Background

No backup, no mercy! That's why I store my backups in several locations with different hyperscalers (aws, hetzner, azure). But are these providers really trustworthy when it comes to my life insurance policy, for example? I can't thoroughly check the existing security mechanisms. I also have limited trust in the encryption they offer. In the past, there have been some very surprising incidents in this regard.

So I have to assume that I'm not the only one who could have access to this data ?

how does it work?

Readers of my blog should already have a picture in their minds, but for the others here, here's how it works. Thanks to my Yubikey, I have a key pair (public/private) that I can use to encrypt the backups. For the encryption only the public 🔑 is needed. When I need the backups, I need my private 🔑 to decrypt them.

for more infos about the Public-key crypthography have a look Public-key_cryptography

Example

No blog post without a practical example!

Encrypt

In order to encrypt my backups using my public key when creating them, I first need to install GnuPG on the server. Then I can use the following command to import my gpg key:

curl -fsSl https://willifix.net/contact/rwillems.txt | gpg --import

the output confirms the import:

now we have everything to encrypt our stuff. I like oneliners and here is a example how to tar a file and encrypt the output directly with the public key:

tar czf - /source | gpg --encrypt --recipient raffael.willems@im-c.d --output /tmp/source.tar.gpg

The backups are therefore encrypted 🔐and unusable in the event of data theft.

decrypt

Since GPG does a lot of the work for us here, I think decrypting is easier than encrypting.

gpg --decrypt source.tar.gpg >source.tar

That's it, folks!