Encryption of barman backups


G Johnston

May 10, 2015, 5:05:31 PM
to pgba...@googlegroups.com
Hi,

I'm a real newcomer to postgres with about 3 months experience.

I'm working for a company that is using Postgres 9.4 as the database backend for a new cloud based solution that we are developing.

Backup & Recovery is obviously one of our key concerns, so I was delighted to come across such an easy to install, configure and use tool as barman.

However, we need to be able to encrypt our backups at rest, and I do not see features provided for this in the barman documentation.
Nor does a Google search for "barman encryption" turn up any useful resources.

Therefore, I'd be very grateful if anyone could advise what encryption or security features, if any, barman provides, or if anyone with similar
backup security requirements could tell me how they went about securing the backups on their barman backup server.

Regards,
George Johnston

Chad Anderson

May 11, 2015, 11:41:23 AM
to pgba...@googlegroups.com
Hey George,

We have similar requirements here and have solved it multiple ways in
the past. Full Disk Encryption is always an option and is super easy if
you're just looking to meet some encryption requirements. Another option
would be to use a post-backup hook script to send each backup folder
through GZIP, then GPG. I'd assume you'd have to sacrifice some of the
benefits of backup reuse in that case. As far as I'm aware there isn't
any built-in encryption magic for barman.
--
Chad Anderson

Joseph Kregloh

May 11, 2015, 11:43:57 AM
to pgba...@googlegroups.com
Going along with the previous suggestion: you can set up your backups to be saved into a ZFS filesystem on which you have encryption enabled.

-Joseph Kregloh


EllieDBA

Jul 9, 2018, 2:49:59 PM
to Barman, Backup and Recovery Manager for PostgreSQL
Hello, I am trying to find a way to encrypt the Barman backups. It seems this thread is about three years old; I'm not sure if Barman has a built-in encryption feature already, or if we still have to use another file encryption solution to encrypt Barman backups? Thanks.


Stephen Amell

Jul 10, 2018, 8:54:29 AM
to pgba...@googlegroups.com, EllieDBA

Hi, same here, I'm working on it...

Barman doesn't have encryption functions at this moment.

My workaround is:

- at this moment, I'm using LUKS over the barman data folder via OS
- and gpg to the files exported to glacier (a tar workaround)

Diego,



EllieDBA

Jul 11, 2018, 4:19:33 PM
to Barman, Backup and Recovery Manager for PostgreSQL
Very helpful info Diego, especially since it sounds like you are also running Barman in AWS; can you share more details? Appreciate it!

Stephen Amell

Jul 12, 2018, 11:57:26 AM
to EllieDBA, pgba...@googlegroups.com
Hi again!


In my previous post I said:

- at this moment, I'm using LUKS over the barman data folder via OS
- and gpg to the files exported to glacier (a tar workaround)


For "at this moment, I'm using LUKS over the barman data folder via OS":

LUKS basically encrypts the partition where the barman home/work folder is.
Pros: it has a very low impact on performance (about 5%). Cons: you need to open and mount the partition on every reboot.

You can see a quick summary of the LUKS install here:
yum install cryptsetup-luks
cryptsetup -y -v luksFormat /dev/sdb
yourVerySecurePWD!
cryptsetup luksOpen /dev/sdb BARMAN
ls -l /dev/mapper/BARMAN
dd if=/dev/zero of=/dev/mapper/BARMAN status=progress bs=4MB --> think about this before you proceed.
mkfs.xfs /dev/mapper/BARMAN

# lsblk
NAME                                            MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
fd0                                               2:0    1    4K  0 disk
sda                                               8:0    0   25G  0 disk
├─sda1                                            8:1    0    1G  0 part  /boot
└─sda2                                            8:2    0   24G  0 part
  ├─centos-root                                 253:0    0    7G  0 lvm   /
  ├─centos-swap                                 253:1    0    2G  0 lvm   [SWAP]
  ├─centos-var                                  253:2    0   10G  0 lvm
  │ └─luks-4dc4da9f-2bca-46a8-9d3d-1b8976a82eef 253:4    0   10G  0 crypt /var
  └─centos-home                                 253:3    0    5G  0 lvm   /home
sdb                                              8:16    0  120G  0 disk
└─BARMAN                                        253:5    0  120G  0 crypt /home/barman
sr0                                              11:0    1 55.2M  0 rom


# df -hP
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/centos-root  7.0G  1.8G  5.3G  25% /
devtmpfs                 3.9G     0  3.9G   0% /dev
tmpfs                    3.9G     0  3.9G   0% /dev/shm
tmpfs                    3.9G   17M  3.9G   1% /run
tmpfs                    3.9G     0  3.9G   0% /sys/fs/cgroup
/dev/sda1               1014M  171M  843M  17% /boot
/dev/mapper/centos-home  5.0G   33M  5.0G   1% /home
/dev/dm-4                 10G  297M  9.7G   3% /var
/dev/mapper/BARMAN        12T  330G   12T   1% /home/barman
tmpfs                    783M     0  783M   0% /run/user/0

configure barman to "save my files inside of /home/barman" ;P

and at this moment, you have all local data secured.

For "and gpg to the files exported to glacier (a tar workaround)":

We work with the "pre_delete" hook to run a bash script.
barman has 30 days of retention in my default config.
I call that "hot recovery"; afterwards, when I need to restore from glacier, I call it "cold recovery", each with its own SLA.

This bash script works, in an alpha version, this way:

1. Identify the backup
   barman list-files TestBKP 20180702T200002 (oldest)

2. Tar it
   tar czf TestBKP-20180702T200002.tar.gz $(barman list-files  TestBKP 20180702T200002)

3. Encrypt it
   cat ~/.ssh/barman.gpg.priv | gpg -c --passphrase-fd 0 --batch --yes --symmetric TestBKP-20180702T200002.tar.gz

4. Upload it to glacier
   aws glacier upload-archive --vault-name Barman --account-id 0000000000039 --archive-description '2018-07-03 DAF TestBKP-20180702T200002' --body TestBKP-20180702T200002.tar.gz.gpg

5. Save the output in a db for future recoveries; it is easier to search in your own system than to wait for glacier's times.

The recovery part is manual:

$ aws glacier initiate-job --vault-name CxBarman --account-id 0000000000039  --job-parameters '{"Type": "archive-retrieval", "ArchiveId": "IXD--TdcQSeClHDJgWssz-aw4A"}'

output:
{
    "location": "/0000000000039/vaults/Barman/jobs/NuTRbWypRqiocw5ElNetAcCtlnKl5R7C1N",
    "jobId": "NuTRbWypRqiocw5ElNetAcCtlnKl5R7C1N"
}


This may take 6 hours...

$ aws glacier list-jobs --account-id - --vault-name Barman
Use this command to check if the retrieval job is complete.

$ aws glacier get-job-output --vault-name CxBarman --account-id 051195520539 --job-id NuTRbWypRqiocw5ElNetAcCtlnKl5R7C1N TestBKP-20180702T200002.tar.gz.gpg.restored

Now you have the restore.


I'm here now, and this is my idea working in alpha; I will change this in the future, but it is a point to start from.

When installing "aws cli" some errors appear, like: "barman 2.4 has requirement python-dateutil<2.7.0, but you'll have python-dateutil 2.7.3 which is incompatible." but everything works ;P

Please send any comments / ideas / bad ideas too / etc.

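A fuller version of the pre_delete hook described in steps 1 to 5 above, as an added example that is not the poster's script or Barman's own code: it tars the same file set, encrypts with gpg, uploads to Glacier and keeps a local index of archive ids, and additionally refuses to run unless the passphrase file is mode 600 and deletes the plaintext tarball after encryption. It assumes Barman's documented hook environment (BARMAN_HOOK, BARMAN_PHASE, BARMAN_SERVER, BARMAN_BACKUP_ID), that BARMAN_HOOK reads "delete_script" for this hook, and that VAULT, PASSFILE, WORK and LEDGER are placeholders to adjust.

```shell
#!/bin/bash
# Added example, not Barman's or the poster's code: a pre_delete_script hook that
# archives the backup Barman is about to expire, encrypts it with gpg, uploads it
# to Glacier and records the archive id locally (the post's step 5).
# Assumes Barman's hook env; VAULT, PASSFILE, WORK and LEDGER are placeholders.
set -euo pipefail

VAULT="${VAULT:-Barman}"
PASSFILE="${PASSFILE:-${HOME:-/home/barman}/.gnupg/barman-backup.pass}"
WORK="${WORK:-${HOME:-/home/barman}/cold}"
LEDGER="${LEDGER:-$WORK/archives.tsv}"

# Tarball name for a server/backup pair, e.g. TestBKP-20180702T200002.tar.gz
archive_name() { printf '%s-%s.tar.gz' "$1" "$2"; }
# Only act in the "pre" phase of the delete hook (BARMAN_HOOK assumed to be
# "delete_script" there), so the script is inert if wired into another hook.
hook_is_pre_delete() {
    [ "${BARMAN_HOOK:-}" = "delete_script" ] && [ "${BARMAN_PHASE:-}" = "pre" ]
}

# The passphrase file unlocks every archive: require mode 600 (GNU stat).
passfile_is_private() {
    [ -f "$1" ] && [ "$(stat -c %a "$1")" = "600" ]
}

encrypt_archive() {  # $1 = tarball; writes $1.gpg, passphrase via stdin, not argv
    gpg --batch --yes --symmetric --cipher-algo AES256 \
        --passphrase-fd 0 --output "$1.gpg" "$1" < "$PASSFILE"
    # GnuPG 2.1+ also needs --pinentry-mode loopback for --passphrase-fd.
}

upload_to_glacier() {  # $1 = encrypted file, $2 = description; prints archiveId
    aws glacier upload-archive --vault-name "$VAULT" --account-id - \
        --archive-description "$2" --body "$1" --query archiveId --output text
}

run_hook() {
    hook_is_pre_delete || return 0
    passfile_is_private "$PASSFILE" || { echo "refusing: $PASSFILE must be mode 600" >&2; return 1; }
    mkdir -p "$WORK"
    local tarball="$WORK/$(archive_name "$BARMAN_SERVER" "$BARMAN_BACKUP_ID")"
    # Same file set the post uses: base backup plus the WALs that backup needs.
    barman list-files "$BARMAN_SERVER" "$BARMAN_BACKUP_ID" | tar -czf "$tarball" -T -
    encrypt_archive "$tarball"
    rm -f "$tarball"   # do not leave the plaintext copy next to the ciphertext
    local id
    id=$(upload_to_glacier "$tarball.gpg" "$(date +%F) $BARMAN_SERVER $BARMAN_BACKUP_ID")
    printf '%s\t%s\t%s\t%s\n' "$(date +%FT%T)" "$BARMAN_SERVER" "$BARMAN_BACKUP_ID" "$id" >> "$LEDGER"
}

if [ -n "${BARMAN_HOOK:-}" ]; then run_hook; fi
```

Wire it in with pre_delete_script in the server's Barman configuration; the ledger file is what a "cold recovery" consults first, so the restore does not start with a Glacier inventory wait.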