How to make automated encrypted backups using gpg / pgp that are delivered to your email regularly (tutorial)
This is a short tutorial showing how to make your own automated, encrypted backups.
We use gpg for it, so no password needs to be stored on pfSense: the firewall only holds your public key, and only the holder of the matching private key can read the backup.
In the end you will regularly receive config.xml in encrypted form at your email account. In case of a disaster you can use it to restore pfSense.
In pfSense go to -> System -> Advanced -> Notifications
and fill out the E-Mail part; make sure you can actually send e-mails from there.
In pfSense go to -> System -> Advanced -> Admin Access and enable: Secure Shell Server
SSH into your server and choose 8) Shell from the console menu.
Install gpg2
For installing packages follow:
https://docs.netgate.com/pfsense/en/latest/packages/installing-freebsd-packages.html
The links there are a little outdated; for pfSense 2.4 you can find the packages here:
http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/
Unfortunately you will have to look up all dependencies yourself. Here is my list of
what to install to get gpg2 working. There may be newer versions by the time you try it,
so use the link above to find the latest ones, but keep the order of the packages.
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libtasn1-4.13_1.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/p11-kit-0.23.15.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/tpm-emulator-0.7.4_2.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/trousers-0.3.14_2.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/gnutls-3.6.6_2.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libgpg-error-1.35.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libassuan-2.5.2.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libgcrypt-1.8.4_1.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libksba-1.3.5_1.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/npth-1.6.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/pinentry-tty-1.1.0.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/pinentry-1.1.0_3.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/gnupg-2.2.13.txz
If all goes well, gpg2 is now installed. Next, import your gpg public key.
a) Create a file called key.asc and paste your public key into it
b) gpg2 --import key.asc
c) gpg2 --edit-key 'email_adress_of_gpg_key'
(replace email_adress_of_gpg_key with the email address of the gpg key; it is shown when you import it)
At the gpg> prompt type:
trust
then choose 5 = I trust ultimately
then confirm with y
then type: quit
Now your public key is imported and trusted ultimately, so gpg2 will encrypt to it without an interactive "use this key anyway?" prompt and you can use it in pipes.
Check that gpg2 works; run:
/usr/local/bin/gpg2 --encrypt --armor -r email_adress_of_gpg_key --output - /cf/conf/config.xml
Your encrypted PGP message should now be printed to the terminal.
If that works, send it as an email:
/usr/local/bin/gpg2 --encrypt --armor -r email_adress_of_gpg_key --output - /cf/conf/config.xml | /usr/local/bin/mail.php -s"PFSense-Backup"
Check that you received the email.
In pfSense install the cron package:
--> System --> Package Manager --> Available Packages --> cron
Set up a cron task to send you your encrypted config.xml:
--> Services --> Cron
Choose how often to send it; I used "0 12 1 * *", which sends it at noon on the 1st day of every month.
As the user ("Who"), use root.
The command is:
/usr/local/bin/gpg2 --encrypt --armor -r email_adress_of_gpg_key --output - /cf/conf/config.xml | /usr/local/bin/mail.php -s"PFSense-Backup"
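As an added example (this script is not from the original post, nor pfSense's or Netgate's own code), here is a small wrapper that does the same encrypt-and-mail job as the one-liner above but checks its own work first. With the bare pipe, mail.php sends whatever arrives on its stdin, so a failed encryption (key not found, expired key, a typo in the recipient) would quietly mail an empty or truncated message and you would only notice on restore day. The wrapper writes gpg2's output to a temporary file, refuses to mail it unless it is a complete ASCII-armored PGP message that contains no unencrypted <pfsense> XML, and logs the outcome to the system log. The file paths, the BACKUP_RECIPIENT variable and the syslog tag are assumptions; the recipient placeholder is the tutorial's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: encrypt config.xml, verify the
# result really is an armored PGP message, and only then hand it to mail.php.
# Paths and the BACKUP_RECIPIENT variable are assumptions; adjust for your box.

GPG=/usr/local/bin/gpg2
MAILER=/usr/local/bin/mail.php
CONFIG=/cf/conf/config.xml
RECIPIENT="${BACKUP_RECIPIENT:-email_adress_of_gpg_key}"   # placeholder from the tutorial
SUBJECT="PFSense-Backup"

# Return 0 if FILE is a complete armored PGP message and contains no cleartext
# pfSense XML; anything else (empty file, gpg error text, truncated armor,
# config in the clear) returns 1 so it is never mailed.
is_armored_pgp_message() {
    file="$1"
    [ -s "$file" ] || return 1
    [ "$(head -n 1 "$file")" = "-----BEGIN PGP MESSAGE-----" ] || return 1
    grep -q '^-----END PGP MESSAGE-----$' "$file" || return 1
    # base64 armor never contains '<', so this only matches leaked plaintext
    if grep -q '<pfsense>' "$file"; then
        return 1
    fi
    return 0
}

# Encrypt SRC for RECIPIENT into DST; returns gpg2's exit status.
# --batch keeps gpg2 from waiting on a prompt when run from cron.
encrypt_config() {
    src="$1"; recipient="$2"; dst="$3"
    "$GPG" --batch --yes --encrypt --armor -r "$recipient" --output "$dst" "$src"
}

# Encrypt, validate, mail. Logs to syslog (visible under Status -> System Logs)
# and returns non-zero on any failure so nothing half-done is sent.
send_backup() {
    tmp="$(mktemp /tmp/pfsense-backup.XXXXXX)" || return 1
    if ! encrypt_config "$CONFIG" "$RECIPIENT" "$tmp"; then
        logger -t pfsense-backup "gpg2 encryption failed; backup NOT sent"
        rm -f "$tmp"; return 1
    fi
    if ! is_armored_pgp_message "$tmp"; then
        logger -t pfsense-backup "output is not an armored PGP message; backup NOT sent"
        rm -f "$tmp"; return 1
    fi
    "$MAILER" -s"$SUBJECT" < "$tmp"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && logger -t pfsense-backup "encrypted config.xml mailed"
    return "$rc"
}

# Only do the work when invoked as `sh pfsense-gpg-backup.sh run`; sourcing
# or running it without the argument just defines the functions.
if [ "${1:-}" = "run" ]; then
    send_backup
fi
```

Save it as, for instance, /root/pfsense-gpg-backup.sh and use `/bin/sh /root/pfsense-gpg-backup.sh run` as the cron command in place of the pipe; the `run` argument is required so that the cron entry is the only thing that triggers a send. A temporary file is used instead of `set -o pipefail` because the FreeBSD 11 /bin/sh underneath pfSense 2.4 does not support that option.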
If you ever need to use your backup: decrypt the config.xml with your private key and follow:
https://docs.netgate.com/pfsense/en/latest/backup/automatically-restore-during-install.html
Good luck