How to encrypt & decrypt your backups
When you choose an encryption key for your file and database backups, the resulting backup will be encrypted via AES-256 and can only be decrypted using the same key you used.
Behind the scenes, OpenSSL is used and takes care of the encryption for you.
This works best when backups are also streamed ("Backup Streaming" is enabled) since it will happen on the fly and the backup output will not even exist unencrypted at any point in time during the backup state's transition.
Encrypting your backup
Here's a step-by-step guide on how to generate a private key and obtain a PEM public key to use with SimpleBackups:
1. Create the private key
To encrypt your backups, you need to generate a private key first. To do this, open the terminal on your computer and enter the following command:
openssl genrsa -aes256 -out private-key.pem 4096
This command generates an RSA private key that is 4096 bits long. The output file,
private-key.pem, is encrypted with AES256. You'll be prompted to enter a password that will be used to protect your private key file. We recommend using a strong passphrase to ensure the security of your private key.
Generating RSA private key, 4096 bit long modulus... Enter pass phrase for private-key.pem:
2. Get the PEM public key to use
Once you have generated the private key, you will need to obtain the corresponding PEM public key. To do this, run the following command:
openssl rsa -in private-key.pem -pubout > public-key.pem
This command generates a PEM public key file that you will use to encrypt your backups. The public key can be safely distributed, while the private key must be kept secret.
After running the command, you will need to copy and paste the contents of the
public-key.pem file into SimpleBackups' encryption key field.
3. Save your private key
It is important to keep your private key file safe and secure. We recommend storing it in a password-protected location, such as an encrypted USB device or a secure cloud storage service.
4. Encrypt your backups
You can now use the PEM public key to encrypt your backups. Simply enter the contents of the
public-key.pem file into SimpleBackups' encryption key field. When you run the backup, SimpleBackups will use the public key to encrypt your data.
Decrypting AES-encrypted backup
- Download your encrypted backup
- Download the AES encryption passphrase
- Decrypt the encryption passphrase using your RSA private key
- Decrypt your backup using the decrypted passphrase
Step 1. Decrypt your encryption passphrase first using the following command:
cat encryption-passphrase.pass | base64 -d | openssl rsautl -decrypt -inkey private-key.pem -out decryption-passphrase.txt
private-key.pem is your private key (you never share it with anyone),
encryption-passphrase.pass is the encrypted passphrase used to encrypt your backup via AES-256.
Step 2. Finally, to decrypt your backup, you could use the following command:
openssl enc -d -aes-256-cbc -md sha512 -in encrypted-file-from-simplebackups.sql.gz -out decrypted-file.sql.gz -pass file:/home/path/decryption-passphrase.txt
encrypted-file-from-simplebackups.sql.gz is your encrypted SimpleBackups backup archive,
decryption-passphrase.txt is the decrypted passphrase which will decrypt your backup.
encryption-passphrase.passcan only be decrypted using your RSA private key
encryption-passphrase.passon our side, it is unique per backup run
How backup encryption works?
We use AES-256 to encrypt your backups using your key via OpenSSL. Using this method is highly recommended, since you are the only one who can actually read your own backups, no one else can.
- Provide an RSA asymmetric public key
- SimpleBackups uses this RSA key to encrypt a random passphrase at runtime
- SimpleBackups, then, encrypts your backup on the fly on its way to your storage
- Files resting on your storage are encrypted by AES-256 and are unreadable
- Download your backup and decrypt it using your private key and the encryption passphrase
What happens if I lose my private encryption key?
You will LOSE access to your encrypted backup, and will not be able to decrypt it. No one can help in this situation. It is extremely important that you keep your private key safe, and never lose it.
Can I use an RSA SSH public key, not in PEM format?
No. You can use this command to convert a private SSH key into the public RSA PEM key:
ssh-keygen -f ~/.ssh/id_rsa -e -m pkcs8 > id_rsa.pem
Note: you need the private SSH key, you cannot convert a public SSH key (i.e.:
id_rsa.pub) to PEM.