What are my options for encrypting backups sent to remote destinations

Operating System & Version
CentOS 7.9
cPanel & WHM Version
92.0.6

martin MHC

Well-Known Member
Sep 14, 2016
214
35
28
UK
cPanel Access Level
Root Administrator
We have regular backups generated on the WHM server and these are sent as .tar.gz files to an external depository.

There is a lot of talk on the forums about encrypting the transportation connection, but not much about encrypting the actual .tar.gz files themselves, This means that when the backup file is delivered to the other end, anyone with access to that account (Amazon / Google Drive / etc. ) have unhindered access to the backup of the entire account details and email.

I would be looking for some sort of locking mechanism on the .tar.gz generated files (perhaps using the password that is set for the account on WHM) or even better using a GPG encryptor such as Kleopatra. This would mean that anyone that has access to the depository account (Amazon / Google Drive / etc. ) does not automatically have access to the entire file/email/SQL readout of any backed up account.

I have had a look at this and can't see anything, ANYTHING that looks to do this, are there any options here?
 
Last edited by a moderator:

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
616
198
343
cPanel Access Level
DataCenter Provider
As far as I know, cPanel backups can't do this. If you want to use JetBackup you 'kind of' can. If you have GDRP enabled you can set an encryption key for each account. You then need the encryption key to restore the account.
 

martin MHC

Well-Known Member
Sep 14, 2016
214
35
28
UK
cPanel Access Level
Root Administrator
@ffeingol is correct - there isn't a good automated way to do this with any of the tools we have included (cPanel backups) or support (JetBackup)
Would there be a mechanism whereby I could edit a file and include a perl script to do this (I am quite competent with Perl) ; for example maybe editing the core CPanel backup routine to add a encryption mechanism via Perl command line? (at my own risk of course)
 

martin MHC

Well-Known Member
Sep 14, 2016
214
35
28
UK
cPanel Access Level
Root Administrator
Possibly? The only thing I would mention with that work is that cPanel would replace any customizations made to core files as part of the nightly update.
I fully realise this, and this could potentially raise its own problems if CPanel makes significant changes to that codebase. Hmmm..... I will submit a feature request for this. adding PGP or similar encryption to .tar.gz file creation is extremely easy and as I said, using the existing password for the account would mean the password is consistent and not nessecarily known to the employees or owners of the destination storage location.

Cheerrs