Step‑by‑Step: Piping Backup Streams Through GPG
Backing up a directory to tape or a CD‑ROM while keeping the data encrypted is simpler than it sounds if you stream the data through GPG as it is being written. The technique relies on three core utilities that are available on almost every Linux system: tar to archive, gpg to encrypt, and dd or cdrecord to write to the target device. Because the encryption happens in real time, you never have to store the unencrypted archive on disk, which cuts the risk of accidental exposure.
Below is the canonical pipeline for a tape backup. Replace /dev/tape with the actual device name you are using. The block size of 10 kB matches the default for many tape drives and balances speed with error detection.
$ tar cf - mydir | gpg -c | dd of=/dev/tape bs=10k
The command breaks down into three stages:
- tar cf - mydir writes the contents of mydir to standard output in tar format.
- gpg -c encrypts that stream interactively, prompting for a passphrase.
- dd consumes the encrypted stream and pushes it straight to the tape device.
Restoring the same backup is symmetrical. The data is read from the tape, decrypted, and finally extracted:
$ dd if=/dev/tape bs=10k | gpg --decrypt | tar xf -
Because gpg works as a filter, the entire operation requires no intermediate storage; only the tape or CD-ROM holds the encrypted data. That means you can set up a cron job to run this pipeline nightly or weekly without worrying about filling up a disk. The only thing you need to keep safe is the passphrase, so store it in a password manager or a secure, access-controlled file.
When the destination is a CD-ROM rather than tape, the procedure is similar, but you create a temporary directory to hold the encrypted archive before burning it. Here is a typical script:
#!/bin/sh
# Staging directory; it will hold only the encrypted archive
mkdir -p destdir
# Archive and encrypt in one pass, so no plaintext tarball touches the disk
tar cf - mydir | gpg -c > destdir/myfile.tar.gpg
# Build an ISO image of the staging directory and burn it to the drive
mkisofs -R -l destdir | cdrecord speed=${SPEED} dev=${SCSIDEVICE} -
Replace ${SPEED} and ${SCSIDEVICE} with the values that match your hardware. The mkisofs command creates a CD-ROM image with Rock Ridge extensions for POSIX compatibility, while cdrecord writes that image to the drive. Note that the temporary directory destdir only contains the encrypted archive; it is erased after the burn completes. If you prefer to keep a backup of the encrypted file on the host, leave the directory in place.
Using the streaming approach has several advantages:
- No unencrypted tarball is written to the host file system.
- The backup can be performed on systems with limited disk space.
- Encryption is done on the fly, eliminating an extra copying step.
The main drawback is the lack of resilience against corruption. Because the entire archive is a single encrypted blob, any damage to the tape or CD surface can make the whole backup unreadable. In the next section we explore a method that mitigates that risk by encrypting each file individually.
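One way to make such damage detectable, and to locate it, before you attempt a restore is to record a per-block checksum manifest next to the blob. The shell functions below are an added example, not part of the original article; they assume the encrypted stream (the output of tar cf - mydir | gpg -c) is stored as a file, use the same 10 kB block size as the tape pipeline, and need sha256sum, dd and awk on the host.

```shell
#!/bin/sh
# Added example (not from the original article): a per-block SHA-256 manifest
# for the single encrypted blob that "tar cf - mydir | gpg -c" produces, so a
# damaged tape or disc is detected, and the damaged block located, before
# gpg --decrypt is even attempted. Assumes sha256sum, dd and awk are present.
BLOCK=10240   # the same 10 kB block size the tape pipeline uses

# Print "index sha256" for every BLOCK-sized slice of file $1.
make_manifest() {
    f=$1; size=$(wc -c < "$f" | tr -d ' '); i=0
    while [ $((i * BLOCK)) -lt "$size" ]; do
        sum=$(dd if="$f" bs="$BLOCK" skip="$i" count=1 2>/dev/null \
              | sha256sum | cut -d' ' -f1)
        printf '%s %s\n' "$i" "$sum"
        i=$((i + 1))
    done
}

# Store the encrypted stream arriving on stdin in $1 and write $1.manifest
# beside it. Usage: tar cf - mydir | gpg -c | store_with_manifest destdir/myfile.tar.gpg
store_with_manifest() {
    cat > "$1" && make_manifest "$1" > "$1.manifest"
}

# Print the index of every block whose hash now differs from the recorded
# manifest, followed by the indices of blocks that are missing altogether
# (truncation). Prints nothing when the blob is intact.
damaged_blocks() {
    make_manifest "$1" | awk '
        NR == FNR { want[$1] = $2; n = NR; next }      # first input: the manifest
        { seen[$1] = 1; if (want[$1] != $2) print $1 } # second input: current hashes
        END { for (i = 0; i < n; i++) if (!seen[i]) print i }' "$1.manifest" -
}

# Succeeds only when the blob matches its manifest; run it before gpg --decrypt.
verify_blob() {
    [ -z "$(damaged_blocks "$1")" ]
}
```

Keep the manifest with the backup (it is tiny and reveals nothing about the plaintext); a failed verify_blob tells you which 10 kB block to re-read from the medium rather than discovering a bad MDC halfway through a restore.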
Alternative: File‑by‑File Encryption with Hard or Symbolic Links