Netgate Discussion Forum

How to make automated encrypted backups using gpg / pgp that are delivered to your email regularly (tutorial)

    pbengert
    last edited by Mar 5, 2019, 10:47 AM

    This is a short tutorial to show you how you can make your own automated secure backups.
    We will use gpg for it, so you do not need to expose a password on pfSense.
    In the end you will regularly get the config.xml in encrypted form in your email account. In case of a disaster you can use it to restore pfSense.

    1. In pfSense go to -> System -> Advanced -> Notification,
      fill out the e-mail part and make sure you can send e-mails from there

    2. In pfSense go to -> System -> Advanced -> Admin Access and enable: Secure Shell Server

    3. SSH into your Server and choose: 8) Shell

    4. Install gpg2
      For installing packages follow:
      https://docs.netgate.com/pfsense/en/latest/packages/installing-freebsd-packages.html
      The links there are a little outdated; for pfSense 2.4 you can find the packages here:
      http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/
      Unfortunately you will have to look up all dependencies yourself. Here is my list of
      what to install to get gpg2 to work. By the time you try this there may be newer
      versions, so use the link above to find the latest ones, but follow the order of the packages.

    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libtasn1-4.13_1.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/p11-kit-0.23.15.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/tpm-emulator-0.7.4_2.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/trousers-0.3.14_2.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/gnutls-3.6.6_2.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libgpg-error-1.35.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libassuan-2.5.2.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libgcrypt-1.8.4_1.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libksba-1.3.5_1.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/npth-1.6.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/pinentry-tty-1.1.0.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/pinentry-1.1.0_3.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/gnupg-2.2.13.txz

    If all goes well, gpg2 is now installed. Next, import your gpg public key.

    1. a) Create a file called key.asc and copy your public key into it
      b) gpg2 --import key.asc
      c) gpg2 --edit-key 'email_adress_of_gpg_key'
      (replace email_adress_of_gpg_key with the email address of the gpg key; it is shown when you import it)
      At the gpg> prompt type:
      trust
      then choose 5 = I trust ultimately
      then accept with y
      then type: quit
      Now your public key is imported and ultimately trusted, so gpg2 will encrypt to it without prompting and you can use it in pipes.

    2. Check if gpg2 works, run
      /usr/local/bin/gpg2 --encrypt --armor -r email_adress_of_gpg_key --output - /cf/conf/config.xml
      Now your encrypted pgp message should be printed to the terminal

    3. If it works - send it as an email:
      /usr/local/bin/gpg2 --encrypt --armor -r email_adress_of_gpg_key --output - /cf/conf/config.xml | /usr/local/bin/mail.php -s"PFSense-Backup"
      Check if you got the email

    4. In pfSense install the cron package:
      --> System --> Package Manager -> Available Packages -> cron

    5. Set up a cron task to send you your encrypted config.xml
      --> Services --> Cron
      Choose how often to send; I used "0 12 1 * *", which sends it at noon on the 1st day of every month.
      For "who" use root.
      The command is:
      /usr/local/bin/gpg2 --encrypt --armor -r email_adress_of_gpg_key --output - /cf/conf/config.xml | /usr/local/bin/mail.php -s"PFSense-Backup"

    6. If you ever need to use your backup: decrypt the config.xml and follow:
      https://docs.netgate.com/pfsense/en/latest/backup/automatically-restore-during-install.html

    Good luck

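The cron command in the post is a pipeline, and a shell pipeline's exit status is that of its last command, so a gpg failure (for example an expired or missing key) is not reported by the job. An added example, not part of the original post: a /bin/sh wrapper that mails the backup only when gpg succeeded and its output is a complete armored message. The function names, return codes and the `--send` switch are assumptions; the paths and the email_adress_of_gpg_key placeholder are the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): fail-closed version of the cron command.
# Defaults are the paths from the tutorial; RECIPIENT is the post's placeholder.
GPG="${GPG:-/usr/local/bin/gpg2}"
MAILER="${MAILER:-/usr/local/bin/mail.php}"
CONFIG="${CONFIG:-/cf/conf/config.xml}"
RECIPIENT="${RECIPIENT:-email_adress_of_gpg_key}"

# Return 0 only if file $1 is a non-empty, complete ASCII-armored PGP message
# that contains no plaintext config markers.
is_armored_pgp() {
    [ -s "$1" ] || return 1
    [ "$(head -n 1 "$1")" = "-----BEGIN PGP MESSAGE-----" ] || return 1
    [ "$(tail -n 1 "$1")" = "-----END PGP MESSAGE-----" ] || return 1
    ! grep -q -F -e '<pfsense>' -e '<?xml' "$1"
}

# Encrypt $CONFIG into a temp file (mktemp creates it mode 0600), check it, mail it.
# Returns: 0 sent, 1 no temp file, 2 gpg failed, 3 output not armored, 4 mailer failed.
send_backup() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/cfgbackup.XXXXXX") || return 1
    ret=0
    # --batch makes gpg fail instead of waiting on a prompt when run from cron.
    if ! "$GPG" --batch --encrypt --armor -r "$RECIPIENT" --output - "$CONFIG" > "$tmp"; then
        ret=2
    elif ! is_armored_pgp "$tmp"; then
        ret=3
    elif ! "$MAILER" -s"PFSense-Backup" < "$tmp"; then
        ret=4
    fi
    rm -f "$tmp"
    return "$ret"
}

# Only act when called with --send, e.g. from the cron entry.
if [ "${1:-}" = "--send" ]; then
    send_backup || { echo "config backup not sent (code $?)" >&2; exit 1; }
fi
```

Saved under a path of your choice (for example /root/send_config_backup.sh, a hypothetical name), the cron command becomes `/bin/sh /root/send_config_backup.sh --send`.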