Encrypted Backups

CyberAudit-Web backs up databases in these three ways:

  • Daily backups (if enabled)
  • On demand
  • If the database will be patched as a result of an update to CyberAudit-Web, a database backup is created ahead of the patch.

By default, database backup files are not encrypted. For environments that require all data at rest to be encrypted, a CyberAudit-Web server offers a utility that can encrypt all database backups. It uses ChaCha20-Poly1305 for the symmetric encryption and Ed25519 for the asymmetric crypto.

Enabling Encrypted Backups

Encrypted backups are enabled and disabled using a command line utility, videx-encrypted-backup. It is a server-wide setting. When enabled, databases for all accounts on the system will be encrypted. Open a command line on the server and enter

sudo videx-encrypted-backup -enable

Enter the sudo password for the system, then follow the instructions presented.

This will enable encrypted database backups on this server.
Two cryptographic keys are used:
1. A public key to encrypt the backup files.
2. A private key to decrypt the files.
Only the private key can decrypt backup files. The public key cannot decrypt.
The private key must be kept secure and backed up. The public key does not
need to be backed up because it can be calculated from the private key.

How do you wish to proceed?
g. Generate a new secure-random key pair.
i. Import an existing private key.
Enter choice (g/i):

If you are restoring or rebuilding from another system, select (i) to import the private key from the original system. This would be useful if there are a number of backup files from that system to restore. Otherwise, enter (g) to generate a new key pair.

How do you wish to proceed?
g. Generate a new secure-random key pair.
i. Import an existing private key.
Enter choice (g/i): g

Generating random key pair...
Private Key:

CAW-PRIVATE-KEY-1H5HUTAP7L3MYYN2RXDUUG6ANJK6N0VQK2KL87VFF7D0GYQS92H6SE6FXUX02

Copy the above line of text and print it out and save it in an encrypted
password manager program.

CRITICAL! IF YOU LOSE the above decryption key all database backups will also
BE LOST!. It is highly recommended that multiple people in your organization
be given a copy of this decryption key to reduce risk of loss.

Do not proceed until you have saved at least two copies of the decryption key.
Type 'n' to abort and leave encrypted backups disabled.
Have you saved the decryption key? (y/n):

As the instructions say, it is critical to save the decryption key in a safe place in order to restore the database backups onto another system. Without the key, the backups are useless.

Have you saved the decryption key? (y/n): y

For verification, enter the decryption key which you saved
Private Key:

videx-encrypted-backup then prompts to enter the private key to verify it. The private key always begins with 'CAW-PRIVATE-KEY'.

For verification, enter the decryption key which you saved
Private Key: CAW-PRIVATE-KEY-1H5HUTAP7L3MYYN2RXDUUG6ANJK6N0VQK2KL87VFF7D0GYQS92H6SE6FXUX02

Correct.
You can optionally save the decryption key to a file on this server. It
might be more convenient to view the contents of this file than opening your
password manager. The file will be readable only by root (sudo) but will not be encrypted.

Save decryption key to /root/backups.privatekey (y/n):

With the correct private key entered, videx-encrypted-backup then offers to save the private key to a file readable only by root (sudo). This would normally be recommended.

Save decryption key to /root/backups.privatekey (y/n): y

Wrote /root/backups.privatekey
Success. Encrypted backups are enabled.

videx-encrypted-backup writes the private key file and returns a success message.

Additional options for videx-encrypted-backup

videx-encrypted-backup is also called from the daily backup cron and may be used with custom scripts if desired. Entering the -help parameter displays the options available.

~-> sudo videx-encrypted-backup -help
Usage of videx-encrypted-backup:
-backup
[database name] [output.cbe] backup specified database to encrypted file
-decrypt
[file.cbe] [output.sql] Decrypt a CAW backup file to stdout or file. Private key is read from stdin.
-disable
Disable encrypted database backups on this server
-enable
Enable encrypted database backups on this server
-get-pubkey-from-private-key
Print the public key which corresponds to given private key
-merge
Allows -restore into non-empty database. Tables not in the dump will remain unmodified.
-meta-data-b64 string
Meta-data text to write into the file header (base64)
-mysql-params string
Tab delimited user=X pass=X host=X globaldb=X
-progress
Print restore progress to stdout
-restore
[file.cbe] [database name] restore a MySQL database from encrypted file
-status
Check if encrypted backups are enabled or disabled
-verify-private-key
Prompt for private key and verify that it is correct for this server
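The following is an added example of such a custom script, not part of the CyberAudit-Web documentation or the utility itself. It uses only the -backup and -decrypt options shown above to back up one database and then confirms that the private key stored by -enable really decrypts the result, so a lost or mismatched key is caught at backup time rather than during a restore. The database name, output directory and key file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the CyberAudit-Web docs): scripted encrypted backup
# of one database followed by a decrypt test with the stored private key.
# Assumed: database name passed as $1, OUT_DIR, and the key file written
# by "videx-encrypted-backup -enable" (/root/backups.privatekey).
set -eu

KEY_FILE="${KEY_FILE:-/root/backups.privatekey}"
OUT_DIR="${OUT_DIR:-/var/backups/caw}"

# Private keys produced by the tool always begin with this prefix.
key_is_well_formed() {
  case "$1" in
    CAW-PRIVATE-KEY-[A-Z0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Date-stamped output path: $1 = database name, $2 = timestamp (YYYYMMDD-HHMM)
backup_path() {
  printf '%s/%s-%s.cbe' "$OUT_DIR" "$1" "$2"
}

encrypted_backup_with_drill() {
  db="$1"
  out="$(backup_path "$db" "$(date +%Y%m%d-%H%M)")"
  umask 077                       # backup and scratch files readable by root only
  mkdir -p "$OUT_DIR"

  # 1. Refuse to continue if the stored key is missing or malformed.
  key="$(cat "$KEY_FILE")"
  key_is_well_formed "$key" || { echo "bad key in $KEY_FILE" >&2; return 2; }

  # 2. Encrypt the backup with the server-wide public key.
  videx-encrypted-backup -backup "$db" "$out"

  # 3. Restore drill: decrypt with the stored key. The key goes in on stdin,
  #    as -decrypt expects, so it never shows up in ps output or shell history.
  tmp="$(mktemp)"
  printf '%s\n' "$key" | videx-encrypted-backup -decrypt "$out" "$tmp"
  test -s "$tmp" || { echo "decrypt test produced an empty dump" >&2; rm -f "$tmp"; return 3; }
  rm -f "$tmp"
  echo "OK: $out written and verified decryptable with $KEY_FILE"
}

# Usage: encrypted-backup-job.sh <database name>
if [ $# -gt 0 ]; then
  encrypted_backup_with_drill "$1"
fi
```

Run it from the same cron that calls the daily backup, or by hand after rotating or re-importing a key, to confirm the stored copy still matches the server.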