This utility generates a compressed, secure, single-file backup of highly sensitive data, e.g. encryption keys, API keys, etc.
It does this with a combination of tar (with and without xz compression) and GPG:
- For each discrete directory and/or file, generate an xz-compressed tarball
- GPG-encrypt the aforementioned tarball; you may choose to encrypt each discrete tarball one of two ways:
  - Asymmetrically: you may choose which GPG recipients (via email or key ID) may decrypt all discrete tarballs
  - Symmetrically: you may choose a passphrase for each discrete tarball
- All discrete tarballs are `tar`'d into a single (uncompressed) tarball
- The final tarball is `chmod`'d to `0600` and is ready to be safely stored wherever
- Clone the git repo where you want to run the tool from (e.g. `~/.backup`):

```sh
git clone git@github.com:bryanchriswhite/.backup ~/.backup  ## Replace "~/.backup" with the desired destination (optional)
cd !!:3  ## Change directory to the destination (for subsequent steps [optional])
```
- Copy the `config.example` file to `config`:

```sh
cp config.example config
```

- Modify the newly created `config` file's variables to suit your requirements; see the configure section below
- Add the `bin` directory to your path:

```sh
echo 'PATH=$PATH:~/.backup/bin # Assumes clone destination is `~/.backup`' >> ~/.bashrc  # Or .zshrc, etc.
```
NOTE: the file `bin/.backup` is a symlink, so you may rename the command available via your path simply by renaming this file.
The `config` file contains the following variables:

| Variable Name | Purpose | Example |
|---|---|---|
| `BACKUP_OUTPUT_DIR` | Destination where the final tarball will be output (NOTE: must not have a trailing `/`) | `$HOME/.backup/output` |
| `BACKUP_OUTPUT_FILE` | Final output tarball filename | `.keys_backup.tar` |
| `RECIPIENTS` | Space-delimited list of email addresses or GPG key IDs to be used for all asymmetric encryption of discrete tarballs | `bryanchriswhite@gmail.com bryan@liminal.ly` (NOTE: space delimited) |
| `SIGNEE` | Email address (or key ID) of the private key used to sign both asymmetrically and symmetrically encrypted discrete tarballs (only one signature can be used for all tarballs) | `bryanchriswhite@gmail.com` |
| `ASYM_INPUTS` | Newline-delimited list of all discrete directories/files to be `tar`'d, compressed, and asymmetrically encrypted in step 1 (such that `RECIPIENTS` are able to decrypt them) | `$HOME/.ssh` `$HOME/.aws` `$HOME/.password-store` (NOTE: newline delimited, one path per line) |
| `SYM_INPUTS` | Newline-delimited list of all discrete directories/files to be `tar`'d, compressed, and symmetrically encrypted in step 1 using a passphrase (you will be prompted to enter a passphrase for each discrete directory/file, i.e. for each line in this multi-line variable) | `$HOME/.gnupg` (NOTE: newline delimited, one path per line) |
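The pipeline described at the top of this README and the config variables in the table above are easiest to see together as working shell. The script below is an added example and is not the project's own `bin/.backup`: the function names, the temporary work-directory layout, the constructed sample config with placeholder recipients, and the assumption that input paths contain no whitespace are all mine, not the project's.

```sh
#!/bin/sh
# Added example, not the project's script: a minimal reimplementation of the
# README's pipeline (per-input xz tarball -> GPG encrypt+sign -> one uncompressed
# tarball chmod 0600), driven by the same config variables the table describes.
# Function names, work-dir layout and the sample config are assumptions.
set -eu

# Write a constructed config showing the space- vs newline-delimited syntax.
# Recipients and signee are placeholders. Usage: write_sample_config <path>
write_sample_config() {
    cat > "$1" <<'EOF'
BACKUP_OUTPUT_DIR="$HOME/.backup/output"          # no trailing slash
BACKUP_OUTPUT_FILE=".keys_backup.tar"
RECIPIENTS="alice@example.org bob@example.org"    # placeholders, space delimited
SIGNEE="alice@example.org"                        # placeholder signing key
ASYM_INPUTS="$HOME/.ssh
$HOME/.aws"                                       # newline delimited, one path per line
SYM_INPUTS="$HOME/.gnupg"
EOF
}

# Stage 1: one xz-compressed tarball per discrete input. Paths are stored
# relative to the input's parent so a restore never writes to absolute paths.
# Usage: make_tarball <input> <absolute-work-dir>   (prints the tarball path)
make_tarball() {
    name=$(basename "$1")
    tar -C "$(dirname "$1")" -cJf "$2/$name.tar.xz" "$name"
    printf '%s\n' "$2/$name.tar.xz"
}

# Stage 2a: encrypt to every recipient and sign with the SIGNEE key.
# Usage: encrypt_asym <tarball> <signee> <recipient>...
encrypt_asym() {
    tb=$1; signee=$2; shift 2
    rargs=""
    for r in "$@"; do rargs="$rargs -r $r"; done
    # $rargs is intentionally unquoted: recipients contain no whitespace
    gpg --yes --local-user "$signee" --sign --encrypt $rargs -o "$tb.gpg" "$tb"
    printf '%s\n' "$tb.gpg"
}

# Stage 2b: passphrase-protected; gpg prompts once per tarball, as the README says.
# Usage: encrypt_sym <tarball> <signee>
encrypt_sym() {
    gpg --yes --local-user "$2" --sign --symmetric -o "$1.gpg" "$1"
    printf '%s\n' "$1.gpg"
}

# Stage 3: append each member to one uncompressed tar, then lock it down to 0600.
# Usage: bundle_tarballs <final-tar> <member>...
bundle_tarballs() {
    final=$1; shift
    mode=-cf
    for f in "$@"; do
        tar $mode "$final" -C "$(dirname "$f")" "$(basename "$f")"
        mode=-rf
    done
    chmod 0600 "$final"
}

# Driver: source the config, process both input lists, bundle, scrub plaintext.
# Usage: run_backup <config-path>
run_backup() {
    . "$1"
    umask 077                      # intermediates and output dir are private from creation
    work=$(mktemp -d)
    members="$work/.members"
    : > "$members"
    printf '%s\n' "$ASYM_INPUTS" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        encrypt_asym "$(make_tarball "$p" "$work")" "$SIGNEE" $RECIPIENTS >> "$members"
    done
    printf '%s\n' "$SYM_INPUTS" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        encrypt_sym "$(make_tarball "$p" "$work")" "$SIGNEE" >> "$members"
    done
    mkdir -p "$BACKUP_OUTPUT_DIR"
    # member paths live under mktemp and are whitespace-free, so word splitting is safe
    bundle_tarballs "$BACKUP_OUTPUT_DIR/$BACKUP_OUTPUT_FILE" $(cat "$members")
    # the plaintext .tar.xz intermediates never leave the work dir
    rm -rf "$work"
}
```

Run it as `run_backup ./config` after sourcing the file; `umask 077` is the one deliberate addition over the README's description, so that the plaintext intermediates are never world-readable even for the moment before they are encrypted and deleted.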
Now that you've configured your installation you may simply run the script:

```sh
.backup  # Or whatever you renamed `bin/.backup` to
```

You may need to give yourself execute permission on the `bin/.backup` file:

```sh
chmod u+x bin/.backup
```

(still assuming you cloned into `~/.backup` and are `cd`'d there)