0

I have a backup routine via crontab on Ubuntu. This routine generates a compressed tar.gz file and sends it to AWS S3.

But I want to encrypt these files and be able to decrypt them when necessary on another machine only if I have the private key.

While searching I found gpg, and I execute the command below to compress the backup file:

gpg --output my-backup-file.tar.gz.gpg --encrypt --recipient secret-key-mail-address@example.com my-backup-file.tar.gz

Is this a safe and good way to encrypt these files?

Tom
  • So basically you're asking if there are known vulnerabilities in GPG? – Luc May 26 '20 at 14:19
  • This method is solid. I will point out that if you're the only one using the files it really only requires a single symmetric key. If you still want to use a Public Key Pair, then you may want to add a signature to verify the originator as well. – user10216038 May 27 '20 at 18:58
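
The client-side approach from the question (gpg public-key encryption before upload), written for unattended use from cron. This is an added example, not code from the original posts; the function names, paths and bucket name are assumptions, and the recipient is given as a full key fingerprint instead of an e-mail address.

```shell
#!/bin/sh
# Added example. Function names, paths and the bucket are assumptions.
set -eu

# encrypt_backup SRC_DIR OUT_FILE RECIPIENT_FINGERPRINT
# Runs on the backup host, which needs only the recipient's PUBLIC key.
# tar streams straight into gpg, so no plaintext archive is written to disk.
encrypt_backup() {
    src=$1; out=$2; fpr=$3; ok="$out.tar-ok"
    rm -f "$ok"
    # --batch: never prompt (cron has no terminal).
    # --trust-model always: an imported public key has no validity set, and
    # in batch mode gpg would otherwise refuse to encrypt to it. Pinning the
    # full fingerprint keeps this from matching some other key by e-mail.
    { tar -czf - -C "$src" . && : > "$ok"; } |
        gpg --batch --yes --trust-model always \
            --recipient "$fpr" --output "$out" --encrypt ||
        { rm -f "$ok" "$out"; return 1; }
    # A POSIX pipeline reports only gpg's exit status, so tar leaves a
    # marker on success; without it the ciphertext is incomplete.
    if [ -e "$ok" ]; then rm -f "$ok"; else rm -f "$out"; return 1; fi
}

# restore_backup IN_FILE DEST_DIR
# Runs on the machine that holds the PRIVATE key.
restore_backup() {
    mkdir -p "$2"
    gpg --quiet --decrypt "$1" | tar -xzf - -C "$2"
}

# Cron usage (constructed values):
#   encrypt_backup /var/www /var/backups/www.tar.gz.gpg "$FPR" &&
#       aws s3 cp /var/backups/www.tar.gz.gpg s3://example-backup-bucket/
```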

2 Answers

2

Check out s3cmd. There is an option to encrypt files on the client side (using keys that are managed on the client side), then copy or sync the encrypted files to s3 buckets.

mti2935
1

I know it's not specifically your question, but S3 has an inbuilt ability to encrypt/decrypt already, and it's probably a better solution.

Here's how it works: when you upload the data to S3, you specify a KMS key to encrypt the data. Ensure the IAM role assigned to your Ubuntu machine has the right permissions to do the encryption, namely kms:Encrypt.

Then for downloading and decrypting this data, ensure that the downloading machine has the right permission to decrypt it, namely kms:Decrypt.

This is, of course, above and beyond the necessary permissions to download/upload the file to the bucket.

This ensures that data is viewable only to the party that has the right permission (AWS Credentials) to both download & decrypt the file -- without the need for client-side encryption that can get both messy and insecure.

keithRozario
  • 2
    This is a convenient solution, but it's important to understand that with this solution, Amazon has the ciphertext, and they have the key to decrypt the ciphertext. Therefore, Amazon has the ability to access the plaintext information. If you're looking for a solution where Amazon would have zero-access to the plaintext information, then it's necessary to encrypt the information on the client-side, and manage your own keys, and upload only the ciphertext (as the OP describes in his question). – mti2935 May 26 '20 at 14:38
  • @mti2935 is right, in this method, the key is never revealed to clients (upload or download), and AWS will have the ability to decrypt. There are two options if you want to go down the rabbit hole. Option 1, use the Customer Provided Customer Master Key, where you generate the key to be used -- but this is still stored on AWS. Option 2, there is a legacy-ish option of Customer Provided Encryption Key. Link here: https://aws.amazon.com/blogs/developer/amazon-s3-server-side-encryption-with-customer-provided-keys/ . – keithRozario May 27 '20 at 07:44