marco/backup.sh
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Migrated to GPG

Browse Source
This commit is contained in:
Marco Cetica 2023-10-10 11:59:37 +02:00
parent 73736e3004
commit 5fade8eda0
No known key found for this signature in database
GPG Key ID: 7C7F63D4B26A4D5B
3 changed files with 102 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
README.md
View File

@ -2,10 +2,12 @@
`backup.sh` is a POSIX compliant, modular and lightweight backup utility to save and encrypt your files. `backup.sh` is a POSIX compliant, modular and lightweight backup utility to save and encrypt your files.
This tool is intended to be used on small scale UNIX environments such as VPS, personal servers and This tool is intended to be used on small scale UNIX environments such as VPS, personal servers and
workstations. `backup.sh` uses [rsync](https://linux.die.net/man/1/rsync), [tar](https://linux.die.net/man/1/tar) workstations. `backup.sh` uses [rsync](https://linux.die.net/man/1/rsync), [tar](https://linux.die.net/man/1/tar)
and [openssl](https://linux.die.net/man/1/openssl) to copy, compress and encrypt the backup. and [gpg](https://linux.die.net/man/1/gpg) to copy, compress and encrypt the backup.
While `backup.sh` should work in any POSIX compliant environment, the official supported operating systems are: While `backup.sh` should work in any POSIX compliant environment,
`backup.sh` should work in any POSIX compliant environment, and it's successfully being used on
- GNU/Linux; - GNU/Linux;
- OpenBSD
- FreeBSD; - FreeBSD;
- Apple MacOS. - Apple MacOS.
@ -22,7 +24,7 @@ you can issue `sudo make uninstall`.
At this point you still need to install the following dependencies: At this point you still need to install the following dependencies:
- `rsync` - `rsync`
- `tar` - `tar`
- `openssl` - `gpg`
## Usage ## Usage
To show the available options, you can run `backup.sh --help`, which will print out the following message: To show the available options, you can run `backup.sh --help`, which will print out the following message:
@ -91,11 +93,15 @@ The backup utility will begin to copy the files defined in the _sources file_:
```text ```text
Copying nginx(1/2) Copying nginx(1/2)
Copying ssh(2/2) Copying ssh(2/2)
Compressing and encrypting backup... Compressing backup...
Elapsed time: 10 seconds. Encrypting backup...
File name: /home/marco/backup-<HOSTNAME>-<YYYYMMDD>.tar.gz.enc
File size: 7336400696(6.9G)
File hash: 0e75ca393117f389d9e8edfea7106d98
Elapsed time: 259 seconds.
``` ```
After that, you will find the final backup archive in `/home/john/backup-<HOSTNAME>-<YYYMMDD>.tar.gz.enc`. After that, you will find the final backup archive in `/home/john/backup-<HOSTNAME>-<YYYYMMDD>.tar.gz.enc`.
You can also use `backup.sh` from a crontab rule: You can also use `backup.sh` from a crontab rule:
```sh ```sh
@ -120,7 +126,7 @@ Where `<ENCRYPTED_ARCHIVE>` is the encrypted backup and `<ARCHIVE_PASSWORD>` is
For instance: For instance:
```sh ```sh
$> ./backup.sh --extract backup-<hostname>-<YYYMMDD>.tar.gz.enc badpw1234 $> ./backup.sh --extract backup-<hostname>-<YYYYMMDD>.tar.gz.enc badpw1234
``` ```
This will create a new folder called `backup.sh.tmp` in your local directory. Be sure to rename any directory This will create a new folder called `backup.sh.tmp` in your local directory. Be sure to rename any directory
@ -131,44 +137,46 @@ backup-ssh-<YYYYMMDD>
``` ```
## How does `backup.sh` work? ## How does backup.sh work?
`backup.sh` uses **rsync** to copy the files, **tar** to compress the backup and **openssl** **backup.sh** uses _rsync_ to copy the files, _tar_ to compress the backup and _gpg_ to encrypt it.
to encrypt it. By default, rsync is being used with the following parameters: By default, rsync is being used with the following parameters:
```sh
```
$> rsync -aPhrq --delete $> rsync -aPhrq --delete
``` ```
That is: That is:
- `-a`: **archive mode**: rsync copies files recursively while preserving as much metadata - a: archive mode: rsync copies files recursively while preserving as much metadata as possible;
as possible; - P: progress/partial: allows rsync to resume interrupted transfers and to shows progress information;
- `-P`: **progress/partial**, this allows rsync to resume interrupted transfers and to - h: human readable output, rsync shows output numbers in a more readable way;
shows progress information; - r: recursive mode: forces rsync to copy directories and their content;
- `-h`: **human readable output**: rsync shows output numbers in a more readable way; - q: quiet mode: reduces the amount of information rsync produces;
- `-r`: **recursive mode**: forces rsync to copy directories and their content; - delete: delete mode: forces rsync to delete any extraneous files at the destination dir.
- `-q`: **quiet mode**: reduces the amount of information rsync produces;
- `--delete`: **delete mode**: forces rsync to delete any extraneous files at the
destination dir.
After that the backup folder is being encrypred using openssl. By default, it is used After that the backup folder is being encrypted using gpg. By default, it is used with the following parameters:
with the following parameters:
```sh
$> openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -k "$PASSWORD" > file.tar.gz.enc ```
$> gpg -a \
--symmetric \
--cipher-algo=AES256 \
--no-symkey-cache \
--pinentry-mode=loopback \
--batch --passphrase-fd 3 3<<< "$PASSWORD" \
--output "$OUTPUT" \
"$INPUT"
``` ```
This command encrypts the backup using the AES-256-CBC symmetric encryption algorithm with a 256bit This command encrypts the backup using the AES-256 symmetric encryption algorithm with a 256bit key. Here is what each flag do:
key. Here is what each option means: - `--symmetric`: Use symmetric encryption;
- `enc`: **encrypt mode**: tell openssl to use encryption functionality; - `--cipher-algo=AES256`: Use AES256 algorithm;
- `-aes-256-cbc`: **encryption algorithm**: this option tells openssl which encryption algorithm to use; - `--no-symkey-cache`: Do not save password on GPG's cache;
- `-md sha512`: **hashing algorithm**: this option tells openssl which hashing algorithm to use for key derivation, - `--pinentry-mode=loopback --batch`: Do not prompt the user;
i.e., converting the text-based password(`$PASSWORD`) into an encryption key; - `--passphrase-fd 3 3<< "$PASSWORD"`: Read password without revealing it on `ps`;
- `-pbkdf2`: **key deriving algorithm**: this option tells openssl which key deriving algorithm to use. In this case - `--output`: Specify output file;
we use the _password-based key derivation function 2_ algorithm; - `$INPUT`: Specify input file.
- `-iter 100000`: **number of iterations**: this options tells openssl the number of iteration to use for the key derivation
function;
- `-salt`: **enable salting**: this option tells openssl to add a random salt to the key derivation process in order to
avoid rainbow table based attacks.
## Unit tests ## Unit tests
`backup.sh` provides some unit tests inside the `tests.sh` script. This script generates some dummy files inside the following `backup.sh` provides some unit tests inside the `tests.sh` script. This script generates some dummy files inside the following

45
backup.sh
View File

@ -34,8 +34,10 @@ set -e
# Check if dependencies are installed # Check if dependencies are installed
missing_dep=0 missing_dep=0
for dep in rsync tar openssl ; do deps=("rsync" "tar" "gpg")
if ! command -v $dep > /dev/null 2>&1; then
for dep in "${deps[@]}"; do
if ! command -v "$dep" > /dev/null 2>&1; then
echo "Cannot find '$dep', please install it." echo "Cannot find '$dep', please install it."
missing_dep=1 missing_dep=1
fi fi
@ -93,14 +95,25 @@ make_backup() {
BACKUP_SH_PROGRESS=$((BACKUP_SH_PROGRESS+1)) BACKUP_SH_PROGRESS=$((BACKUP_SH_PROGRESS+1))
done done
# Compress and encrypt backup directory # Compress backup directory
echo "Compressing and encrypting backup..." echo "Compressing backup..."
tar -cz -C "$BACKUP_SH_OUTPATH" $BACKUP_SH_FOLDER | \ tar -czf "$BACKUP_SH_OUTPATH/backup.sh.tar.gz" \
openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -k "$BACKUP_SH_PASS" \ -C "$BACKUP_SH_OUTPUT/" . > /dev/null 2>&1
> "$BACKUP_SH_FILENAME"
# Encrypt backup directory
echo "Encrypting backup..."
gpg -a \
--symmetric \
--cipher-algo=AES256 \
--no-symkey-cache \
--pinentry-mode=loopback \
--batch --passphrase-fd 3 3<<< "$BACKUP_SH_PASS" \
--output "$BACKUP_SH_FILENAME" \
"$BACKUP_SH_OUTPATH/backup.sh.tar.gz" > /dev/null 2>&1
# Remove temporary files # Remove temporary files
rm -rf "$BACKUP_SH_OUTPUT" rm -rf "$BACKUP_SH_OUTPUT"
rm -rf "$BACKUP_SH_OUTPATH/backup.sh.tar.gz"
# Print file name, file size, file hash and elapsed time, # Print file name, file size, file hash and elapsed time,
BACKUP_SH_END_TIME="$(date +%s)" BACKUP_SH_END_TIME="$(date +%s)"
@ -118,10 +131,20 @@ extract_backup() {
BACKUP_SH_ARCHIVE_PATH="$1" BACKUP_SH_ARCHIVE_PATH="$1"
BACKUP_SH_ARCHIVE_PW="$2" BACKUP_SH_ARCHIVE_PW="$2"
(openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -d \ # Decrypt the archive
-in "$BACKUP_SH_ARCHIVE_PATH" \ gpg -a \
-k "$BACKUP_SH_ARCHIVE_PW" | tar xvz) > /dev/null 2>&1 \ --decrypt \
|| (echo "Unable to extract backup." && exit 1) --no-symkey-cache \
--pinentry-mode=loopback \
--batch --passphrase-fd 3 3<<<"$BACKUP_SH_ARCHIVE_PW" \
--output backup.sh.tar.gz \
"$BACKUP_SH_ARCHIVE_PATH"
# Extract archive
tar -xzf backup.sh.tar.gz 1> /dev/null 2>&1
# Remove temporary files
rm -rf backup.sh.tar.gz
} }
helper() { helper() {

45
man.md
View File

@ -3,11 +3,11 @@ title: backup.sh
section: 1 section: 1
header: General Commands Manual header: General Commands Manual
footer: Marco Cetica footer: Marco Cetica
date: March 14, 2023 date: October 10, 2023
--- ---
# NAME # NAME
**backup.sh** is a POSIX compliant, modular and lightweight backup utility to save and encrypt your files. **backup.sh** - POSIX compliant, modular and lightweight backup utility to save and encrypt your files.
# SYNOPSIS # SYNOPSIS
``` ```
@ -21,7 +21,7 @@ options:
# DESCRIPTION # DESCRIPTION
**backup.sh** is a POSIX compliant, modular and lightweight backup utility to save and encrypt your files. **backup.sh** is a POSIX compliant, modular and lightweight backup utility to save and encrypt your files.
This tool is intended to be used on small scale UNIX environment such as VPS, small servers and workstations. This tool is intended to be used on small scale UNIX environment such as VPS, small servers and workstations.
**backup.sh** uses _rsync_, _tar_ and _openssl_ to copy, compress and encrypt the backup. **backup.sh** uses _rsync_, _tar_ and _gpg_ to copy, compress and encrypt the backup.
# OPTIONS # OPTIONS
**backup.sh** supports two options: _backup creation_ and _backup extraction_. **backup.sh** supports two options: _backup creation_ and _backup extraction_.
@ -88,7 +88,7 @@ Compressing and encrypting backup...
Elapsed time: 10 seconds. Elapsed time: 10 seconds.
``` ```
After that, you will find the final backup archive in `/home/john/backup-<HOSTNAME>-<YYYMMDD>.tar.gz.enc`. After that, you will find the final backup archive in `/home/john/backup-<HOSTNAME>-<YYYYMMDD>.tar.gz.enc`.
You can also use **backup.sh** from a crontab rule: You can also use **backup.sh** from a crontab rule:
@ -112,7 +112,7 @@ Where `<ENCRYPTED_ARCHIVE>` is the encrypted backup and `<ARCHIVE_PASSWORD>` is
For instance: For instance:
``` ```
$> ./backup.sh --extract backup-<hostname>-<YYYMMDD>.tar.gz.enc badpw1234 $> ./backup.sh --extract backup-<hostname>-<YYYYMMDD>.tar.gz.enc badpw1234
``` ```
This will create a new folder called `backup.sh.tmp` in your local directory. This will create a new folder called `backup.sh.tmp` in your local directory.
@ -124,7 +124,7 @@ backup-ssh-<YYYYMMDD>
``` ```
## How does backup.sh work? ## How does backup.sh work?
**backup.sh** uses _rsync_ to copy the files, _tar_ to compress the backup and _openssl_ to encrypt it. **backup.sh** uses _rsync_ to copy the files, _tar_ to compress the backup and _gpg_ to encrypt it.
By default, rsync is being used with the following parameters: By default, rsync is being used with the following parameters:
``` ```
@ -141,28 +141,31 @@ That is:
- delete: delete mode: forces rsync to delete any extraneous files at the destination dir. - delete: delete mode: forces rsync to delete any extraneous files at the destination dir.
After that the backup folder is being encrypred using openssl. By default, it is used with the following parameters: After that the backup folder is being encrypted using gpg. By default, it is used with the following parameters:
``` ```
$> openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -k "$PASSWORD" > file.tar.gz.enc $> gpg -a \
--symmetric \
--cipher-algo=AES256 \
--no-symkey-cache \
--pinentry-mode=loopback \
--batch --passphrase-fd 3 3<<< "$PASSWORD" \
--output "$OUTPUT" \
"$INPUT"
``` ```
This command encrypts the backup using the AES-256-CBC symmetric encryption algorithm with a 256bit key. Here is what each option means: This command encrypts the backup using the AES-256 symmetric encryption algorithm with a 256bit key. Here is what each flag do:
- `--symmetric`: Use symmetric encryption;
- enc: encrypt mode: tell openssl to use encryption functionality; - `--cipher-algo=AES256`: Use AES256 algorithm;
- aes-256-cbc: encryption algorithm: this option tells openssl which encryption algorithm to use; - `--no-symkey-cache`: Do not save password on GPG's cache;
- md sh512: hashing algorithm: this option tells openssl which hashing algorithm to use for key derivation, - `--pinentry-mode=loopback --batch`: Do not prompt the user;
i.e., converting the text-based password(`$PASSWORD`) into an encryption key; - `--passphrase-fd 3 3<< "$PASSWORD"`: Read password without revealing it on `ps`;
- pbkdf2: key deriving algorithm: this option tells openssl which key deriving algorithm to use. In this case - `--output`: Specify output file;
we use the _password-based key derivation function 2_ algorithm; - `$INPUT`: Specify input file.
- iter 100000: number of iterations: this options tells openssl the number of iteration to use for the key derivation
function;
- salt: enable salting: this option tells openssl to add a random salt to the key derivation process in order to
avoid rainbow table based attacks.
# EXAMPLES # EXAMPLES
Below there are some examples that demostrate **backup.sh**'s usage. Below there are some examples that demonstrate **backup.sh**'s usage.
1. Create a backup of `/etc/ssh`, `/var/www` and `/var/log` inside the `/tmp` directory using a password 1. Create a backup of `/etc/ssh`, `/var/www` and `/var/log` inside the `/tmp` directory using a password
stored in `/home/op1/.backup_pw` stored in `/home/op1/.backup_pw`