Backup Encryption

How to encrypt & decrypt your backups

When you choose an encryption key for your file and database backups, the resulting backup will be encrypted via AES-256 and can only be decrypted using the same key you used.

Behind the scenes, OpenSSL is used and takes care of the encryption for you.

This works best when backups are also streamed ("Backup Streaming" is enabled) since it will happen on the fly and the backup output will not even exist unencrypted at any point in time during the backup state's transition.


Encrypting your backup

Here's a step-by-step guide on how to generate a private key and obtain a PEM public key to use with SimpleBackups:

1. Create the private key

To encrypt your backups, you need to generate a private key first. To do this, open the terminal on your computer and enter the following command:

openssl genrsa -aes256 -out private-key.pem 4096

This command generates an RSA private key that is 4096 bits long. The output file, private-key.pem, is encrypted with AES256. You'll be prompted to enter a password that will be used to protect your private key file. We recommend using a strong passphrase to ensure the security of your private key.

Generating RSA private key, 4096 bit long modulus... Enter pass phrase for private-key.pem:

2. Get the PEM public key to use

Once you have generated the private key, you will need to obtain the corresponding PEM public key. To do this, run the following command:

openssl rsa -in private-key.pem -pubout > public-key.pem

This command generates a PEM public key file that you will use to encrypt your backups. The public key can be safely distributed, while the private key must be kept secret.

After running the command, you will need to copy and paste the contents of the public-key.pem file into SimpleBackups' encryption key field.

cat public-key.pem

3. Save your private key

It is important to keep your private key file safe and secure. We recommend storing it in a password-protected location, such as an encrypted USB device or a secure cloud storage service.

4. Encrypt your backups

You can now use the PEM public key to encrypt your backups. Simply enter the contents of the public-key.pem file into SimpleBackups' encryption key field. When you run the backup, SimpleBackups will use the public key to encrypt your data.

To restore your backups, you will need to use the private key to decrypt the data. Make sure to keep your private key file safe and secure, and do not share it with anyone.

Decrypting AES-encrypted backup

  • Download your encrypted backup
  • Download the AES encryption passphrase
  • Decrypt the encryption passphrase using your RSA private key
  • Decrypt your backup using the decrypted passphrase
Download the AES encryption passphrase
Download the AES encryption passphrase

Step 1. Decrypt your encryption passphrase first using the following command:

cat encryption-passphrase.pass | base64 -d | openssl rsautl -decrypt -inkey private-key.pem -out decryption-passphrase.txt

Where private-key.pem is your private key (you never share it with anyone), encryption-passphrase.pass is the encrypted passphrase used to encrypt your backup via AES-256.


Step 2. Finally, to decrypt your backup, you could use the following command:

openssl enc -d -aes-256-cbc -md sha512 -in encrypted-file-from-simplebackups.sql.gz -out decrypted-file.sql.gz -pass file:/home/path/decryption-passphrase.txt

Where encrypted-file-from-simplebackups.sql.gz is your encrypted SimpleBackups backup archive, decryption-passphrase.txt is the decrypted passphrase which will decrypt your backup.

The encryption-passphrase.pass can only be decrypted using your RSA private key
Your backup can only be decrypted using the decrypted encryption-passphrase.pass
We store your encryption-passphrase.pass on our side, it is unique per backup run
You are responsible for securing, and keep your private-key.pem, private
No one can read or decrypt your encrypted backups, except you

How backup encryption works?

We use AES-256 to encrypt your backups using your key via OpenSSL. Using this method is highly recommended, since you are the only one who can actually read your own backups, no one else can.


High-level overview:

  • Provide an RSA asymmetric public key
  • SimpleBackups uses this RSA key to encrypt a random passphrase at runtime
  • SimpleBackups, then, encrypts your backup on the fly on its way to your storage
  • Files resting on your storage are encrypted by AES-256 and are unreadable
  • Download your backup and decrypt it using your private key and the encryption passphrase

What happens if I lose my private encryption key?

You will LOSE access to your encrypted backup, and will not be able to decrypt it. No one can help in this situation. It is extremely important that you keep your private key safe, and never lose it.


Can I use an RSA SSH public key, not in PEM format?

No. You can use this command to convert a private SSH key into the public RSA PEM key:

ssh-keygen -f ~/.ssh/id_rsa -e -m pkcs8 > id_rsa.pem

Note: you need the private SSH key, you cannot convert a public SSH key ( to PEM.


Did this answer your question?