Use PGP Encrypted Database Backups with Engine Yard Cloud

Database backups on Engine Yard Cloud can be encrypted with the PGP public keys of your choice.

This feature uses GNU Privacy Guard, which is an implementation of the OpenPGP standard. GnuPG is a command line tool that allows you to encrypt and sign your data and communications using a key management system and provides access modules to public key directories.

Prerequisite

You need to be using the January 22, 2013 stack release (or later) before you can use this feature. Remember that every environment associated with your app must be upgraded.

Get started with PGP encrypted database backups

Important: Once encrypted backups are enabled, they will be encrypted using a PGP key pair. The public key is used to encrypt the backup, while the private key is required for decryption. The private key is unknown to Engine Yard, and storing it is the sole responsibility of the customer. We recommend storing the key in multiple secure locations, protected by a passphrase, with the passphrase also recorded in a separate secure location. Without this key and passphrase it will not be possible to decrypt the DB backups.

This document describes how to use PGP encrypted database backups in the Engine Yard Cloud environment.

Configure encrypted database backups

Important: You need to upgrade to the January 22nd stack release (or later) before you can use this feature. We recommend testing the upgrade in a staging environment before applying these changes in your production environment.

Run the following commands on your local machine.

To configure encrypted database backups

  1. If you don't already have a GnuPG application installed, you'll need to download and install one from: http://www.gnupg.org/download/. We recommend Gpg4win for Windows and Mac GPG for macOS.

  2. Generate the PGP key pair:

    This is an interactive process and you will be prompted for several pieces of information. For most elements, the defaults are fine. You will need to provide: name, email, comment, and a passphrase.

    Note: Do this on your local machine, not on the EY instance.

    From the command line:

    gpg --gen-key

    GnuPG generates the PGP key pair (key pair: secret and public key).

  3. Securely store or share the PGP secret key with members of your team. It might be helpful to also leave a copy of this on the EBS volume '/db'. This must be completed before applying the changes to the application.

    Warning: Do not store this only on the instance; once this change is in place, this is the ONLY way to decrypt the backups.

    gpg --export-secret-keys > keyfile.sec

  4. Verify the key generation by listing the keys:

    gpg --list-keys
    domU-1234-64-A5 tmp # gpg --list-keys
    /home/deploy/.gnupg/pubring.gpg
    ------------------------
    pub   1024D/1EE09942 2013-01-23
    uid                  Tyler EY (This left intentionally blank) <notreal@engineyard.com>
    sub   2048g/D578814D 2013-01-23

  5. Export the PGP public key by using the email address specified in the key generation:

    gpg --export -a [user@domain.com]

    This exports the PGP public key to the command line. You can now use the key in Engine Yard Cloud.

  6. Copy the entire content of the key from the command line including the ---- lines at the beginning and the end.

  7. For an existing application navigate to the Application > Edit Application page. For a new application use the Add Application button as usual.

  8. Paste the key into GnuPG Public Key for Backups.

  9. For an existing application click Update Application, then run an Apply on all environments hosting the application. For a new application click the Create Application button and move onto the environment configuration as usual.

    Note: If you manually run a backup from the command line, that backup will not automatically be encrypted unless you run the command as the root user, with the same syntax as used by the root user crontab. (The GPG key is installed only under the root user by default.)

Key Rotation

Important: Make sure you have a backup of the old key, as it is required to restore previously encrypted backups.

Check whether there are any expired records for the key (on your local machine):

gpg --list-keys

Once done, remove the old/expired key:

gpg --delete-secret-and-public-keys <key-id>

Revalidate the keys with:

gpg --list-keys

Once done, export the keys with:

gpg --export-secret-keys > keyfile.sec
gpg --export -a <e-mail>

Afterwards, continue from step 6 onwards in the previous section.

Confirm encrypted status

To confirm that backups are set to be encrypted:

Check the crontab of the instance configured to run the backup (this being the DB master by default, but customisable via Chef):

sudo crontab -l

You should see the encryption key being called by the backup job:

eybackup -e mysql -k XXXXXXX >> /var/log/eybackup.log 2>&1

If not, ensure an Apply has been run on the environments, then contact Support for further assistance.
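
The crontab check above can be scripted so that it also ignores commented-out jobs and, after a key rotation, flags jobs that still name the old key. This is an added example, not Engine Yard tooling; it assumes only the -k <key ID> form shown above, and the key IDs, schedule times and the /usr/local/bin path in the sample crontab are constructed.

```sh
#!/bin/sh
# Added example, not Engine Yard tooling. Reads `crontab -l` output on stdin.
# Usage on an instance: sudo crontab -l | audit_eybackup_cron [expected_key_id]
# Status: 0 = every active eybackup job encrypts (to the expected key, if given)
#         1 = a job has no -k value or names a different key
#         2 = no active eybackup job found
audit_eybackup_cron() {
    awk -v want="${1:-}" '
        /^[ \t]*#/ { next }                            # commented-out entry
        $0 !~ "(^|[ \t/])eybackup([ \t]|$)" { next }   # not an eybackup job
        {
            jobs++; key = ""
            for (i = 1; i < NF; i++)                   # value following -k
                if ($i == "-k" && $(i + 1) !~ /^[->]/) key = $(i + 1)
            if (key == "") { bad++; print "UNENCRYPTED: " $0 }
            else if (want != "" && key != want) { bad++; print "WRONG KEY " key ": " $0 }
            else print "ok (key " key "): " $0
        }
        END { if (!jobs) exit 2; exit (bad ? 1 : 0) }
    '
}

sample_crontab() {   # constructed sample, not taken from a real instance
    cat <<'EOF'
# m h dom mon dow command
0 1 * * * eybackup -e mysql -k NEWKEY02 >> /var/log/eybackup.log 2>&1
30 1 * * * eybackup -e postgresql >> /var/log/eybackup.log 2>&1
#0 2 * * * eybackup -e mysql -k OLDKEY01 >> /var/log/eybackup.log 2>&1
0 3 * * * /usr/local/bin/eybackup -e mysql -k OLDKEY01 >> /var/log/eybackup.log 2>&1
EOF
}

# Demo run on the constructed sample, expecting the rotated key NEWKEY02.
sample_crontab | audit_eybackup_cron NEWKEY02 || echo "audit status: $?"
```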

To confirm that the backups taken are encrypted:

Once the first backup has run after encryption is enabled, run the following command on any DB instance in the environment:

sudo -i eybackup -e _db_type_ --list-backup _appname_

Where db_type is either mysql or postgresql and appname is the name of the application whose backups you wish to check. The most recent backup should have the extension sql.gpz or dump.gpz rather than the previous sql.gz or dump.

Testing encrypted backups

We highly recommend testing out the decryption process on encrypted backups ASAP so that you can be sure you will be able to decrypt them and so you still have unencrypted backups available if needed. This can be done by following the Restore instructions below.

Back up on demand

To perform an on-demand backup when encryption is in place you must provide the key as a part of the backup command:

sudo -i eybackup -e _db_type_ -k XXXXXXX -n

Where db_type is either mysql or postgresql and XXXXXXX is the public key ID found via the crontab command in the Confirm encrypted status section.

Restore from an encrypted database backup

You use the standard download and import methods. For an encrypted database backup, there is one additional step: decrypt the backup.

Use a machine that has the secret GnuPG key on it and follow these steps.

To extract an encrypted database backup

  1. Use the eybackup database backup tool to download the database you need.

  2. Import the secret key from the keyfile:

    gpg --import keyfile.sec

  3. Decrypt the database backup.

    For MySQL:

    gpg -d [backup_filename].sql.gpz > [backup_filename].sql

    For PostgreSQL:

    gpg -d [backup_filename].dump.gpz > [backup_filename].dump

    This backup file can now be used locally or uploaded back to your instances for a restore.
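
A restore drill for the key export and decryption steps above, as an added example (not Engine Yard tooling): it generates a throwaway key pair, exports keyfile.sec and the public key, encrypts a sample dump on a keyring holding only the public key, and confirms that only a keyring with keyfile.sec imported can decrypt it. It assumes GnuPG 2.2 or later; the identity, passphrase and sample dump are constructed, and the plain gpg -e call stands in for whatever eybackup runs internally.

```sh
#!/bin/sh
# Added example: restore drill with a throwaway key pair (not Engine Yard tooling).
# Three scratch keyrings stand in for the local machine, the instance and the
# restore machine. Returns 0 when keyfile.sec plus the passphrase recover the
# sample dump, 1 on any failure, 2 when gpg is not installed.
restore_drill() {
    command -v gpg >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    uid='drill@example.invalid'     # constructed identity
    pw='constructed-passphrase'     # constructed passphrase
    auth="--batch --pinentry-mode loopback --passphrase $pw"
    mkdir -m 700 "$work/local" "$work/instance" "$work/restore" || return 1
    rc=1
    {
        # Local machine: generate the pair, then export both halves.
        gpg --homedir "$work/local" $auth \
            --quick-generate-key "Restore Drill <$uid>" default default never &&
        gpg --homedir "$work/local" $auth --export-secret-keys > "$work/keyfile.sec" &&
        gpg --homedir "$work/local" --export -a "$uid" > "$work/public.asc" &&
        # Instance: holds only the public key and encrypts a sample dump with it.
        printf 'CREATE TABLE drill (id INT);\n' > "$work/sample.sql" &&
        gpg --homedir "$work/instance" --batch --import "$work/public.asc" &&
        gpg --homedir "$work/instance" --batch --trust-model always \
            -r "$uid" -o "$work/sample.sql.gpz" -e "$work/sample.sql" &&
        # The public key alone must not decrypt the backup.
        ! gpg --homedir "$work/instance" --batch -d "$work/sample.sql.gpz" &&
        # Restore machine: import keyfile.sec, decrypt, compare with the original.
        gpg --homedir "$work/restore" $auth --import "$work/keyfile.sec" &&
        gpg --homedir "$work/restore" $auth -d "$work/sample.sql.gpz" \
            > "$work/restored.sql" &&
        cmp -s "$work/sample.sql" "$work/restored.sql" && rc=0
    } >/dev/null 2>&1
    # Stop the agents started for the scratch keyrings, then remove everything.
    for home in local instance restore; do
        gpgconf --homedir "$work/$home" --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$work"
    return "$rc"
}

restore_drill && echo "drill passed" || echo "drill did not pass (status $?)"
```

To drill with the real key instead, keep only the restore-machine steps and point them at your stored keyfile.sec and a downloaded backup.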

More information

For more information about...             See...
How to download a backup file             View and download database backups.
How to import the database                Restore or load a database.
SSHing into an instance                   Connect to your instance via SSH.
Finding the password for your database    Find key information about your database.
GnuPG                                     GnuPG.org documentation sources.
