The following script compresses a directory and all of its subdirectories, encrypts the archive and then sends it to a remote server. The transfer is done securely using scp, and the file it sends is already encrypted using openssl. You're secure while sending, and the file sent is encrypted even if the host machine is compromised. Ideal for backing up to a cheap VPS or shared platform.
The script is designed to be run outside of publicly readable / web space, as your encryption password is stored in plain text. You can set it to prompt for the encryption password rather than have it stored in the script, but this isn’t really practical for scheduled backups.
If you set the script to be read and run by root only and house it outside of web readable directories it should be pretty safe. If someone gets access to the script on your machine to get the encryption password stored within then you’ve probably got more important problems to worry about!
    #!/bin/bash
    # Remote backup script from host to destination server
    # Configured for private / public key authentication but easy to change to password based

    # This sets the working directory for the script (stop if it does not exist)
    cd /path/to/this/script_on_your_server/ || exit 1

    # Compresses the directory and all of its subsequent subdirectories
    # and saves it with the filename that you specify
    tar cvzf name_of_your_tar_file.tgz /the/dir/to_be/compressed/ >/dev/null 2>&1

    # Encrypts the file that we just created and adds date information.
    # Also sets the encryption password so that we can decrypt it later!
    # The archive is named explicitly: a *.tgz glob breaks if more than one .tgz exists.
    openssl aes-256-cbc -a -salt -in name_of_your_tar_file.tgz -out SQL-$(date +%d%m%y).tgz.enc -k Your-Encryption-Password

    # Remove the now un-needed and un-encrypted tgz file
    rm name_of_your_tar_file.tgz

    # Now we are set to send the file via scp to our destination server
    # If scp fails we will retry 5 times before failing
    # There is a 2 minute delay after a failed connection - sleep 120
    # We are also limiting the speed to a max of 4MB/s -l 40000
    n=0
    until [ $n -ge 5 ]
    do
        scp -l 40000 -i /youruser/.ssh/yourkey.rsa *.enc firstname.lastname@example.org:remote/directory
        [ $? -eq 0 ] && break
        n=$((n+1))
        sleep 120
    done

    # Finally, remove the encrypted file now that the backup has finished
    rm *.enc
A working example that compresses and encrypts the /var/www/httpdocs/ directory on the server that the script is running on. The encryption password is set to “grapefruit”. We then send the file to the /backup/websites/ directory on the remote server. The username that we are connecting to the remote account as is “steve”.
    cd /root/backups/ || exit 1
    tar cvzf websites.tgz /var/www/httpdocs/ >/dev/null 2>&1
    # Password matches the one named in the description above
    openssl aes-256-cbc -a -salt -in websites.tgz -out SQL-$(date +%d%m%y).tgz.enc -k grapefruit
    rm websites.tgz
    n=0
    until [ $n -ge 5 ]
    do
        scp -l 40000 -i /root/.ssh/pvtkey.rsa *.enc email@example.com:backup/websites
        [ $? -eq 0 ] && break
        n=$((n+1))
        sleep 120
    done
    rm *.enc
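The retry loop in the scripts above runs `rm *.enc` even when all five scp attempts fail, so a failed night leaves no backup anywhere and cron sees a zero exit status. The following is an added example, not part of the original script, of the same loop that deletes the encrypted file only after a successful transfer. The function names are hypothetical, and KEY and DEST are placeholders to replace with your own values.

```shell
#!/bin/bash
# Added example (not the original script). Function names are hypothetical;
# KEY and DEST are placeholders, not values from the page.
KEY=${KEY:-/root/.ssh/pvtkey.rsa}
DEST=${DEST:-user@backup-host.invalid:backup/websites}

# Default transfer: a single scp attempt for the file given as $1.
upload_one() {
    scp -l 40000 -i "$KEY" "$1" "$DEST"
}

# retry_upload FILE [TRIES] [DELAY] [UPLOADER]
# Calls UPLOADER FILE until it succeeds or TRIES attempts have failed.
retry_upload() {
    local file="$1" tries="${2:-5}" delay="${3:-120}" uploader="${4:-upload_one}"
    local n=0
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    until [ "$n" -ge "$tries" ]; do
        "$uploader" "$file" && return 0
        n=$((n + 1))
        # Skip the delay after the final failed attempt.
        if [ "$n" -lt "$tries" ]; then
            sleep "$delay"
        fi
    done
    return 1
}

# send_then_cleanup FILE [TRIES] [DELAY] [UPLOADER]
# Removes the local encrypted file only after a confirmed transfer. On failure
# the file is kept and a non-zero status is returned so cron can report it.
send_then_cleanup() {
    if retry_upload "$@"; then
        rm -f -- "$1"
        return 0
    fi
    echo "upload failed, keeping $1 for the next run" >&2
    return 1
}
```

In the backup script this replaces the `until` loop and the final `rm *.enc` with `send_then_cleanup "SQL-$(date +%d%m%y).tgz.enc" || exit 1`.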