Encrypting a gzip file

daymobrew

I have written a script to backup a MySQL db. I use mysqlbackup and it generates a large .sql file (~170MB). This gzips down to 15MB.
I then push the file to Amazon S3.

While the files on S3 are private, I really need to encrypt them prior to upload.

I am using PHP 5.2.17; mycrypt 2.5.8 is built in; I can run system(); there are a few PEAR5 Crypt modules available.

Any suggestions on what route I should take?

ianhobo

What do you do with the files after? (Sorry not, familiar with the amazon service)

Do you use PGP or GPG?

"gpg4win" is a software privacy tool which will (among other things) allow you to encrypt any file you want. It has various methods, depending on what you want to do with the file - share it, store it etc etc

Obviously this is a manual solution, sorry if your looking for a auto/script solution can't think of anything right now

daymobrew

ianhobo wrote: »

What do you do with the files after? (Sorry not, familiar with the amazon service)

Amazon S3 (Simple Storage Service) is just a place for me to put the backup files. They will only be needed if the db gets trashed.

ianhobo wrote: »

Do you use PGP or GPG?

"gpg4win" is a software privacy tool which will (among other things) allow you to encrypt any file you want. It has various methods, depending on what you want to do with the file - share it, store it etc etc

Obviously this is a manual solution, sorry if your looking for a auto/script solution can't think of anything right now

I do need a scriptable solution. And one on the Unix box where the db is.

ressem

Create a file containing a password. Readable only by backup user.

tar zcvf - databasefile.sql | openssl enc -aes-256-cbc -salt -pass file:./password.txt > databasefile.tar.gz.aes

to decrypt (overwriting the file databasefile.sql already in this directory)

dd if=databasefile.tar.gz.aes | openssl enc -d -aes-256-cbc -pass file:./password.txt | tar zxvf -

tar zcvf means create a compressed tarball
the openssl bit is using the aes-256 cipher block chaining routine to encrypt your data, using the contents of password.txt as the passkey.

Note that cbc means that a single bit of corruption means that the entire file is unreadably corrupt so keeping a multiple copies is recommended. It also does not work in parallel so will use only one core of your CPU I think.

croo

doesn't gpg automatically compress text files as part of the encryption process?

amen

a bit off post:
encrypting and backups are good but what exactly is in the data base that you want encrypted? for instance if its credit numbers you may be out of compliance with PCI.

you also need to be careful where your data is stored on Amazon S3. If the data is stored in USA AmazonS3 and you have european users/customer details you could be breaking data protection laws.

Can you connect to S3 securely ? Better to send the backup over a secure connection that across a non secure one

daymobrew

amen wrote: »

a bit off post:
encrypting and backups are good but what exactly is in the data base that you want encrypted? for instance if its credit numbers you may be out of compliance with PCI.

It is not credit card numbers. It is online chat history of confidential conversations.

amen wrote: »

you also need to be careful where your data is stored on Amazon S3. If the data is stored in USA AmazonS3 and you have european users/customer details you could be breaking data protection laws.

True - I chose the Ireland location for this reason.

amen wrote: »

Can you connect to S3 securely ? Better to send the backup over a secure connection that across a non secure one

Good idea.

amen

It is online chat history of confidential conversations.

is the conversation data encrypted as well? If not it ain't confidential

fergalr

ressem wrote: »

Create a file containing a password. Readable only by backup user.

tar zcvf - databasefile.sql | openssl enc -aes-256-cbc -salt -pass file:./password.txt > databasefile.tar.gz.aes

to decrypt (overwriting the file databasefile.sql already in this directory)

dd if=databasefile.tar.gz.aes | openssl enc -d -aes-256-cbc -pass file:./password.txt | tar zxvf -

tar zcvf means create a compressed tarball
the openssl bit is using the aes-256 cipher block chaining routine to encrypt your data, using the contents of password.txt as the passkey.

Note that cbc means that a single bit of corruption means that the entire file is unreadably corrupt so keeping a multiple copies is recommended. It also does not work in parallel so will use only one core of your CPU I think.

I second the recommendation of using openssl to aes encrypt the backups; have deployed this before, its not a bad way to go at all.

daymobrew

amen wrote: »

is the conversation data encrypted as well? If not it ain't confidential

Livezilla live chat is being used with the chat transcripts stored in MySQL. Livezilla supports SSL but I don't know if it has been enabled. I will raise this with the Livezilla admin.

The service that is using Livezilla is a support service for people with depression. They can live chat with someone for support. That is what I mean by "confidential"