Database backups on Engine Yard Cloud can be encrypted with the PGP public keys of your choice.
This feature uses GNU Privacy Guard, which is an implementation of the OpenPGP standard. GnuPG is a command line tool that allows you to encrypt and sign your data and communications using a key management system and provides access modules to public key directories.
You need to be using the January 22, 2013 stack release (or later) before you can use this feature. Remember that every environment associated with your app must be upgraded.
Get started with PGP encrypted database backups
This document describes how to use PGP encrypted database backups in the Engine Yard Cloud environment:
- Enable the encrypted database backup feature
- Configure encrypted database backups
- Restore from an encrypted database backup
Enable the encrypted database backup feature
You need to enable the Early Access feature before you can participate in the program.
To enable the encrypted database backup Early Access
Log in to your Engine Yard Cloud account.
On the dashboard, click Tools > Early Access on the toolbar.
Next to the Encrypted db backups feature, click Enable.
The related functionality becomes available.
Configure encrypted database backups
Important: You need to upgrade to the January 22nd stack release (or later) before you can use this feature. We recommend testing the upgrade in a staging environment before applying these changes in your production environment.
Run the following commands on your local machine.
To configure encrypted database backups
If you don't already have GnuPG installed, you'll need to download and install it from: http://www.gnupg.org/download/
Generate the PGP key pair:
This is an interactive process and you will be prompted for several pieces of information. For most elements, the defaults are fine. You will need to provide: name, email, comment, and a passphrase.
From the command line:
GnuPG generates the PGP key pair (key pair: secret and public key).
Securely store or share the PGP secret key with members of your team. It might be helpful to also leave a copy of this on the EBS volume
'/db'. This must be completed before applying the changes to the application.
Warning: Do not store this only on the instance; once this change is in place, this is the ONLY way to decrypt the backups.
gpg --export-secret-keys > keyfile.sec
Verify the key generation by listing the keys:
domU-1234-64-A5 tmp # gpg --list-keys /home/deploy/.gnupg/pubring.gpg ------------------------ pub 1024D/1EE09942 2013-01-23 uid Tyler EY (This left intentionally blank) <email@example.com> sub 2048g/D578814D 2013-01-23
Export the PGP public key by using the email address specified in the key generation:
gpg --export -a [firstname.lastname@example.org]
This exports the PGP public key to the command line. You can now use the key in Engine Yard Cloud.
Copy the entire content of the key from the command line including the ---- lines at the beginning and the end.
Navigate to the Application > Edit Application page.
Paste the key into GnuPG Public Key for Backups.
Click Update Application.
Once the app update completes, the regularly scheduled backups will be encrypted automatically.
Note: If you manually run backup from the command line, that backup will not automatically be encrypted unless you run the command as the root user, and with the same syntax as used by the root user crontab. (The GPG key is installed only under the root user by default.)
Restore from an encrypted database backup
You use the standard download and import methods. For an encrypted database backup, there is one additional step: decrypt the backup.
Use a machine that has the secret GnuPG key on it and follow these steps.
To extract an encrypted database backup
Use the eybackup database backup tool to download the database you need.
Import the secret key from the keyfile:
gpg --import keyfile.sec
Decrypt the database backup.
gpg -d [backup_filename]sql.gpz > [backup_filename].sql
gpg -d [backup_filename].dump.gpz > [backup_filename].dump
This backup file can now be used locally or uploaded back to your instances for a restore.
|For more information about...||See...|
|How to download a backup file||View and download database backups.|
|How to import the database||Restore or load a database.|
|SSHing into an instance||Connect to your instance via SSH.|
|Finding the password for your database||Find key information about your database.|
|GnuPG||GnuPG.org documentation sources.|