this tutorial on GoLinuxCloud and amended to suit my own needs.
Prerequisites
This guide will allow you to set up file encryption under MacOS, currently based on macOS Catalina, but should also work under macOS Big Sur and newer.
The tools needed are installed using Homebrew (or brew.sh) and are as follows
- GNUPG
Creating the private and public keys
We start by creating the private and public keys, for this you need the following information:
- Name: The name of the owner of the key
- Email: The e-mail address of the key owner
- Passphrase: The password that will protect the keys
From the command line / Terminal run the following command:
$ gpg --gen-key
Fill in the “name” and “e-mail” when prompted, then verify the information and type “O” to accept.
Then enter your passphrase when prompted. (Remember to store this in a safe place – without it, you won’t be able to decrypt your encrypted files.
You have now created they public and private keys needed and they are stored in the ~/.gpg folder.
To list the keys in your store, run the following command:
$ gpg --list-keys
Exporting and Importing Public Keys
In order to be able to use the Public key you have just created to encrypt files, it needs to be transferred to the machine where you run the encryption.
To export the key, run the following command:
$ gpg --export --armor --output name_of_output.asc user@domain.tld
This will output the public key for the key with the Email of “user@domain.tld” to the file “name_of_output.asc”. The output file name can include the path as well – if no path is specified, the file will be created in the same folder as where the command is run.
The exported file can then be transferred to the machine where it’s needed.
To import the key, run the following command:
$ gpg --import name_of_output.asc
Note, that they key will be imported into the key store, for the user which was used to run the command.
Usually backup scripts are run by a specific user, so we need to run the import as this user, in order to make it available for the backup scripts.
To verify that the key has been installed correctly run the following command:
$ gpg --list-keys
In order for the script to run silent we need to specify the trust for the key. To do this, run the following command:
$ gpg --edit-key "user@domain.tld"
Using the e-mail address we used when creating the key set.
Now type the following commands:
- trust: Enter the trust settings
- 5: “I trust ultimately”
- y: Accept the changes
- quit: End the gpg util.
We should now be set to use GPG to encrypt files on the machine, which can then be transferred to off-site storage location, without the external host being able to read the files.
To encrypt a file run the following command:
$ gpg --encrypt --recipient user@domain.tld --output "/path/name_of_output.gpg" "/path/name_of_input.ext"
To decrypt the file you need to have the Private Key available in your GPG key store, then run the following command:
$ gpg --decrypt name_of_input.gpg --output name_of_output.ext
GPG will automatically match the Public key, and then prompt you for the passphrase, which is needed in order to decode the file.
You should now be all set to encrypt backups before uploading to a public cloud storage provider.