Use PGP Encrypted Database Backups with Engine Yard Cloud

Keri Meredith
posted this on December 18, 2012 10:47 AM

Updated: March 18th, 2013

Database backups on Engine Yard Cloud can be encrypted with the PGP public keys of your choice.

This feature uses GNU Privacy Guard (GnuPG), an implementation of the OpenPGP standard. GnuPG is a command-line tool that lets you encrypt and sign your data and communications. It includes a key management system and access modules for public key directories.

Prerequisite

You need to upgrade to the January 22nd stack release (or later) before you can use this feature. Remember that every environment associated with your app must be upgraded.

Get help or provide feedback

If you have any issues or questions about this Early Access feature, use the Early Access Feature Feedback forum.

Get started with PGP encrypted database backups

This document describes how to use PGP encrypted database backups in the Engine Yard Cloud environment.

Enable the encrypted database backup feature

You need to enable the Early Access feature before you can participate in the program.

To enable the encrypted database backup Early Access

  1. Log in to your Engine Yard Cloud account.

  2. On the dashboard, click Tools > Early Access on the toolbar.

  3. Next to the Encrypted db backups feature, click Enable.

    The related functionality becomes available.

Configure encrypted database backups

Important: You need to upgrade to the January 22nd stack release (or later) before you can use this feature. We recommend testing the upgrade in a staging environment before applying these changes in your production environment.

Run the following commands on your local machine.

To configure encrypted database backups

  1. If you don't already have GnuPG installed, you'll need to download and install it from: http://www.gnupg.org/download/

  2. Generate the PGP key pair:

    This is an interactive process and you will be prompted for several pieces of information. For most elements, the defaults are fine. You will need to provide: name, email, comment, and a passphrase.

    From the command line:

    gpg --gen-key

    GnuPG generates the PGP key pair (key pair: secret and public key).

  3. Securely store or share the PGP secret key with members of your team. It might be helpful to also leave a copy of this on the EBS volume '/db'. This must be completed before applying the changes to the application.

    Warning: Do not store this only on the instance; once this change is in place, this is the ONLY way to decrypt the backups.

    gpg --export-secret-keys > keyfile.sec

  4. Verify the key generation by listing the keys:

    gpg --list-keys
    domU-1234-64-A5 tmp # gpg --list-keys
    /home/deploy/.gnupg/pubring.gpg
    ------------------------
    pub   1024D/1EE09942 2013-01-23
    uid                  Tyler EY (This left intentionally blank) <notreal@engineyard.com>
    sub   2048g/D578814D 2013-01-23

  5. Export the PGP public key by using the email address specified in the key generation:

    gpg --export -a [user@domain.com]

    This exports the PGP public key to the command line. You can now use the key in Engine Yard Cloud.

  6. Copy the entire content of the key from the command line including the ---- lines at the beginning and the end.

  7. Navigate to the Application > Edit Application page.

  8. Paste the key into GnuPG Public Key for Backups.

  9. Click Update Application.

    Once the app update completes, the regularly scheduled backups will be encrypted automatically.

    Note: If you manually run a backup from the command line, that backup will not be encrypted automatically unless you run the command as the root user, with the same syntax as used in the root user's crontab. (By default, the GPG key is installed only under the root user.)

Restore from an encrypted database backup

You use the standard download and import methods. For an encrypted database backup, there is one additional step: decrypt the backup.

Use a machine that has the secret GnuPG key on it and follow these steps.

To extract an encrypted database backup

  1. Use the eybackup database backup tool to download the database you need.

  2. Import the secret key from the keyfile:

    gpg --import keyfile.sec

  3. Decrypt the database backup.

    For MySQL:

    gpg -d [backup_filename].sql.gpz > [backup_filename].sql

    For PostgreSQL:

    gpg -d [backup_filename].dump.gpz > [backup_filename].dump

    This backup file can now be used locally or uploaded back to your instances for a restore.
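
The warning in step 3 of the configuration procedure and the restore steps above can be rehearsed end to end before a real backup depends on them. This is an added example, not Engine Yard's code: it uses a throwaway key in temporary keyrings, assumes GnuPG 2.2 or later for batch key generation, and the identity, file names and `restore_drill` function are constructed for illustration.

```shell
# Added example: rehearse the encrypt/restore round trip with a THROWAWAY key.
# Assumes GnuPG 2.2+; every name and file below is constructed for the drill.
DRILL_EMAIL="backup-drill@example.invalid"

g() {  # run gpg against one isolated keyring: g <homedir> <gpg args...>
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --no-tty "$@"
}

restore_drill() {
    work=$(mktemp -d) || return 2
    for d in local server restore; do mkdir -m 700 "$work/$d"; done

    # Local machine: generate the key pair, then export both halves.
    g "$work/local" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Backup Drill <$DRILL_EMAIL>" default default never || return 2
    g "$work/local" --export -a "$DRILL_EMAIL" > "$work/public.asc"
    g "$work/local" --pinentry-mode loopback --passphrase '' \
        --export-secret-keys > "$work/keyfile.sec"

    # Instance: holds only the public key, so it can encrypt but not decrypt.
    printf 'CREATE TABLE t (id INT);\n' > "$work/app.sql"   # constructed dump
    g "$work/server" --import "$work/public.asc"
    g "$work/server" --trust-model always -r "$DRILL_EMAIL" \
        -o "$work/app.sql.gpz" -e "$work/app.sql"

    # Without the secret key, decryption must fail.
    if g "$work/server" -d "$work/app.sql.gpz" >/dev/null 2>&1; then
        result="FAIL: decrypted without the secret key"
    else
        # Restore machine: import keyfile.sec, decrypt, compare to the original.
        g "$work/restore" --import "$work/keyfile.sec"
        g "$work/restore" -d "$work/app.sql.gpz" > "$work/restored.sql" 2>/dev/null
        if cmp -s "$work/app.sql" "$work/restored.sql"; then
            result="OK"
        else
            result="FAIL: keyfile.sec did not restore the backup"
        fi
    fi
    for d in local server restore; do
        gpgconf --homedir "$work/$d" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
    echo "$result"
}
```

Calling `restore_drill` prints `OK` when the exported `keyfile.sec` alone is enough to recover the dump. The same comparison can be run against a real downloaded backup and your stored copy of the secret key.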

More information

For more information about...             See...
How to download a backup file             View and download database backups.
How to import the database                Restore or load a database.
SSHing into an instance                   Connect to your instance via SSH.
Finding the password for your database    Find key information about your database.
GnuPG                                     GnuPG.org documentation sources.

If you have feedback or questions about this page, add a comment below. If you need help, submit a ticket with Engine Yard Support.