What's the best practice for taking MySQL dump, encrypting it and then pushing to s3?

5,718

First, you can create a 'user' in MySQL that has read-only permissions for the database in question; that would reduce the potential destructive damage, were an attacker to gain access to your backup script.

Then you could use gpg or pgp encryption on your backup before or after you compress it, and you can do that without needing to provide a password, using your public key.

And of course, you should chmod 700 backupscript.sh to prevent anyone from reading your password.

There may be other ways to do passwordless database snapshots, but I'm not aware of any off the top of my head.

gpg or pgp seems like a superior alternative to the openssl method you've mentioned, because it can be done without a password.

#!/bin/sh
# Create the output file first and restrict it to the owner, so the dump
# is never world-readable even for a moment.
touch db.backup.sql.gz
chmod 600 db.backup.sql.gz
# Dump with the read-only user; --single-transaction gives a consistent
# snapshot for InnoDB without locking tables.
mysqldump -u nonprivuser --password="pass" --all-databases --single-transaction | gzip > db.backup.sql.gz
# Public-key encryption: no passphrase in the script, only the recipient's
# public key. Remove the plaintext archive once the .gpg file exists.
gpg -e -r [email protected] db.backup.sql.gz && rm -f db.backup.sql.gz
# Upload only the encrypted file.
s3put backup/db.backup.sql.gz.gpg db.backup.sql.gz.gpg
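As an added example (not the script from the question or from this answer), here is the same dump-encrypt-upload flow with the two weak points both posts discuss closed: the MySQL password lives in a 0600 option file read via --defaults-extra-file instead of on the command line (where `ps` shows it to every local user), and the dump is piped straight into gpg public-key encryption so neither a plaintext dump nor a symmetric passphrase ever lands on disk. The read-only user `backup_ro`, the key id `backup-key@example.com`, the bucket `s3://example-bucket/backup`, the `MYSQL_BACKUP_PASSWORD` environment variable and the use of `aws s3 cp` for the upload are all assumptions, not anything from the original posts.

```shell
#!/bin/sh
# Added example, not the script from the question or the answer.
# Assumptions (placeholders): a read-only MySQL user "backup_ro" exists,
# the public key for RECIPIENT is already imported into the local gpg
# keyring, and the AWS CLI ("aws s3 cp") is installed and configured.
set -eu
umask 077     # every file this script creates is owner-only (0600 / 0700)

RECIPIENT="${RECIPIENT:-backup-key@example.com}"     # gpg key id, placeholder
BUCKET="${BUCKET:-s3://example-bucket/backup}"       # destination, placeholder

# Write a MySQL client option file. mysqldump reads it with
# --defaults-extra-file, so the password never appears in its argv,
# which `ps` shows to every local user. Prints the path written.
write_client_config() {
  cfg="$1"; user="$2"; pass="$3"
  printf '[client]\nuser=%s\npassword=%s\n' "$user" "$pass" > "$cfg"
  echo "$cfg"
}

# Return 0 only when the path is readable/writable by its owner alone.
# Parses `ls -ld` so it behaves the same on Linux and BSD (stat differs).
perm_is_private() {
  case "$(ls -ld "$1" | cut -c1-10)" in
    -rw-------|-rwx------|drwx------) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the dump pipeline as a string so it can be reviewed (and tested)
# without a live database: dump -> gzip -> gpg public-key encryption, with
# no plaintext file and no symmetric passphrase anywhere on disk.
build_pipeline() {
  cfg="$1"; out="$2"
  printf "mysqldump --defaults-extra-file='%s' --all-databases --single-transaction | gzip | gpg --batch --yes --encrypt --recipient '%s' --output '%s'" \
    "$cfg" "$RECIPIENT" "$out"
}

run_backup() {
  pass="${MYSQL_BACKUP_PASSWORD:?set MYSQL_BACKUP_PASSWORD in the environment}"
  workdir="$(mktemp -d)"
  cfg="$workdir/my.cnf"
  out="$workdir/db.backup.sql.gz.gpg"

  # The script itself must not be readable by others (the answer's chmod 700).
  perm_is_private "$0" || { echo "refusing: $0 is readable by others" >&2; return 1; }

  write_client_config "$cfg" backup_ro "$pass" >/dev/null
  perm_is_private "$cfg" || { echo "refusing: $cfg is readable by others" >&2; return 1; }

  # Under bash, add `set -o pipefail` so a failed mysqldump does not leave
  # an empty but "successfully" encrypted file behind.
  eval "$(build_pipeline "$cfg" "$out")"
  aws s3 cp "$out" "$BUCKET/$(date +%Y%m%d)-db.backup.sql.gz.gpg"

  rm -rf "$workdir"     # the option file (with the password) and the ciphertext go together
}

# Run only when invoked as a script named backup.sh; sourcing the file
# just defines the functions above.
if [ "${0##*/}" = "backup.sh" ]; then
  run_backup
fi
```

Restoring is the mirror image: `aws s3 cp` the object back, then `gpg --decrypt file.gpg | gunzip | mysql --defaults-extra-file=my.cnf`, which needs the private key on the restoring host only, so the backup host can hold nothing but the public key.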

Author: J. LaRosee

Updated on September 17, 2022

Comments

  • J. LaRosee, almost 2 years

    This current project requires that the DB be dumped, encrypted and pushed to s3. I'm wondering what might be some "best practices" for such a task. As of now I'm using a pretty straight ahead method but would like to have some better ideas where security is concerned. Here is the start of my script:

    # Dump as root with the password on the command line (visible in `ps`).
    mysqldump -u root --password="lepass" --all-databases --single-transaction > db.backup.sql
    # Symmetric des3 encryption with a fixed passphrase stored in the script.
    # openssl enc takes the passphrase as -pass pass:..., not --passphrase.
    tar -c db.backup.sql | openssl des3 -salt -pass pass:foopass > db.backup.tarfile
    s3put backup/db.backup.tarfile db.backup.tarfile
    # Let's pull it down again and untar it for kicks
    s3get surgeryflow-backup/db/db.backup.tarfile db.backup.tarfile
    # The archive was created with plain `tar -c`, so extract with -xv (no -j: it is not bzip2-compressed).
    cat db.backup.tarfile | openssl des3 -d -salt -pass pass:foopass | tar -xv

    Obviously the problem is that this script contains everything an attacker would need to raise hell.

    Any thoughts, critiques and suggestions for this task will be appreciated.

  • DevGambit, about 14 years
    Added a short example script for you.
  • Shivam Bajpai, about 9 years
    Good to go I think.