1. Installing PHPBU
Requirements
PHP Archive (PHAR)
Composer
Framework integrations
2. Configuration
XML-Configuration
List of tags
JSON-Configuration
Schedule backups
3. The Command-Line-Runner
Command-Line-Runner options
Simulation
4. Backup Sources
ArangoDB
MongoDB
MySQL - mysqldump
MySQL - xtrabackup
pgdump
redis
Directories
5. Backup Validation
Minimal size
Compare to previous Backups
6. Encryption
mcrypt
openssl
7. Sync Backups
Amazon S3
Dropbox
Rsync
SFTP / FTP
Softlayer Object Storage
8. Cleanup backups
Cleanup by capacity
Cleanup by date
Cleanup by quantity
9. Logging
JSON
E-Mail
10. Extending PHPBU
Executing and simulating
Create a custom Source
Create a custom Check
Create a custom Sync
Create a custom Cleaner
Create a custom Logger
Summary
11. Framework integrations
Laravel
Installation
Configuration
Usage
A. Index
B. Copyright

Chapter 6. Encryption

PHPBU can encrypt your backup using openssl or mcrypt.

Hint

If the choice is yours, I strongly recommend using openssl. Here is a good article explaining why.

Table 6.1. Available crypts:

TypeDescription
mcryptEncrypts your backup with the mcrypt command line tool.
opensslEncrypts your backup with the openssl command line tool.


mcrypt

Table 6.2. mcrypt options

NameValueRequiredDefaultDescription
algorithmstringyes-Algorithm to use to encrypt the backup.
keystringyes-Secret key to use for encryption.


Example 6.1: mcrypt XML example

<!-- encryption -->
<crypt type="mcrypt">
  <option name="algorithm" value="blowfish"/>
  <option name="key" value="mySecretKey"/>
</crypt>


Example 6.2: mcrypt JSON example

{
  "type": "mcrypt",
  "options": {
    "algorithm": "blowfish",
    "key": "mySecretKey"
  }
}


openssl

Please be sure to use only password or certFile.

Table 6.3. openssl options

NameValueRequiredDefaultDescription
passwordstringyes-Encrypt backup with 'openssl enc -pass...'.
certFilestringyes-Encrypt backup with 'openssl smime ... myCert.pem'.
algorithmstringyes- Algorithm to use to encrypt the backup. Attention you have to specify different algorithm names for using password and using a cert file.
keepUncryptedbooleannofalseDon't remove the uncrypted backup.
pathToOpenSSLstringno-Used to specify a special path to the openssl command.


Example 6.3: openssl XML example using password encryption

<!-- encryption -->
<crypt type="openssl">
  <option name="password" value="mySecretPassword"/>
  <option name="algorithm" value="aes-256-cbc"/>
</crypt>


Example 6.4: openssl JSON example using password encryption

{
  "type": "openssl",
  "options": {
    "password": "mySecretPassword",
    "algorithm": "aes-256-cbc"
  }
}


Example 6.5: openssl XML example using SSL cert encryption

<!-- encryption -->
<crypt type="openssl">
  <option name="certFile" value="ssl/MyCert.pem"/>
  <option name="algorithm" value="aes256"/>
</crypt>


Example 6.6: openssl JSON example using SSL cert encryption

{
  "type": "openssl",
  "options": {
    "certFile": "ssl/MyCert.pem",
    "algorithm": "aes256"
  }
}


Create a private key and a certificate pem file

To encrypt your backups with a cert file you have to create a private key and a certificate pem file. 

$ openssl req -x509 -new -days 100000 -key private.pem -out certificate.pem

The created certificate.pem is used to encrypt your backups and should be referenced in your phpbu configuration as certFile. The private.pem file is used to decrypt your backups.

Decrypt

Decrypt a cert file encoded backup

$ openssl smime -decrypt -aes256 -inform DER \
  -in backup.tar.bz2.enc \
  -out backup.tar.bz2 \
  -inkey private.pem

Decrypt a password encoded backup

$ openssl enc -d -a -aes-256-cbc \
  -in backup.tar.bz2.enc \
  -out backup.tar.bz2 \
  -pass pass:mySecretPassword
Please open a ticket on GitHub to suggest improvements to this page. Thanks!