Backup Encryption - GPG Encryption process

Submitted by code_admin on Tue, 07/17/2018 - 17:38

GPG Notes

I generated my key pair on catness

Generate key pair

  gpg --gen-key

I used RSA and RSA
4096 bytes
My google details
0 expiry
It took ages to generate

Check:

  gpg --list-keys

Export my public key

  gpg --armor --export rmetcalf9@googlemail.com > /home/robert/otherGit/Personal_Infrastructure/rmetcalf9.publickey

(I put it in the root of my personal infrastructure repo.)

Import public key

For my website I transfer the public key file via ansible (global machine setup) and use the following command:

  gpg --import ~/rmetcalf9.publickey

The imported key needs to be marked as trusted, otherwise the encrypt step prompts every time:

Trust the key (open it in gpg's key edit mode and type trust at the prompt)

https://www.gnupg.org/gph/en/manual/x56.html

Decrypt file

  gpg --output ${OUTPUT_FILE} --decrypt ${INPUT_FILE}

Backup of my key goes in my catness documents dir (the exported backup still needs the passphrase to use):

  gpg --export-secret-key -a "rmetcalf9@googlemail.com" > rmetcalf9.privatekey

I also keep it in other locations

OLD OpenSSL Backup process is below (was node 285 on code2)

I use public keys for my backup using a method similar to the one found here "http://askubuntu.com/questions/95920/encrypt-tar-gz-file-on-create"

I have a public key and private key stored in my static backup directory.

The public key is needed to create a backup.
The private key is needed to restore a backup.

For a backup file xxx.tar.gz:

Generate a random passphrase and put it into a file key.txt
Encrypt the backup tar with the random passphrase, giving xxx.tar.gz.enc
Encrypt key.txt with my public key from the rjm_static_secret folder, giving xxx.tar.gz.key
Upload xxx.tar.gz.dat and xxx.tar.gz.key to online and offline backup locations

Example

  # openssl rand takes its options before the byte count
  openssl rand -out ${ENCDIR}/key.txt 128
  openssl enc -aes-256-cbc -pass file:${ENCDIR}/key.txt < ${ENCDIR}/catness_encrtpyed.tar.gz > ${CATNESS_BACKUP_DIR}/${NEWNUM}_catness_encrtpyed.tar.gz.enc
  openssl rsautl -encrypt -pubin -inkey ${PUBKEYFILE} < ${ENCDIR}/key.txt > ${CATNESS_BACKUP_DIR}/${NEWNUM}_catness_encrtpyed.tar.gz.key

To Restore xxx.tar.gz

Download xxx.tar.gz.dat and xxx.tar.gz.key from the online or offline backup location
Get access to the private key in the rjm_static_secret folder
Decrypt xxx.tar.gz.key to give me key.txt
Decrypt xxx.tar.gz.dat to give me the data

Example

  DOWNLOADED_ENCKEY=/home/robert/Documents/backups/catness/0002_catness_encrtpyed.tar.gz.key
  DOWNLOADED_ENCFILE=/home/robert/Documents/backups/catness/0002_catness_encrtpyed.tar.gz.enc
  STATIC_SECRET_DIR=/home/robert/Documents/backups/rjm_static_secret
  OUTPUT_FILE=/home/robert/Documents/backups/unencrypted.tar.gz

  openssl rsautl -decrypt -inkey ${STATIC_SECRET_DIR}/key.pem < ${DOWNLOADED_ENCKEY} > ${DOWNLOADED_ENCKEY}.notencrypted
  openssl enc -aes-256-cbc -d -pass file:${DOWNLOADED_ENCKEY}.notencrypted < ${DOWNLOADED_ENCFILE} > ${OUTPUT_FILE}
  rm ${DOWNLOADED_ENCKEY}.notencrypted

Generating rjm_static_secret folder

Created the folder in the catness encrypted location first,
launched bash and went into the directory.
Generated the keys:

  openssl genrsa -out key.pem 4096
  openssl rsa -in key.pem -out key-public.pem -outform PEM -pubout

Finally I needed to create an encrypted version of this directory that I can safely put on family PCs
(run from the parent directory):

  tar -cvpzf rjm_satic_secret.tar.gz rjm_static_secret
  openssl enc -aes-256-cbc -pass file:<( echo -n "PPP" ) < rjm_satic_secret.tar.gz > rjm_satic_secret.tar.gz.enc
  rm rjm_satic_secret.tar.gz

Change PPP to the real password.

The public key can go to any location where I must make backups.

Retrieving the unencrypted rjm_static_secret folder

Get the encrypted archive. In the same directory as it, run the following:

  openssl enc -aes-256-cbc -d -pass file:<( echo -n "PPP" ) < rjm_satic_secret.tar.gz.enc > rjm_satic_secret.tar.gz
  tar -xvzf rjm_satic_secret.tar.gz
  rm rjm_satic_secret.tar.gz

openssl rand -out key.txt 32

RJM Article Type
Work Notes