What’s the most recommended way to encrypt a db backup now days? Still gpg? For sure looking for public/private as don’t want my worker doing the backup and shipping it to storage to have a key to decrypt it.

But problem comes if I ever want to automate a restore in anyway.. 😶

@eletrotupi I’ve definitely seen this one before. Actually have in mind for my personal backups. In my case on a worker I’m getting a gzip archive output to stdout from the database dump. Might be able to make borg work. 🤔

@geekgonecrazy @eletrotupi Just a note: Make sure to seither call gpg with --no-compress or, better, pass the unencrypted stream to gpg. Otherwise you're compressing twice.

@geekgonecrazy Are you backing up to a remote machine or public cloud storage? If you are, I like using rclone for that. It handles the encryption and copying of files.

@mookie I’d be shipping off to an s3 compatible store. The output of the backup is actually very dynamic and will go to semi dynamic stores and will happen on a random worker. So ideally looking for something to handle just encryption.

I’ve looked at rclone but couldn’t determine exactly what it was doing encryption wise. Looks like some sort of asymmetrical?

@geekgonecrazy Might also look into . Looks like it can send to a public key so there is no need to keep a key on the sending server.

@sjanes oooooooh! Nice! This might be exactly what I’m after

@geekgonecrazy restic is great. It has rclone integration so it can handle the uploading for you across pretty much any backend you might need.

@brian gotta say compared to rclone the simplicity shown on their page definitely would beat it out for backing up files. I think this is up in one of my 100s of tabs from someone’s toot or tweet from a while back. For sure need to file it away. Maybe creating a list of some of these


Turned out to be rock solid for me. You can obviously replace backblaze with whatever you like. Also the Ansible role linked is even more configurable to use different keys for encryption and signing.

I started to add my private OpenPGP key as encryption target in order to make sure I can always decrypt the backups.

@geekgonecrazy is it Linux, can you do a dump to a local folder (enough space)? If yes, then use #Borgbackup via some SSH connection to the remote backup host.
@geekgonecrazy I can explain a little further if you want more info.

@utzer it technically could. But I have more of a many worker sort of setup and the backup job happens in a container. Borg does look interesting for pet server or personal laptop situation though

Sign in to participate in the conversation

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.