Migrated to GPG

This commit is contained in:
Marco Cetica 2023-10-10 11:59:37 +02:00
parent 73736e3004
commit 5fade8eda0
No known key found for this signature in database
GPG Key ID: 7C7F63D4B26A4D5B
3 changed files with 102 additions and 68 deletions

View File

@ -2,10 +2,12 @@
`backup.sh` is a POSIX compliant, modular and lightweight backup utility to save and encrypt your files.
This tool is intended to be used on small scale UNIX environments such as VPS, personal servers and
workstations. `backup.sh` uses [rsync](https://linux.die.net/man/1/rsync), [tar](https://linux.die.net/man/1/tar)
and [openssl](https://linux.die.net/man/1/openssl) to copy, compress and encrypt the backup.
and [gpg](https://linux.die.net/man/1/gpg) to copy, compress and encrypt the backup.
While `backup.sh` should work in any POSIX compliant environment, the official supported operating systems are:
While `backup.sh` should work in any POSIX compliant environment,
`backup.sh` should work in any POSIX compliant environment, and it's successfully being used on
- GNU/Linux;
- OpenBSD
- FreeBSD;
- Apple MacOS.
@ -22,7 +24,7 @@ you can issue `sudo make uninstall`.
At this point you still need to install the following dependencies:
- `rsync`
- `tar`
- `openssl`
- `gpg`
## Usage
To show the available options, you can run `backup.sh --help`, which will print out the following message:
@ -91,11 +93,15 @@ The backup utility will begin to copy the files defined in the _sources file_:
```text
Copying nginx(1/2)
Copying ssh(2/2)
Compressing and encrypting backup...
Elapsed time: 10 seconds.
Compressing backup...
Encrypting backup...
File name: /home/marco/backup-<HOSTNAME>-<YYYYMMDD>.tar.gz.enc
File size: 7336400696(6.9G)
File hash: 0e75ca393117f389d9e8edfea7106d98
Elapsed time: 259 seconds.
```
After that, you will find the final backup archive in `/home/john/backup-<HOSTNAME>-<YYYMMDD>.tar.gz.enc`.
After that, you will find the final backup archive in `/home/john/backup-<HOSTNAME>-<YYYYMMDD>.tar.gz.enc`.
You can also use `backup.sh` from a crontab rule:
```sh
@ -120,7 +126,7 @@ Where `<ENCRYPTED_ARCHIVE>` is the encrypted backup and `<ARCHIVE_PASSWORD>` is
For instance:
```sh
$> ./backup.sh --extract backup-<hostname>-<YYYMMDD>.tar.gz.enc badpw1234
$> ./backup.sh --extract backup-<hostname>-<YYYYMMDD>.tar.gz.enc badpw1234
```
This will create a new folder called `backup.sh.tmp` in your local directory. Be sure to rename any directory
@ -131,44 +137,46 @@ backup-ssh-<YYYYMMDD>
```
## How does `backup.sh` work?
`backup.sh` uses **rsync** to copy the files, **tar** to compress the backup and **openssl**
to encrypt it. By default, rsync is being used with the following parameters:
```sh
## How does backup.sh work?
**backup.sh** uses _rsync_ to copy the files, _tar_ to compress the backup and _gpg_ to encrypt it.
By default, rsync is being used with the following parameters:
```
$> rsync -aPhrq --delete
```
That is:
- `-a`: **archive mode**: rsync copies files recursively while preserving as much metadata
as possible;
- `-P`: **progress/partial**, this allows rsync to resume interrupted transfers and to
shows progress information;
- `-h`: **human readable output**: rsync shows output numbers in a more readable way;
- `-r`: **recursive mode**: forces rsync to copy directories and their content;
- `-q`: **quiet mode**: reduces the amount of information rsync produces;
- `--delete`: **delete mode**: forces rsync to delete any extraneous files at the
destination dir.
- a: archive mode: rsync copies files recursively while preserving as much metadata as possible;
- P: progress/partial: allows rsync to resume interrupted transfers and to shows progress information;
- h: human readable output, rsync shows output numbers in a more readable way;
- r: recursive mode: forces rsync to copy directories and their content;
- q: quiet mode: reduces the amount of information rsync produces;
- delete: delete mode: forces rsync to delete any extraneous files at the destination dir.
After that the backup folder is being encrypred using openssl. By default, it is used
with the following parameters:
```sh
$> openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -k "$PASSWORD" > file.tar.gz.enc
After that the backup folder is being encrypted using gpg. By default, it is used with the following parameters:
```
$> gpg -a \
--symmetric \
--cipher-algo=AES256 \
--no-symkey-cache \
--pinentry-mode=loopback \
--batch --passphrase-fd 3 3<<< "$PASSWORD" \
--output "$OUTPUT" \
"$INPUT"
```
This command encrypts the backup using the AES-256-CBC symmetric encryption algorithm with a 256bit
key. Here is what each option means:
- `enc`: **encrypt mode**: tell openssl to use encryption functionality;
- `-aes-256-cbc`: **encryption algorithm**: this option tells openssl which encryption algorithm to use;
- `-md sha512`: **hashing algorithm**: this option tells openssl which hashing algorithm to use for key derivation,
i.e., converting the text-based password(`$PASSWORD`) into an encryption key;
- `-pbkdf2`: **key deriving algorithm**: this option tells openssl which key deriving algorithm to use. In this case
we use the _password-based key derivation function 2_ algorithm;
- `-iter 100000`: **number of iterations**: this options tells openssl the number of iteration to use for the key derivation
function;
- `-salt`: **enable salting**: this option tells openssl to add a random salt to the key derivation process in order to
avoid rainbow table based attacks.
This command encrypts the backup using the AES-256 symmetric encryption algorithm with a 256bit key. Here is what each flag do:
- `--symmetric`: Use symmetric encryption;
- `--cipher-algo=AES256`: Use AES256 algorithm;
- `--no-symkey-cache`: Do not save password on GPG's cache;
- `--pinentry-mode=loopback --batch`: Do not prompt the user;
- `--passphrase-fd 3 3<< "$PASSWORD"`: Read password without revealing it on `ps`;
- `--output`: Specify output file;
- `$INPUT`: Specify input file.
## Unit tests
`backup.sh` provides some unit tests inside the `tests.sh` script. This script generates some dummy files inside the following

View File

@ -34,8 +34,10 @@ set -e
# Check if dependencies are installed
missing_dep=0
for dep in rsync tar openssl ; do
if ! command -v $dep > /dev/null 2>&1; then
deps=("rsync" "tar" "gpg")
for dep in "${deps[@]}"; do
if ! command -v "$dep" > /dev/null 2>&1; then
echo "Cannot find '$dep', please install it."
missing_dep=1
fi
@ -93,14 +95,25 @@ make_backup() {
BACKUP_SH_PROGRESS=$((BACKUP_SH_PROGRESS+1))
done
# Compress and encrypt backup directory
echo "Compressing and encrypting backup..."
tar -cz -C "$BACKUP_SH_OUTPATH" $BACKUP_SH_FOLDER | \
openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -k "$BACKUP_SH_PASS" \
> "$BACKUP_SH_FILENAME"
# Compress backup directory
echo "Compressing backup..."
tar -czf "$BACKUP_SH_OUTPATH/backup.sh.tar.gz" \
-C "$BACKUP_SH_OUTPUT/" . > /dev/null 2>&1
# Encrypt backup directory
echo "Encrypting backup..."
gpg -a \
--symmetric \
--cipher-algo=AES256 \
--no-symkey-cache \
--pinentry-mode=loopback \
--batch --passphrase-fd 3 3<<< "$BACKUP_SH_PASS" \
--output "$BACKUP_SH_FILENAME" \
"$BACKUP_SH_OUTPATH/backup.sh.tar.gz" > /dev/null 2>&1
# Remove temporary files
rm -rf "$BACKUP_SH_OUTPUT"
rm -rf "$BACKUP_SH_OUTPATH/backup.sh.tar.gz"
# Print file name, file size, file hash and elapsed time,
BACKUP_SH_END_TIME="$(date +%s)"
@ -118,10 +131,20 @@ extract_backup() {
BACKUP_SH_ARCHIVE_PATH="$1"
BACKUP_SH_ARCHIVE_PW="$2"
(openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -d \
-in "$BACKUP_SH_ARCHIVE_PATH" \
-k "$BACKUP_SH_ARCHIVE_PW" | tar xvz) > /dev/null 2>&1 \
|| (echo "Unable to extract backup." && exit 1)
# Decrypt the archive
gpg -a \
--decrypt \
--no-symkey-cache \
--pinentry-mode=loopback \
--batch --passphrase-fd 3 3<<<"$BACKUP_SH_ARCHIVE_PW" \
--output backup.sh.tar.gz \
"$BACKUP_SH_ARCHIVE_PATH"
# Extract archive
tar -xzf backup.sh.tar.gz 1> /dev/null 2>&1
# Remove temporary files
rm -rf backup.sh.tar.gz
}
helper() {

45
man.md
View File

@ -3,11 +3,11 @@ title: backup.sh
section: 1
header: General Commands Manual
footer: Marco Cetica
date: March 14, 2023
date: October 10, 2023
---
# NAME
**backup.sh** is a POSIX compliant, modular and lightweight backup utility to save and encrypt your files.
**backup.sh** - POSIX compliant, modular and lightweight backup utility to save and encrypt your files.
# SYNOPSIS
```
@ -21,7 +21,7 @@ options:
# DESCRIPTION
**backup.sh** is a POSIX compliant, modular and lightweight backup utility to save and encrypt your files.
This tool is intended to be used on small scale UNIX environment such as VPS, small servers and workstations.
**backup.sh** uses _rsync_, _tar_ and _openssl_ to copy, compress and encrypt the backup.
**backup.sh** uses _rsync_, _tar_ and _gpg_ to copy, compress and encrypt the backup.
# OPTIONS
**backup.sh** supports two options: _backup creation_ and _backup extraction_.
@ -88,7 +88,7 @@ Compressing and encrypting backup...
Elapsed time: 10 seconds.
```
After that, you will find the final backup archive in `/home/john/backup-<HOSTNAME>-<YYYMMDD>.tar.gz.enc`.
After that, you will find the final backup archive in `/home/john/backup-<HOSTNAME>-<YYYYMMDD>.tar.gz.enc`.
You can also use **backup.sh** from a crontab rule:
@ -112,7 +112,7 @@ Where `<ENCRYPTED_ARCHIVE>` is the encrypted backup and `<ARCHIVE_PASSWORD>` is
For instance:
```
$> ./backup.sh --extract backup-<hostname>-<YYYMMDD>.tar.gz.enc badpw1234
$> ./backup.sh --extract backup-<hostname>-<YYYYMMDD>.tar.gz.enc badpw1234
```
This will create a new folder called `backup.sh.tmp` in your local directory.
@ -124,7 +124,7 @@ backup-ssh-<YYYYMMDD>
```
## How does backup.sh work?
**backup.sh** uses _rsync_ to copy the files, _tar_ to compress the backup and _openssl_ to encrypt it.
**backup.sh** uses _rsync_ to copy the files, _tar_ to compress the backup and _gpg_ to encrypt it.
By default, rsync is being used with the following parameters:
```
@ -141,28 +141,31 @@ That is:
- delete: delete mode: forces rsync to delete any extraneous files at the destination dir.
After that the backup folder is being encrypred using openssl. By default, it is used with the following parameters:
After that the backup folder is being encrypted using gpg. By default, it is used with the following parameters:
```
$> openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -k "$PASSWORD" > file.tar.gz.enc
$> gpg -a \
--symmetric \
--cipher-algo=AES256 \
--no-symkey-cache \
--pinentry-mode=loopback \
--batch --passphrase-fd 3 3<<< "$PASSWORD" \
--output "$OUTPUT" \
"$INPUT"
```
This command encrypts the backup using the AES-256-CBC symmetric encryption algorithm with a 256bit key. Here is what each option means:
- enc: encrypt mode: tell openssl to use encryption functionality;
- aes-256-cbc: encryption algorithm: this option tells openssl which encryption algorithm to use;
- md sh512: hashing algorithm: this option tells openssl which hashing algorithm to use for key derivation,
i.e., converting the text-based password(`$PASSWORD`) into an encryption key;
- pbkdf2: key deriving algorithm: this option tells openssl which key deriving algorithm to use. In this case
we use the _password-based key derivation function 2_ algorithm;
- iter 100000: number of iterations: this options tells openssl the number of iteration to use for the key derivation
function;
- salt: enable salting: this option tells openssl to add a random salt to the key derivation process in order to
avoid rainbow table based attacks.
This command encrypts the backup using the AES-256 symmetric encryption algorithm with a 256bit key. Here is what each flag do:
- `--symmetric`: Use symmetric encryption;
- `--cipher-algo=AES256`: Use AES256 algorithm;
- `--no-symkey-cache`: Do not save password on GPG's cache;
- `--pinentry-mode=loopback --batch`: Do not prompt the user;
- `--passphrase-fd 3 3<< "$PASSWORD"`: Read password without revealing it on `ps`;
- `--output`: Specify output file;
- `$INPUT`: Specify input file.
# EXAMPLES
Below there are some examples that demostrate **backup.sh**'s usage.
Below there are some examples that demonstrate **backup.sh**'s usage.
1. Create a backup of `/etc/ssh`, `/var/www` and `/var/log` inside the `/tmp` directory using a password
stored in `/home/op1/.backup_pw`