Introduction
Encrypting your FreeBSD backups is crucial for protecting sensitive data from unauthorized access. This guide will walk you through various methods to encrypt your backups, ensuring that your data remains secure both at rest and during transmission.
1. Using GPG for File Encryption
GNU Privacy Guard (GPG) is a versatile tool for encrypting individual files or archives:
1.1 Encrypting a backup file
# Encrypt a tar archive
$ tar czf - /path/to/backup | gpg --symmetric --cipher-algo AES256 -o backup.tar.gz.gpg
# Decrypt the backup
$ gpg -d backup.tar.gz.gpg | tar xzf -
1.2 Using GPG with public key encryption
# Generate a key pair if you haven't already
$ gpg --full-generate-key
# Encrypt using the recipient's public key (recipient@example.com is a placeholder
# for the recipient's key ID or e-mail address; output goes to backup.tar.gz.gpg)
$ gpg --encrypt --recipient recipient@example.com backup.tar.gz
# Decrypt (requires your private key)
$ gpg --decrypt backup.tar.gz.gpg > backup.tar.gz
Tip: Always keep your private key secure and never share it. Consider using a hardware security key for added protection.
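As an added example (not part of the original guide), the following script turns the tar | gpg pipeline from section 1.1 into a non-interactive job and adds the restore test that section 6 recommends. The paths /root/.backup-pass and /var/backups/encrypted are assumed defaults, and the script refuses to use a passphrase file that group or other users can read.

```sh
#!/bin/sh
# Added example, not from the original guide: a non-interactive version of the
# tar | gpg pipeline from section 1.1 that also performs the test restore
# recommended in section 6. Hypothetical paths: the passphrase is read from
# /root/.backup-pass (mode 0600) and archives are written to /var/backups/encrypted.
set -eu

PASS_FILE="${PASS_FILE:-/root/.backup-pass}"
OUT_DIR="${OUT_DIR:-/var/backups/encrypted}"

# Refuse to run with a passphrase file that group or others can read:
# the encryption is only as private as this file.
check_pass_file() {
    [ -f "$1" ] || { echo "passphrase file $1 missing" >&2; return 1; }
    if [ "$(ls -l "$1" | cut -c5-10)" != "------" ]; then
        echo "passphrase file $1 is readable by group or others" >&2
        return 1
    fi
    return 0
}

# encrypt_backup SOURCE_DIR OUTPUT_FILE
# --batch and --pinentry-mode loopback let gpg take the passphrase from the
# file instead of prompting, which is what a cron job needs.
encrypt_backup() {
    check_pass_file "$PASS_FILE"
    tar czf - -C "$(dirname "$1")" "$(basename "$1")" \
        | gpg --batch --yes --quiet --symmetric --cipher-algo AES256 \
              --pinentry-mode loopback --passphrase-file "$PASS_FILE" -o "$2"
}

# verify_backup SOURCE_DIR ENCRYPTED_FILE
# Decrypts into a scratch directory and compares it with the source tree;
# returns 0 only when every file restores byte-for-byte.
verify_backup() {
    scratch="$(mktemp -d)"
    gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$PASS_FILE" \
        -d "$2" | tar xzf - -C "$scratch"
    if diff -r "$1" "$scratch/$(basename "$1")" >/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return "$rc"
}

# Command-line entry point, e.g. from cron:
#   encbackup.sh /usr/home/data
# writes $OUT_DIR/data-YYYYmmdd.tar.gz.gpg and fails loudly if it does not restore.
if [ -n "${1:-}" ]; then
    mkdir -p "$OUT_DIR"
    out="$OUT_DIR/$(basename "$1")-$(date +%Y%m%d).tar.gz.gpg"
    encrypt_backup "$1" "$out"
    verify_backup "$1" "$out" || { echo "restore test FAILED for $out" >&2; exit 1; }
    echo "backup written and verified: $out"
fi
```

The verification step is deliberately a full decrypt-and-diff rather than a checksum of the ciphertext: a checksum proves the file was not corrupted in storage, but only a restore proves the passphrase file and the archive together still yield the original data.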
2. Disk-Based Encryption with GELI
GELI is FreeBSD's disk encryption subsystem, useful for encrypting entire disks or partitions:
# Initialize GELI on a partition (-s 4096 sets a 4 KiB sector size, -l 256 selects
# a 256-bit key for the default AES-XTS cipher; you will be prompted for a passphrase)
$ geli init -s 4096 -l 256 /dev/da0p1
# Attach the encrypted provider
$ geli attach /dev/da0p1
# Create a filesystem on the encrypted provider
$ newfs /dev/da0p1.eli
# Mount the encrypted filesystem
$ mount /dev/da0p1.eli /mnt/encrypted_backup
Warning: Losing the GELI key will make your data irrecoverable. Always keep secure backups of your encryption keys.
3. ZFS Encryption
If you're using ZFS, you can take advantage of its native encryption capabilities:
# Create an encrypted ZFS dataset
$ zfs create -o encryption=on -o keyformat=passphrase zroot/encrypted_backup
# Backup to the encrypted dataset
$ zfs send zroot/data@snapshot | zfs recv zroot/encrypted_backup/data
# Unmount and unload the key when not in use
$ zfs unmount zroot/encrypted_backup
$ zfs unload-key zroot/encrypted_backup
Tip: Consider using a key file instead of a passphrase for automated backups. Ensure the key file itself is properly secured.
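The key-file variant mentioned in the tip above, as an added example that is not from the original guide. It uses ZFS's raw key format (exactly 32 bytes) with the keylocation property pointing at the file, so a scheduled job can load the key without a prompt. The key path /root/keys/backup.key and the dataset name zroot/encrypted_backup are assumptions; the setup, open and close actions must be run as root on the FreeBSD host, while check_key_file runs anywhere.

```sh
#!/bin/sh
# Added example, not from the original guide: an encrypted backup dataset keyed
# by a raw 32-byte key file instead of a passphrase, so cron jobs can load the
# key without a prompt. Assumed (hypothetical) paths: the key lives in
# /root/keys/backup.key and the dataset is zroot/encrypted_backup.
set -eu

KEY_FILE="${KEY_FILE:-/root/keys/backup.key}"
DATASET="${DATASET:-zroot/encrypted_backup}"

# keyformat=raw needs exactly 32 bytes, and the key must not be readable by
# anyone but its owner. Returns 0 when both hold.
check_key_file() {
    [ -f "$1" ] || { echo "key file $1 missing" >&2; return 1; }
    if [ "$(wc -c < "$1" | tr -d ' ')" -ne 32 ]; then
        echo "key file $1 is not 32 bytes" >&2
        return 1
    fi
    if [ "$(ls -l "$1" | cut -c5-10)" != "------" ]; then
        echo "key file $1 is readable by group or others" >&2
        return 1
    fi
    return 0
}

# One-time setup: generate the key, lock down its directory, and create the
# dataset with the key-file location recorded in its keylocation property.
create_key_and_dataset() {
    mkdir -p "$(dirname "$KEY_FILE")"
    chmod 700 "$(dirname "$KEY_FILE")"
    dd if=/dev/random of="$KEY_FILE" bs=32 count=1 2>/dev/null
    chmod 600 "$KEY_FILE"
    check_key_file "$KEY_FILE"
    zfs create -o encryption=aes-256-gcm -o keyformat=raw \
        -o keylocation="file://$KEY_FILE" "$DATASET"
}

# Before a backup run: load the key if it is not already loaded, then mount.
open_dataset() {
    check_key_file "$KEY_FILE"
    if [ "$(zfs get -H -o value keystatus "$DATASET")" != "available" ]; then
        zfs load-key "$DATASET"
    fi
    if [ "$(zfs get -H -o value mounted "$DATASET")" != "yes" ]; then
        zfs mount "$DATASET"
    fi
}

# After the run: unmount and drop the key from memory, as in section 3.
close_dataset() {
    zfs unmount "$DATASET"
    zfs unload-key "$DATASET"
}

case "${1:-}" in
    setup) create_key_and_dataset ;;
    open)  open_dataset ;;
    close) close_dataset ;;
esac
```

Because the key file is what now unlocks the dataset, it should live outside the backup itself and be backed up separately, exactly as the tip says: a copy of the encrypted dataset without the key is unreadable, and a key file sitting world-readable next to it undoes the encryption.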
4. Encrypted Backups to Remote Locations
4.1 Using scp with GPG
# Encrypt and transfer in one command: the archive is encrypted locally and
# streamed over ssh, so no plaintext is written on the remote host
$ tar czf - /path/to/backup | gpg --symmetric --cipher-algo AES256 | ssh user@remote 'cat > backup.tar.gz.gpg'
4.2 Using rsync with encrypted tunnel
# Use rsync over an SSH connection
$ rsync -avz -e ssh /path/to/backup/ user@remote:/path/to/destination/
Note: SSH protects the data only in transit. rsync writes ordinary files on the remote side, so if the backup must also be encrypted at rest, the destination should itself be an encrypted filesystem (for example a GELI or ZFS-encrypted volume as in sections 2 and 3).
5. Encrypting Backups to Cloud Storage
5.1 Using rclone with encryption
# Configure rclone: add a remote for the cloud provider, then a second remote of
# type "crypt" that wraps it and encrypts file contents (and optionally names) before upload
$ rclone config
# Sync to encrypted remote
$ rclone sync /local/path encrypted-remote:backup
5.2 Using restic
restic is a backup program that encrypts every repository by default; the password you enter at init time protects all data stored in it:
# Initialize a restic repository (you will be prompted for the repository password)
$ restic init --repo /path/to/backup
# Backup files
$ restic -r /path/to/backup backup /data/to/backup
# Restore files
$ restic -r /path/to/backup restore latest --target /path/to/restore
6. Best Practices for Encrypted Backups
- Use strong, unique passwords or passphrases for each encrypted backup
- Regularly rotate encryption keys and update passwords
- Store encryption keys and passphrases securely, separate from the backups
- Test decryption and restoration processes regularly
- Consider using multiple encryption methods for critical data
- Keep encrypted backups in geographically diverse locations