What’s the most recommended way to encrypt a db backup nowadays? Still gpg? For sure looking for public/private as don’t want my worker doing the backup and shipping it to storage to have a key to decrypt it.
But problem comes if I ever want to automate a restore in any way.. 😶
@eletrotupi I’ve definitely seen this one before. Actually have in mind for my personal backups. In my case on a worker I’m getting a gzip archive output to stdout from the database dump. Might be able to make borg work. 🤔
@geekgonecrazy @eletrotupi Just a note: Make sure to either call gpg with --no-compress or, better, pass the unencrypted stream to gpg. Otherwise you're compressing twice.
@realTimo @eletrotupi ah good tip! Didn’t think about gpg compressing.
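An added example, not part of the thread: the setup discussed above with gpg, where the worker's keyring holds only the public key and the already gzipped dump is encrypted with gpg's own compression switched off (`--compress-algo none`). The recipient identity, file names and the empty demo passphrase are assumptions; it needs GnuPG 2.1 or later.

```shell
#!/bin/sh
set -eu
RECIPIENT="backup@example.invalid"   # constructed identity (assumption)

# Restore host: create the key pair. Empty passphrase is for this demo only.
make_restore_keyring() {  # $1 = keyring dir
  mkdir -p "$1" && chmod 700 "$1"
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$RECIPIENT" default default never
}

# Worker: receives the exported public key and nothing else.
make_worker_keyring() {  # $1 = restore keyring dir, $2 = worker keyring dir
  mkdir -p "$2" && chmod 700 "$2"
  gpg --homedir "$1" --batch --export "$RECIPIENT" |
    gpg --homedir "$2" --batch --quiet --import
}

# Worker: stdin is the already gzipped dump, so gpg must not compress again.
encrypt_backup() {  # $1 = worker keyring dir
  gpg --homedir "$1" --batch --quiet --trust-model always \
      --compress-algo none --encrypt --recipient "$RECIPIENT"
}

decrypt_backup() {  # $1 = keyring dir
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --decrypt
}

# Round trip; prints "<restored text>|<yes/no: could the worker decrypt>".
roundtrip() {
  tmp=$(mktemp -d)
  make_restore_keyring "$tmp/restore" 2>/dev/null
  make_worker_keyring "$tmp/restore" "$tmp/worker" 2>/dev/null
  # Constructed one-line stand-in for a real database dump.
  printf 'CREATE TABLE t (id int);\n' | gzip -c |
    encrypt_backup "$tmp/worker" > "$tmp/dump.sql.gz.gpg"
  restored=$(decrypt_backup "$tmp/restore" < "$tmp/dump.sql.gz.gpg" 2>/dev/null | gunzip -c)
  if decrypt_backup "$tmp/worker" < "$tmp/dump.sql.gz.gpg" >/dev/null 2>&1
  then worker=yes; else worker=no; fi
  for d in restore worker; do
    gpgconf --homedir "$tmp/$d" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$tmp"
  echo "$restored|$worker"
}

roundtrip
```

An automated restore needs the restore keyring (the private key) on whichever host runs it, which is the trade-off raised in the original question.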
@mookie I’d be shipping off to an s3 compatible store. The output of the backup is actually very dynamic and will go to semi dynamic stores and will happen on a random worker. So ideally looking for something to handle just encryption.
I’ve looked at rclone but couldn’t determine exactly what it was doing encryption wise. Looks like some sort of asymmetrical?
@geekgonecrazy @mookie perfect use case for Borg imo
@geekgonecrazy Might also look into https://github.com/FiloSottile/age . Looks like it can send to a public key so there is no need to keep a key on the sending server.
@sjanes oooooooh! Nice! This might be exactly what I’m after
@brian gotta say compared to rclone the simplicity shown on their page definitely would beat it out for backing up files. I think this is up in one of my 100s of tabs from someone’s toot or tweet from a while back. For sure need to file it away. Maybe creating a list of some of these
@geekgonecrazy https://shivering-isles.com/Using-duplicity-and-backblaze-b2-storage-for-backup
Turned out to be rock solid for me. You can obviously replace backblaze with whatever you like. Also the Ansible role linked is even more configurable to use different keys for encryption and signing.
I started to add my private OpenPGP key as encryption target in order to make sure I can always decrypt the backups.
@sheogorath duplicity is a nice one too. Thanks!
@utzer it technically could. But I have more of a many worker sort of setup and the backup job happens in a container. Borg does look interesting for pet server or personal laptop situation though
@geekgonecrazy Borg