Chapter 7. Encryption

PHPBU can encrypt your backup using openssl or mcrypt.

Hint

If the choice is yours, I strongly recommend using openssl. Here is a good article explaining why.

Table 7.1. Available crypts:

TypeDescription
mcryptEncrypts your backup with the mcrypt command line tool.
opensslEncrypts your backup with the openssl command line tool.


mcrypt

Table 7.2. mcrypt options

NameValueRequiredDefaultDescription
algorithmstringyes-Algorithm to use to encrypt the backup.
keystringyes-Secret key to use for encryption.


Example 7.1: mcrypt XML example

<!-- encryption -->
<crypt type="mcrypt">
  <option name="algorithm" value="blowfish"/>
  <option name="key" value="mySecretKey"/>
</crypt>


Example 7.2: mcrypt JSON example

{
  "type": "mcrypt",
  "options": {
    "algorithm": "blowfish",
    "key": "mySecretKey"
  }
}


openssl

Please be sure to use only password or certFile.

Table 7.3. openssl options

NameValueRequiredDefaultDescription
passwordstringyes-Encrypt backup with 'openssl enc -pass...'.
certFilestringyes-Encrypt backup with 'openssl smime ... myCert.pem'.
algorithmstringyes- Algorithm to use to encrypt the backup. Attention you have to specify different algorithm names for using password and using a cert file.
keepUncryptedbooleannofalseDon't remove the uncrypted backup.
pathToOpenSSLstringno-Used to specify a special path to the openssl command.


Example 7.3: openssl XML example using password encryption

<!-- encryption -->
<crypt type="openssl">
  <option name="password" value="mySecretPassword"/>
  <option name="algorithm" value="aes-256-cbc"/>
</crypt>


Example 7.4: openssl JSON example using password encryption

{
  "type": "openssl",
  "options": {
    "password": "mySecretPassword",
    "algorithm": "aes-256-cbc"
  }
}


Example 7.5: openssl XML example using SSL cert encryption

<!-- encryption -->
<crypt type="openssl">
  <option name="certFile" value="ssl/MyCert.pem"/>
  <option name="algorithm" value="aes256"/>
</crypt>


Example 7.6: openssl JSON example using SSL cert encryption

{
  "type": "openssl",
  "options": {
    "certFile": "ssl/MyCert.pem",
    "algorithm": "aes256"
  }
}


Create a private key and a certificate pem file

To encrypt your backups with a cert file you have to create a private key and a certificate pem file.

$ openssl req -x509 -new -days 100000 -key private.pem -out certificate.pem

The created certificate.pem is used to encrypt your backups and should be referenced in your phpbu configuration as certFile. The private.pem file is used to decrypt your backups.

Decrypt

Decrypt a cert file encoded backup

$ openssl smime -decrypt -aes256 -inform DER \
  -in backup.tar.bz2.enc \
  -out backup.tar.bz2 \
  -inkey private.pem

Decrypt a password encoded backup

$ openssl enc -d -a -aes-256-cbc \
  -in backup.tar.bz2.enc \
  -out backup.tar.bz2 \
  -pass pass:mySecretPassword
Please open a ticket on GitHub to suggest improvements to this page. Thanks!