Creating Secure Backups With GnuPG
by Mark Woodstone - Tuesday, 16 March 2004.
I'm working for a relatively large Internet Presence Provider (IPP) that servs about 4000 clients from about 30 countries worldwide. Besides a chunk of e-mails to our support regarding viruses, leaching and insecure Perl/PHP scripts, I've seen a number of questions related to securely downloading backups.

With the proliferation of open public wireless networks, more and more of our clients wanted to use the possibilities of freely downloading hundreds of megabytes of their private data. This data included compressed files containing web sites, databases, scripts and even e-commerce credit card depositories. Don't get me wrong - secure backups aren't in any way solely concentrated to wireless networks, but we usually presume that our fixed line connections are secure from prying eyes. From the disclaimer point of view - every business data that is transferred from spot A to spot B, should be decently encrypted.

As the majority of our users are hosted on Linux and BSD servers but are not very keen to system administration, this article should be of interest mainly to this type of readers.

Server perspective #1

GnuPG is a complete and free replacement for PGP. It is a valuable piece of software that is very easy to use and will serve our purpose for covering the topic of secure backups. I won't got into details in installing GnuPG as there are number of good installation guides around that pretty much cover this topic (, and Depending on your server and administrator, GnuPG will be ither pre-installed, installed after bugging the administrator or installed by yourself if you have sufficient local privileges.

Client perspective #1

Installation on the client's machine is the same as on the server as we are not talking about client/server infrastructure, but should rather consider the server as a friend with whome you'll do a secure transfer. The only thing you should do is to export your public key from the client's computer and import it on your server. This is easily done on these two ways:

[cron@enberg]$ gpg --export -a "Mark Woodstone"


[cron@enberg]$ gpg --export -a "Mark Woodstone" > /tmp/gpg.key

As you could probably figure out by yourself, the first example flushes your GPG key to the screen for some copy/pasting and the second one saves it to the gpg.key file in /tmp folder. If you have a fresh installation of GnuPG, you should first create your own key by using gpg --gen-key.

Server perspective #2

Now when you transferred your GPG key to the server, it is time to import it into local GnuPG copy running there. It is done on this way and generates the following message.

[battle@royale]$ gpg --import /tmp/client-gpg.key

gpg: Warning: using insecure memory!

gpg: please see for more information

gpg: /www/site2111/.gnupg/trustdb.gpg: trustdb created

gpg: key A360769C: public key imported

gpg: Total number processed: 1

gpg: imported: 1

Now when the server has the client's public key, it is time to encrypt data (in this situation a mysql dump) that is scheduled for transfer to the client's computer.

[battle@royale]$ gpg --encrypt -r "Mark Woodstone" mysql-dump-2004_34.txt.gz

[battle@royale]$ ls -al

-rw-rw-r-- 1 hosting hosting 38147486 Mar 4 12:24 mysql-dump-2004_34.txt.gz.gpg


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th