Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Encrypting a gzip file

  • 17-02-2011 2:12pm
    #1
    Registered Users, Registered Users 2 Posts: 6,571 ✭✭✭


    I have written a script to backup a MySQL db. I use mysqlbackup and it generates a large .sql file (~170MB). This gzips down to 15MB.
    I then push the file to Amazon S3.

    While the files on S3 are private, I really need to encrypt them prior to upload.

    I am using PHP 5.2.17; mycrypt 2.5.8 is built in; I can run system(); there are a few PEAR5 Crypt modules available.

    Any suggestions on what route I should take?


Comments

  • Registered Users, Registered Users 2 Posts: 413 ✭✭ianhobo


    What do you do with the files after? (Sorry not, familiar with the amazon service)

    Do you use PGP or GPG?

    "gpg4win" is a software privacy tool which will (among other things) allow you to encrypt any file you want. It has various methods, depending on what you want to do with the file - share it, store it etc etc

    Obviously this is a manual solution, sorry if your looking for a auto/script solution :( can't think of anything right now


  • Registered Users, Registered Users 2 Posts: 6,571 ✭✭✭daymobrew


    ianhobo wrote: »
    What do you do with the files after? (Sorry not, familiar with the amazon service)
    Amazon S3 (Simple Storage Service) is just a place for me to put the backup files. They will only be needed if the db gets trashed.
    ianhobo wrote: »
    Do you use PGP or GPG?

    "gpg4win" is a software privacy tool which will (among other things) allow you to encrypt any file you want. It has various methods, depending on what you want to do with the file - share it, store it etc etc

    Obviously this is a manual solution, sorry if your looking for a auto/script solution :( can't think of anything right now
    I do need a scriptable solution. And one on the Unix box where the db is.


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    Create a file containing a password. Readable only by backup user.

    tar zcvf - databasefile.sql | openssl enc -aes-256-cbc -salt -pass file:./password.txt > databasefile.tar.gz.aes

    to decrypt (overwriting the file databasefile.sql already in this directory)

    dd if=databasefile.tar.gz.aes | openssl enc -d -aes-256-cbc -pass file:./password.txt | tar zxvf -

    tar zcvf means create a compressed tarball
    the openssl bit is using the aes-256 cipher block chaining routine to encrypt your data, using the contents of password.txt as the passkey.

    Note that cbc means that a single bit of corruption means that the entire file is unreadably corrupt so keeping a multiple copies is recommended. It also does not work in parallel so will use only one core of your CPU I think.


  • Moderators, Technology & Internet Moderators Posts: 1,336 Mod ✭✭✭✭croo


    doesn't gpg automatically compress text files as part of the encryption process?


  • Registered Users, Registered Users 2 Posts: 2,781 ✭✭✭amen


    a bit off post:
    encrypting and backups are good but what exactly is in the data base that you want encrypted? for instance if its credit numbers you may be out of compliance with PCI.

    you also need to be careful where your data is stored on Amazon S3. If the data is stored in USA AmazonS3 and you have european users/customer details you could be breaking data protection laws.

    Can you connect to S3 securely ? Better to send the backup over a secure connection that across a non secure one


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 6,571 ✭✭✭daymobrew


    amen wrote: »
    a bit off post:
    encrypting and backups are good but what exactly is in the data base that you want encrypted? for instance if its credit numbers you may be out of compliance with PCI.
    It is not credit card numbers. It is online chat history of confidential conversations.
    amen wrote: »
    you also need to be careful where your data is stored on Amazon S3. If the data is stored in USA AmazonS3 and you have european users/customer details you could be breaking data protection laws.
    True - I chose the Ireland location for this reason.
    amen wrote: »
    Can you connect to S3 securely ? Better to send the backup over a secure connection that across a non secure one
    Good idea.


  • Registered Users, Registered Users 2 Posts: 2,781 ✭✭✭amen


    It is online chat history of confidential conversations.

    is the conversation data encrypted as well? If not it ain't confidential


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    ressem wrote: »
    Create a file containing a password. Readable only by backup user.

    tar zcvf - databasefile.sql | openssl enc -aes-256-cbc -salt -pass file:./password.txt > databasefile.tar.gz.aes

    to decrypt (overwriting the file databasefile.sql already in this directory)

    dd if=databasefile.tar.gz.aes | openssl enc -d -aes-256-cbc -pass file:./password.txt | tar zxvf -

    tar zcvf means create a compressed tarball
    the openssl bit is using the aes-256 cipher block chaining routine to encrypt your data, using the contents of password.txt as the passkey.

    Note that cbc means that a single bit of corruption means that the entire file is unreadably corrupt so keeping a multiple copies is recommended. It also does not work in parallel so will use only one core of your CPU I think.



    I second the recommendation of using openssl to aes encrypt the backups; have deployed this before, its not a bad way to go at all.


  • Registered Users, Registered Users 2 Posts: 6,571 ✭✭✭daymobrew


    amen wrote: »
    is the conversation data encrypted as well? If not it ain't confidential
    Livezilla live chat is being used with the chat transcripts stored in MySQL. Livezilla supports SSL but I don't know if it has been enabled. I will raise this with the Livezilla admin.

    The service that is using Livezilla is a support service for people with depression. They can live chat with someone for support. That is what I mean by "confidential"


Advertisement