Encrypt backup with PGP/GPG public key
To securely store GitLab backups, we would like to encrypt them after creation, and decrypt them before restoring.
This can already be done manually, but it would be useful if GitLab did so automatically as part of the backup and restore rake tasks.
Specifically, we want to support asymmetric encryption using GPG, for reasons summarized in this answer on Serverfault.
That means that when creating a backup, we want to be able to provide a GPG public key, and when restoring from a backup, we want to be able to provide a corresponding GPG private key, with GitLab automatically handling the encryption and decryption for us.
GPG keys are often identified by fingerprint, but since this requires the key to already be loaded in the keychain, it will be easier to require a full path to a key file to be provided. In the first iteration, key paths can be provided as rake task arguments or environment variables.
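The manual encrypt-before-storing and decrypt-before-restoring flow that this automation would replace, sketched as an added shell example (not GitLab's code and not part of the original issue). The key is read from a file path into a throwaway keyring, so nothing has to be loaded in the keychain first. The function names and the choice of `--trust-model always` are assumptions of this example, which also assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example, not GitLab code. Function and file names are hypothetical.
# Assumes GnuPG 2.1+ (gpg, gpgconf) on PATH.

# Run "$@" in a subshell with a throwaway keyring, removed on exit, so the
# key does not have to be loaded in anyone's keychain beforehand.
with_temp_keyring() (
    GNUPGHOME=$(mktemp -d) || exit 1          # mktemp -d creates it mode 0700
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    "$@"
)

# $1 = public key file, $2 = archive; writes "$2.gpg"
_encrypt() {
    gpg --batch --quiet --import "$1" || return 1
    # Fingerprint of the first key in the file becomes the recipient.
    fpr=$(gpg --batch --with-colons --list-keys |
          awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1
    # The key came from an operator-supplied path, so no web-of-trust
    # lookup is done (--trust-model always is this example's choice).
    gpg --batch --yes --quiet --trust-model always --recipient "$fpr" \
        --output "$2.gpg" --encrypt "$2"
}

# $1 = private key file, $2 = encrypted archive, $3 = output archive
_decrypt() {
    gpg --batch --quiet --import "$1" || return 1
    # Passphrase prompts, if the key has one, are left to gpg-agent.
    gpg --batch --yes --quiet --output "$3" --decrypt "$2"
}

# Usage: encrypt_backup PUBLIC_KEY_FILE ARCHIVE
#        decrypt_backup PRIVATE_KEY_FILE ARCHIVE.gpg OUTPUT
encrypt_backup() { with_temp_keyring _encrypt "$@"; }
decrypt_backup() { with_temp_keyring _decrypt "$@"; }
```

Only the public key file needs to be present on the host that creates backups; the private key file is needed only where a restore is run.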
We can use the ruby-gpgme library, which is already bundled with GitLab, as well as Gitlab::Gpg to make things easier for ourselves.
In a potential future iteration, we could add support for things like:
- specifying the encryption key in the configuration file instead of as a rake task argument
- encryption using multiple GPG keys (to allow decryption by different people)
- identifying a GPG key by fingerprint or public key server URL
- symmetric (password) encryption
Original issue description
The main idea is to create an encrypted backup. That will avoid some problems with the security of backup storage and allow storing the backup in an insecure (less secure) place.
Proposal
In the /etc/gitlab/gitlab.rb file, add the entries:
- gitlab_rails['backup_encryption_mode'] with 3 values
  - false: disable encryption
  - pgp-gpg: encryption with PGP/GPG public key
  - password: encryption with static password (symmetric encryption like AES-256-OCB or ChaCha20)
- gitlab_rails['backup_encryption_key'] with
  - A password if the selected mode is password
  - A PGP/GPG fingerprint if the selected mode is pgp-gpg
  - false if the user wants to use a file (following option)
- gitlab_rails['backup_encryption_path']
  - A path to a password file if the selected mode is password
  - A path to a PGP/GPG public key if the selected mode is pgp-gpg
  - An http link on a public key server if the selected mode is pgp-gpg
  - false if the user wants to use the option above
After the standard process done by gitlab-rake gitlab:backup:create, encrypt the tar archive with the selected encryption mode.
For PGP/GPG the public key can be:
- Downloaded from a public key server (http link)
- Loaded from a file (path)
- Already loaded (fingerprint)
Documentation blurb
If you need to store your backup in an insecure place, you should encrypt your backup. To make a secure backup, follow the standard way of creating a backup and add the following steps.
With password
- Go to /etc/gitlab/gitlab.rb
- Set gitlab_rails['backup_encryption_mode'] = 'password'
- Depending on how you want to store your password:
  - Set gitlab_rails['backup_encryption_key'] = 'YourPassWord'
  - Set gitlab_rails['backup_encryption_path'] = '/path/to/your/password/file'
- Run sudo gitlab-ctl reconfigure
- Run gitlab-rake gitlab:backup:create
With PGP/GPG
- Go to /etc/gitlab/gitlab.rb
- Set gitlab_rails['backup_encryption_mode'] = 'pgp-gpg'
- Depending on how you want to provide your public key:
  - Set gitlab_rails['backup_encryption_key'] = '0x123456789abcdefg' (This key must already be loaded in the pgp agent)
  - Set gitlab_rails['backup_encryption_path'] = '/path/to/your/public/key/file'
  - Set gitlab_rails['backup_encryption_path'] = 'http://myPublicKeyServer.com/0x123456789abcdefg'
- Run sudo gitlab-ctl reconfigure
- Run gitlab-rake gitlab:backup:create