Database backups on Engine Yard Cloud can be encrypted with the PGP public keys of your choice.
This feature uses GNU Privacy Guard (GnuPG), an implementation of the OpenPGP standard. GnuPG is a command-line tool for encrypting and signing your data and communications; it includes a key management system and access modules for public key directories.
You need to upgrade to the January 22nd stack release (or later) before you can use this feature. Remember that every environment associated with your app must be upgraded.
You need to enable the Early Access feature before you can participate in the program.
To enable the encrypted database backup Early Access feature
Log in to your Engine Yard Cloud account.
On the dashboard, click Tools > Early Access on the toolbar.
Next to the Encrypted db backups feature, click Enable.
The related functionality becomes available.
Configure encrypted database backups
Important: You need to upgrade to the January 22nd stack release (or later) before you can use this feature. We recommend testing the upgrade in a staging environment before applying these changes in your production environment.
This is an interactive process and you will be prompted for several pieces of information. For most elements, the defaults are fine. You will need to provide: name, email, comment, and a passphrase.
From the command line:
GnuPG generates the PGP key pair (key pair: secret and public key).
Store the PGP secret key securely, or share it securely with members of your team. It might also be helpful to leave a copy of the secret key on the EBS volume '/db'. Complete this step before applying the changes to the application.
Warning: Do not store the secret key only on the instance; once this change is in place, the secret key is the ONLY way to decrypt the backups.
gpg --export-secret-keys > keyfile.sec
Verify the key generation by listing the keys:
domU-1234-64-A5 tmp # gpg --list-keys
pub 1024D/1EE09942 2013-01-23
uid Tyler EY (This left intentionally blank) <email@example.com>
sub 2048g/D578814D 2013-01-23
Export the PGP public key by using the email address specified in the key generation:
gpg --export -a [firstname.lastname@example.org]
This exports the PGP public key to the command line. You can now use the key in Engine Yard Cloud.
Copy the entire content of the key from the command line including the ---- lines at the beginning and the end.
Navigate to the Application > Edit Application page.
Paste the key into GnuPG Public Key for Backups.
Click Update Application.
Once the app update completes, the regularly scheduled backups will be encrypted automatically.
Note: If you manually run a backup from the command line, that backup is not encrypted automatically unless you run the command as the root user, using the same syntax as the root user's crontab. (By default, the GPG key is installed only under the root user.)
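Because the exported secret key is the only way to decrypt the backups, it is worth confirming that keyfile.sec on its own can restore a file encrypted to the public key. The script below is an added example, not Engine Yard code or part of the original procedure; it assumes GnuPG 2.1 or later, works entirely in scratch keyrings, and uses a constructed identity, passphrase and sample dump.

```bash
#!/usr/bin/env bash
# Added example (not Engine Yard code). Assumes GnuPG 2.1 or later.
# The identity, passphrase and dump contents are constructed test values.

verify_backup_key_roundtrip() (
  work=$(mktemp -d) || exit 1
  cleanup() {
    for d in gen instance restore; do
      GNUPGHOME="$work/$d" gpgconf --kill gpg-agent 2>/dev/null
    done
    rm -rf "$work"
  }
  trap cleanup EXIT
  email='backup-test@example.invalid'
  pass='constructed-test-passphrase'
  mkdir -m 700 "$work/gen" "$work/instance" "$work/restore" || exit 1

  # Run gpg non-interactively against one of the three scratch keyrings.
  g() {
    h=$1; shift
    GNUPGHOME="$work/$h" gpg --batch --quiet \
      --pinentry-mode loopback --passphrase "$pass" "$@"
  }

  # 1. Generate the key pair and make the two exports from the procedure.
  g gen --quick-generate-key "Backup Test <$email>" default default never &&
  g gen --export-secret-keys > "$work/keyfile.sec" &&
  g gen --export -a "$email" > "$work/pub.asc" &&

  # 2. The instance holds only the public key and encrypts the dump with it.
  printf 'CREATE TABLE t (id int);\n' > "$work/dump.sql" &&
  g instance --import "$work/pub.asc" &&
  g instance --trust-model always --recipient "$email" \
    --output "$work/dump.sql.gpg" --encrypt "$work/dump.sql" &&

  # 3. That public-key-only keyring must fail to decrypt its own backup.
  ! g instance --output "$work/leak.sql" \
    --decrypt "$work/dump.sql.gpg" 2>/dev/null &&

  # 4. A clean keyring holding only keyfile.sec must restore the dump exactly.
  g restore --import "$work/keyfile.sec" &&
  g restore --output "$work/restored.sql" --decrypt "$work/dump.sql.gpg" &&
  cmp -s "$work/dump.sql" "$work/restored.sql"
)
```

The function returns 0 only if the public-key-only keyring cannot decrypt and the keyring rebuilt from keyfile.sec recovers the dump byte for byte; to test a real export, repeat step 4 with your own keyfile.sec on a machine other than the instance.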
Restore from an encrypted database backup
You use the standard download and import methods. For an encrypted database backup, there is one additional step: decrypt the backup.
Use a machine that has the secret GnuPG key on it and follow these steps.