Secure Cloud Data Backups using Python, Tar and GPG

The Cloud (aka another dude’s computer) is a great place to back up your data and files, making your life easier and your technical resources more accessible.  It can also be extremely dangerous if you don’t take steps to protect your privacy.  Here’s one way to securely handle data and file backups to the Cloud on Linux/UNIX-like computers.

I’ve written a small Python tool which will do this for you, calling the GNU tar utility to archive the data/directories you want backed up and GPG to encrypt them.  They are then copied to a local location and dated, with the intention that the local destination is some kind of networked Cloud share like a Dropbox, Google Drive or similar backed mount.

How it Works
You’ll need to have GPG set up on your system already. I won’t cover this here, but there are great guides available on the web.

Find the KeyID(s) that you’d like to be able to open the files. It will be in a format like the one below; note the string 07BC7E81, which is the GPG KeyID we are encrypting for in our example.

gpg --list-keys will@example.com
pub 1024D/07BC7E81 2008-08-18
uid Will Foster <will@example.com>
uid Will Foster <wfoster@example.com>
sub 2048g/E3886BC8 2008-08-18

Get the Program

curl https://raw.githubusercontent.com/sadsfae/misc-scripts/master/python/backup-file.py \
> backup-file.py && chmod +x backup-file.py

Run the Program
--recipient = Your target GPG KeyID, e.g. 07BC7E81
--data = What you want to back up (dir, files)
--backup = Local location to back things up to (could be Google Drive, Dropbox, Amazon S3, etc.)
--verbose = on/off, optional

# python backup-file.py --recipient 07BC7E81 --data ~/Templates --backup Dropbox/backup/ --backupname Templates_backup --verbose on
verbosity turned on
Recipient: 07BC7E81
Data: /home/wfoster/Templates
Backup To: Dropbox/backup/
Backup Name: Templates_backup-201508081351
tar: Removing leading `/' from member names
/home/wfoster/Templates/
/home/wfoster/Templates/Presentation Backgrounds/
/home/wfoster/Templates/Presentation Backgrounds/summitblue.otp
/home/wfoster/Templates/groupuinames.xml

Our target data is both archived and encrypted, and only the KeyID(s) you specified can open it!
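
As an added illustration (not the code of backup-file.py), this Python sketch shows one way to do the archive-and-encrypt step described above: tar streams straight into gpg, so no unencrypted archive is ever written to the synced folder. The function names, the hex-only key ID check and the choice of tar/gpg options are assumptions of this example.

```python
import re
import subprocess
from datetime import datetime
from pathlib import Path

# Assumption: recipients are hex key IDs (8 or 16 digits) or 40-digit fingerprints.
KEYID_RE = re.compile(r"(?:[0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})")


def backup_path(backup_dir, name, now=None):
    """Dated output path, e.g. Templates_backup-201508081351.tar.gz.gpg."""
    stamp = (now or datetime.now()).strftime("%Y%m%d%H%M")
    return Path(backup_dir) / f"{name}-{stamp}.tar.gz.gpg"


def build_commands(recipient, data, out_path):
    """Return (tar argv, gpg argv) as lists so no shell ever parses user input."""
    if not KEYID_RE.fullmatch(recipient):
        raise ValueError(f"not a hex key ID or fingerprint: {recipient!r}")
    # "-f -" sends the archive to stdout; "--" stops a path like "-x" being read as an option.
    tar_cmd = ["tar", "-czf", "-", "--", str(data)]
    # With no input file named, gpg encrypts whatever arrives on stdin.
    gpg_cmd = ["gpg", "--batch", "--yes", "--recipient", recipient,
               "--output", str(out_path), "--encrypt"]
    return tar_cmd, gpg_cmd


def run_backup(recipient, data, backup_dir, name):
    """Stream tar into gpg; only ciphertext is written under backup_dir."""
    out = backup_path(backup_dir, name)
    tar_cmd, gpg_cmd = build_commands(recipient, data, out)
    tar = subprocess.Popen(tar_cmd, stdout=subprocess.PIPE)
    gpg = subprocess.Popen(gpg_cmd, stdin=tar.stdout)
    tar.stdout.close()  # gpg now holds the only read end, so tar stops if gpg dies
    gpg_rc, tar_rc = gpg.wait(), tar.wait()
    if tar_rc or gpg_rc:
        out.unlink(missing_ok=True)  # never leave a truncated backup that looks valid
        raise RuntimeError(f"backup failed (tar={tar_rc}, gpg={gpg_rc})")
    return out
```

Checking both exit codes matters here: a tar failure halfway through still yields a file that `file` reports as GPG encrypted data.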

But Cloud?!?
The location in --backup can be a mounted Google Drive, Dropbox or some other remote Cloud storage provider.  Certainly you don’t trust a 3rd party with your sensitive data, do you? Good, we didn’t think so, and lucky for you it’s encrypted.

# file Dropbox/backup/Templates_backup-201508081351.tar.gz.gpg 
Dropbox/backup/Templates_backup-201508081351.tar.gz.gpg: GPG encrypted data

Another option is to commit your backups to a remote git repository.
I would suggest something like Bitbucket over GitHub, as it offers free private repositories whereas GitHub charges you for private repos.  You certainly don’t want others to be able to clone your encrypted data and attack it locally, or store it and wait for some kind of GPG exploit to show up.

Here’s the GitHub code.

About Will Foster

hobo devop/sysadmin/SRE