Encrypt backup with PGP/GPG public key


To securely store GitLab backups, we would like to encrypt them after creation, and decrypt them before restoring.

This can already be done manually, but it would be useful if GitLab did so automatically as part of the backup and restore rake tasks.

Specifically, we want to support asymmetric encryption using GPG, for reasons summarized in this answer on Serverfault.

That means that when creating a backup, we want to be able to provide a GPG public key, and when restoring from a backup, we want to be able to provide a corresponding GPG private key, with GitLab automatically handling the encryption and decryption for us.

GPG keys are often identified by fingerprint, but since this requires the key to already be loaded in the keychain, it will be easier to require a full path to a key file to be provided. In the first iteration, key paths can be provided as rake task arguments or environment variables.

We can use the ruby-gpgme library, which is already bundled with GitLab, as well as Gitlab::Gpg to make things easier for ourselves.

In a potential future iteration, we could add support for things like:

  • specifying the encryption key in the configuration file instead of as a rake task argument
  • encryption using multiple GPG keys (to allow decryption by different people)
  • identifying a GPG key by fingerprint or public key server URL
  • symmetric (password) encryption

Original issue description

The main idea is to create an encrypted backup. That avoids some of the problems with securing backup storage and allows the backup to be stored in an insecure (less secure) place.

Proposal

In /etc/gitlab/gitlab.rb file add entry:

  • gitlab_rails['backup_encryption_mode'] with 3 possible values:
      • false: disable encryption
      • pgp-gpg: encryption with a PGP/GPG public key
      • password: encryption with a static password (symmetric encryption such as AES-256-OCB or ChaCha20)
  • gitlab_rails['backup_encryption_key'] with:
      • a password if the selected mode is password
      • a PGP/GPG fingerprint if the selected mode is pgp-gpg
      • false if the user wants to use a file (following option)
  • gitlab_rails['backup_encryption_path'] with:
      • a path to a password file if the selected mode is password
      • a path to a PGP/GPG public key file if the selected mode is pgp-gpg
      • an http link to a public key server if the selected mode is pgp-gpg
      • false if the user wants to use the option above

After the standard process run by gitlab-rake gitlab:backup:create has finished, encrypt the tar archive with the selected encryption mode.

For PGP/GPG the public key can be:

  • Downloaded from a public key server (http link)
  • Loaded from a file (path)
  • Already loaded (fingerprint)
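The following is an added example, not GitLab's own code, showing how the proposed gitlab.rb settings (backup_encryption_mode, backup_encryption_key, backup_encryption_path) and the first-iteration environment-variable form described above could be validated and turned into GnuPG invocations for the backup and restore tasks. It shells out to the gpg binary rather than using ruby-gpgme, because gpg's --recipient-file (GnuPG 2.1.14 and later) encrypts to a key file without first importing it into a keyring, which is exactly what "require a full path to a key file" asks for. The module name, method names and the BACKUP_ENCRYPTION_* variable names are assumptions of this example.

```ruby
# Added example (not GitLab code). Maps the proposed backup encryption
# settings onto gpg command lines for gitlab:backup:create / :restore.
# Assumptions: option names as proposed in the issue, GnuPG >= 2.1.14
# (for --recipient-file), hypothetical module/method/env-var names.
require 'open3'
require 'tmpdir'

module BackupEncryption
  MODES = %w[false password pgp-gpg].freeze
  # 16 to 40 hex digits with optional 0x prefix: long key id or full fingerprint
  FINGERPRINT_RE = /\A(0x)?\h{16,40}\z/i

  Config = Struct.new(:mode, :key, :path, keyword_init: true)

  # First iteration in the issue: settings passed as environment variables.
  def self.from_env(env = ENV)
    Config.new(mode: env.fetch('BACKUP_ENCRYPTION_MODE', 'false'),
               key:  env['BACKUP_ENCRYPTION_KEY'],
               path: env['BACKUP_ENCRYPTION_PATH'])
  end

  # Validate the three settings and return [kind, value]. Exactly one of
  # key/path may be set; unreadable files and malformed fingerprints are
  # rejected here, before any backup archive is written.
  def self.resolve(cfg)
    mode = cfg.mode.to_s
    raise ArgumentError, "unknown backup_encryption_mode #{mode.inspect}" unless MODES.include?(mode)
    return [:none, nil] if mode == 'false'

    key  = cfg.key  == false ? nil : cfg.key
    path = cfg.path == false ? nil : cfg.path
    unless [key, path].compact.size == 1
      raise ArgumentError, 'set exactly one of backup_encryption_key / backup_encryption_path'
    end

    if mode == 'password'
      return [:password, key] if key
      raise ArgumentError, "password file not readable: #{path}" unless File.readable?(path)
      return [:password_file, path]
    end

    if key
      raise ArgumentError, "not a key id/fingerprint: #{key}" unless key.match?(FINGERPRINT_RE)
      return [:fingerprint, key]
    end
    # A key server URL must be downloaded and its fingerprint checked before
    # use; this example stops at classifying it and does not fetch keys.
    return [:key_url, path] if path.start_with?('http://', 'https://')
    raise ArgumentError, "public key file not readable: #{path}" unless File.readable?(path)
    [:key_file, path]
  end

  # gpg argv that writes <archive>.gpg. Passphrases never go on the command
  # line (visible in `ps`): an inline password is piped on fd 0 by encrypt!.
  def self.encrypt_command(archive, source)
    kind, value = source
    base = ['gpg', '--batch', '--yes', '--output', "#{archive}.gpg"]
    case kind
    when :password
      base + %w[--symmetric --cipher-algo AES256 --pinentry-mode loopback --passphrase-fd 0] + [archive]
    when :password_file
      base + %w[--symmetric --cipher-algo AES256 --pinentry-mode loopback --passphrase-file] + [value, archive]
    when :fingerprint
      # --trust-model always: a batch run would otherwise fail on a key whose
      # ownertrust has not been set in the keyring
      base + %w[--encrypt --trust-model always --recipient] + [value, archive]
    when :key_file
      # encrypt to the key in the file without importing it into a keyring
      base + %w[--encrypt --recipient-file] + [value, archive]
    else
      raise ArgumentError, "no gpg command for #{kind}"
    end
  end

  # Encrypt the finished backup archive; returns the encrypted path.
  def self.encrypt!(archive, source)
    cmd   = encrypt_command(archive, source)
    stdin = source[0] == :password ? "#{source[1]}\n" : nil
    _out, err, status = Open3.capture3(*cmd, stdin_data: stdin)
    raise "gpg encrypt failed: #{err}" unless status.success?
    "#{archive}.gpg"
  end

  # Restore side: import the private key into a throwaway GNUPGHOME so the
  # restore never touches the service user's keyring, then decrypt.
  def self.decrypt!(encrypted, private_key_path, output)
    Dir.mktmpdir('gitlab-backup-gpg') do |home|
      _o, err, st = Open3.capture3('gpg', '--batch', '--homedir', home, '--import', private_key_path)
      raise "gpg import failed: #{err}" unless st.success?
      _o, err, st = Open3.capture3('gpg', '--batch', '--yes', '--homedir', home,
                                   '--output', output, '--decrypt', encrypted)
      raise "gpg decrypt failed: #{err}" unless st.success?
    end
    output
  end
end
```

A backup task would call `BackupEncryption.encrypt!(tar_path, BackupEncryption.resolve(cfg))` after the tar archive is written, and the restore task `BackupEncryption.decrypt!(tar_path + '.gpg', private_key_path, tar_path)` before unpacking. Two caveats the example leaves to the caller: a passphrase-protected private key needs the passphrase supplied at import time (for example via `--passphrase-file` with `--pinentry-mode loopback`), and a key fetched from a key server over plain http should be verified against a fingerprint the operator already trusts before it is ever used as a recipient.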

Documentation blurb

If you need to store your backup in an insecure place, you should encrypt your backup. To make a secure backup, follow the standard way of creating a backup and then add the steps below.

With password

  1. Go to /etc/gitlab/gitlab.rb
  2. Set gitlab_rails['backup_encryption_mode'] = 'password'
  3. Depending on how you want to store your password, either:
      • Set gitlab_rails['backup_encryption_key'] = 'YourPassWord'
      • Set gitlab_rails['backup_encryption_path'] = '/path/to/your/password/file'
  4. Run sudo gitlab-ctl reconfigure
  5. Run gitlab-rake gitlab:backup:create

With PGP/GPG

  1. Go to /etc/gitlab/gitlab.rb
  2. Set gitlab_rails['backup_encryption_mode'] = 'pgp-gpg'
  3. Depending on how you want to provide your public key, either:
      • Set gitlab_rails['backup_encryption_key'] = '0x123456789abcdefg' (this key must already be loaded in the pgp agent)
      • Set gitlab_rails['backup_encryption_path'] = '/path/to/your/public/key/file'
      • Set gitlab_rails['backup_encryption_path'] = 'http://myPublicKeyServer.com/0x123456789abcdefg'
  4. Run sudo gitlab-ctl reconfigure
  5. Run gitlab-rake gitlab:backup:create
Edited Aug 28, 2025 by 🤖 GitLab Bot 🤖