Netgate Discussion Forum

    How to make automated encrypted backups using gpg / pgp that are delivered to your email regularly (tutorial)

      pbengert

      This is a short tutorial to show you how you can make your own automated secure backups.
      We will use gpg for it, so you do not need to expose some password on pfsense.
      In the end you will get the config.xml in encrypted form regularly to your email account. In case of a disaster you can use it to restore pfsense.

      1. in PFSense go to -> System -> Advanced -> Notification
        and fill out the eMail part and make sure you can send eMails from here

      2. in PFSense go to -> System -> Advanced -> Admin Access and enable: Secure Shell Server

      3. SSH into your Server and choose: 8) Shell

      4. Install gpg2
        For installing packages follow:
        https://docs.netgate.com/pfsense/en/latest/packages/installing-freebsd-packages.html
        the links are a little outdated, for PFSense 2.4 you can find the packages here:
        http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/
        Unfortunately you will have to look up all dependencies yourself, here is my aid
        what to install to get gpg2 to work. But maybe when you try that, there are new
        versions, so use the link above to find the latest ones but follow the order of the packages.

      pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libtasn1-4.13_1.txz
      pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/p11-kit-0.23.15.txz
      pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/tpm-emulator-0.7.4_2.txz
      pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/trousers-0.3.14_2.txz
      pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/gnutls-3.6.6_2.txz
      pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libgpg-error-1.35.txz
      pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libassuan-2.5.2.txz
      pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libgcrypt-1.8.4_1.txz
      pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libksba-1.3.5_1.txz
      pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/npth-1.6.txz
      pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/pinentry-tty-1.1.0.txz
      pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/pinentry-1.1.0_3.txz
      pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/gnupg-2.2.13.txz

      If all goes well, gpg2 is now installed. Now import your gpg public key.

      1. a) Create a file called key.asc and copy your public key inside
        b) gpg2 --import key.asc
        c) gpg2 --edit-key 'email_adress_of_gpg_key'
        (replace email_adress_of_gpg_key with the email address of the gpg-key, it is shown when you import it)
        in the gpg> command write:
        trust
        then choose 5 = I trust ultimately
        then accept with y
        then write: quit
        Now your public key is imported and trusted ultimately so you can use it in pipes.

      2. Check if gpg2 works, run
        /usr/local/bin/gpg2 --encrypt --armor -r email_adress_of_gpg_key --output - /cf/conf/config.xml
        Now your encrypted pgp message should be printed to the terminal

      3. If it works - send it as an email:
        /usr/local/bin/gpg2 --encrypt --armor -r email_adress_of_gpg_key --output - /cf/conf/config.xml | /usr/local/bin/mail.php -s"PFSense-Backup"
        Check if you got the email

      4. In PFSense install the cron package:
        --> System --> Package manager -> available package -> cron

      5. Setup a cron task to send you your encrypted config.xml
        --> Services --> Cron
        Choose how often to send, I used "0 12 1 * *" which sends it at noon on every 1st day of the month
        as "who" use root
        the command is:
        /usr/local/bin/gpg2 --encrypt --armor -r email_adress_of_gpg_key --output - /cf/conf/config.xml | /usr/local/bin/mail.php -s"PFSense-Backup"

      6. If you ever need to use your backup: decrypt the config.xml and follow:
        https://docs.netgate.com/pfsense/en/latest/backup/automatically-restore-during-install.html

      Good luck
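
A wrapper for the cron command in the tutorial above, as an added example that is not part of the original post: it encrypts to a temporary file, checks gpg2's exit status and the PGP armor, and only then hands the result to mail.php, so a failed encryption (for example a missing or expired key) is not mailed as an empty or partial body. The function names, the temporary file name and the use of --batch are assumptions of this example; the paths and the mail subject are the ones from the post.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# GPG, MAILER and CONFIG default to the paths used in the tutorial.
GPG="${GPG:-/usr/local/bin/gpg2}"
MAILER="${MAILER:-/usr/local/bin/mail.php}"
CONFIG="${CONFIG:-/cf/conf/config.xml}"

# Succeeds only if the file is non-empty and wrapped in PGP message armor.
is_armored_pgp_message() {
    [ -s "$1" ] || return 1
    [ "$(head -n 1 "$1")" = "-----BEGIN PGP MESSAGE-----" ] || return 1
    [ "$(tail -n 1 "$1")" = "-----END PGP MESSAGE-----" ] || return 1
}

# Usage: send_encrypted_backup <recipient>
# Returns 0 = mailed, 1 = encryption failed, 2 = output is not armored
# ciphertext, 3 = mailer failed. Nothing is mailed unless both checks pass.
send_encrypted_backup() {
    recipient="$1"
    tmp="$(mktemp "${TMPDIR:-/tmp}/cfgbackup.XXXXXX")" || return 1
    # --batch keeps gpg2 from waiting on a prompt when run from cron.
    if ! "$GPG" --batch --encrypt --armor -r "$recipient" \
            --output - "$CONFIG" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if ! is_armored_pgp_message "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    mail_rc=0
    "$MAILER" -s"PFSense-Backup" < "$tmp" || mail_rc=$?
    rm -f "$tmp"
    [ "$mail_rc" -eq 0 ] || return 3
}

# Run only when a recipient is given, e.g. from the cron entry.
[ "$#" -eq 0 ] || send_encrypted_backup "$1"
```

Saved as a script, the cron command becomes the script path followed by the key's email address; a non-zero exit status tells you which stage failed.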

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.