ISPmanager Lite Documentation

Encryption of backup copies

Starting from version 5.81, backups can be encrypted in ISPmanager (Lite and Business). Encryption uses the OpenSSL library.

Purpose

Encryption protects backup data from unauthorized access. This matters most for remote storages such as Dropbox, Amazon S3, FTP and SFTP, where the storage provider or anyone who obtains the credentials can read the stored files.

Files

Backup files with the F, I and C prefixes can be encrypted. Encrypted files get the aes extension, for example F2016-10-18.usr2#.tgz.aes. The backup listing files, whose names begin with a date, for example 2016-10-18.usr2#.tgz.aes, can also be encrypted.

Information files, which have the info extension, for example 2016-10-18.usr2#.info, are not encrypted. The key_hash parameter in an info file holds a hash of the backup password, not the password itself.

The info files and the backup listing files kept in the local directory /usr/local/mgr5/var/backup/ispmgr are not encrypted.

Encryption algorithm

Backups are encrypted with AES-256 from the OpenSSL library (in CBC mode, as the openssl commands at the end of this page show). The backup password is not stored anywhere; the info file holds its SHA-256 hash in the key_hash parameter. Note that a hash is not encryption: anyone who obtains an info file can test password guesses against key_hash offline, so choose a long, random backup password and keep the info files as protected as the archives themselves.

How to enable and disable encryption

To enable encryption, open the "Backup" form, switch to the "Main" tab, enter a password into the "Backup password" field and click "Ok".

To disable encryption, clear the "Backup password" field and click "Ok".

Encryption and differential backups

Encryption affects whether the next backup is created as a differential copy or as a full one. In each of the following cases the system creates a full copy instead of a differential one:

If encryption is enabled while a full copy already exists and the current day is not Sunday (the day a full copy is normally made), the next backup is a full copy rather than a differential one.

If the existing full copy was created with encryption enabled and the password has since been changed, a new full copy is created.

If encryption was enabled for the existing full copy and has since been disabled, a new full copy is created.

Restoring after a password reset

If a backup was created with a password and the password has since been reset (the "Backup password" field cleared), a password form is displayed when you restore from or download that backup. If the password entered is wrong, a corresponding error message is shown.

If the administrator selects several users whose backups were created with different passwords, the system offers to restore the users one by one and asks for the password of each backup.

User storage

Encryption can also be enabled for user storage. Log in as the user and follow the steps described in "How to enable and disable encryption".

The main storage cannot be used as user storage.

Encrypted archive import

You can import an encrypted archive at the Admin level in the User import form. In the "Source type" field choose the local archive or directory option and enter the path to the directory with the full encrypted archive; the directory must contain the listing file, the info file and the data files. Then enter the password of the encrypted archive.

The password is not changed when an encrypted archive is imported; the imported backup keeps the password it was created with.

Examples of commands for encrypting and decrypting an archive

Encrypting
openssl enc -e -md md5 -pass pass:<password> -aes-256-cbc -in /path/to/file.part -out /path/to/file.aes.part
Decrypting
openssl enc -md md5 -d -pass pass:<password> -aes-256-cbc -in /path/to/file.aes.part -out /path/to/file.part

Comments to the commands

<password> — password of the backup copy

/path/to/file.part — path to the backup file

/path/to/file.aes.part — path to the encrypted (aes) file

-md md5 — the digest openssl uses to derive the AES key and IV from the password. It must be the same for encryption and decryption: OpenSSL 1.1.0 changed the default from md5 to sha256, so a file encrypted without an explicit -md on a newer OpenSSL cannot be decrypted with the -md md5 command above, and vice versa. Give the option explicitly on both sides.

-pass pass:<password> — puts the password on the command line, where any local user can read it from the process list. Prefer -pass env:VARIABLE or -pass file:/path/to/file with a restrictively permissioned file.
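The following shell script is an added example and not part of ISPmanager or its documentation. It wraps the documented openssl commands in functions so that the two points a practitioner has to get right can be exercised end to end: the key-derivation digest (-md) must be identical for encryption and decryption, and a wrong password or a mismatched digest must be detected rather than silently produce garbage. It assumes a constructed sample payload in place of a real backup part, pins -md md5 because the page's own decryption command uses it, and passes the password through the environment (-pass env:BACKUP_PASS) instead of pass:<password>; the function names and the variable name BACKUP_PASS are this example's own choices.

```shell
#!/bin/sh
# Added example, not ISPmanager's own tooling. Requires the openssl CLI.

# encrypt_part IN OUT DIGEST PASSWORD
# AES-256-CBC, key and IV derived from PASSWORD with the given digest.
# The password reaches openssl through the environment of this one
# process only, so it never appears on the command line.
encrypt_part() {
    BACKUP_PASS="$4" openssl enc -e -aes-256-cbc -md "$3" \
        -pass env:BACKUP_PASS -in "$1" -out "$2" 2>/dev/null
}

# decrypt_part IN OUT DIGEST PASSWORD
# Inverse of encrypt_part. openssl exits non-zero ("bad decrypt") when
# the CBC padding of the last block does not check out, which is what a
# wrong key normally produces. Warnings about the deprecated key
# derivation are suppressed together with the error text.
decrypt_part() {
    BACKUP_PASS="$4" openssl enc -d -aes-256-cbc -md "$3" \
        -pass env:BACKUP_PASS -in "$1" -out "$2" 2>/dev/null
}

# roundtrip ENC_PASS DEC_PASS ENC_DIGEST DEC_DIGEST
# Returns 0 only if decrypting the encrypted sample with DEC_PASS and
# DEC_DIGEST reproduces the original bytes exactly. Comparing the bytes
# (cmp) rather than trusting openssl's exit status also catches the rare
# case where a wrong key yields padding that happens to look valid.
roundtrip() {
    dir=$(mktemp -d) || return 1
    plain="$dir/F2016-10-18.usr2#.tgz.part"
    # Constructed stand-in for a backup part; a real one is a tar stream.
    printf 'constructed sample backup payload, not a real archive\n' > "$plain"
    rc=1
    if encrypt_part "$plain" "$plain.aes" "$3" "$1" &&
       decrypt_part "$plain.aes" "$dir/restored.part" "$4" "$2" &&
       cmp -s "$plain" "$dir/restored.part"; then
        rc=0
    fi
    rm -rf "$dir"
    return $rc
}

# Stand-alone demonstration of the three cases a practitioner runs into.
if roundtrip 'correct horse battery' 'correct horse battery' md5 md5; then
    echo "same password, same digest: restored OK"
fi
if ! roundtrip 'correct horse battery' 'wrong password' md5 md5; then
    echo "wrong password: decryption rejected"
fi
if ! roundtrip 'correct horse battery' 'correct horse battery' sha256 md5; then
    echo "digest mismatch (encrypted with sha256, decrypted with md5): rejected"
fi
```

The third case is the one that bites when archives are moved between hosts with different OpenSSL versions: the file encrypts and decrypts without any error about the digest, but the derived key differs and the restore fails. Pinning -md on both sides, as the documented decryption command already does, removes that dependency on the default.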