Most secure method for retrieving SQL backups
Looking for advice on this matter, and I didn't know any other forum category that would be better than this one.
I'm looking for a good way for my web site client to regularly retrieve his own MySQL backups. My plan is to set a cron job to dump the contents of his database into a SQL text file, and set another job to either send him the SQL file or give him a link to retrieve it.
But what is a secure way of doing that? Certainly I'm aware that the SQL file should not be stored within the web root directory. But whether it is mailed as an attachment or sent over HTTP after the client has authenticated with a password, neither of these transfer methods is secure. It will simply be plain text transmitted over the Internet. Short of SSL, is there anything to be done?
It does occur to me that, since this particular site does not use SSL, any information in its database is being transmitted insecurely over HTTP at one time or another. So perhaps it's no more worrisome to transmit the SQL file? I'm looking for anyone's thoughts on the matter.
If you wish to provide some sense of security without SSL, you could write an encrypted ZIP/GZIP file to provide to your client via a "server-side authenticated file-serving" script. You'll have to determine the best method of doing this for your particular server, of course (OS, web server, scripting languages, etc.). On a *nix system with the zip command you can supply a password to encrypt the file with on the command line using the -P option (though it is recommended to encrypt interactively using the -e option).
Bear in mind, this doesn't come anywhere near the security of just using SSL (which is pretty cheap for a basic cert). But, it offers a bit of security without having to find, author, or purchase any special encryption/decryption software.
I will look into this. Thanks!
I have been able to successfully use zip to compress the file, and the -e flag to encrypt it interactively. However, when I tried to use the -P flag you mentioned, it was not recognized. Can you give me an example of how to use password protection in the command, rather than interactively? (I know it's less secure, but right now I'm just trying to put this in an .sh file I can run as a cron job, and I'll worry about improving it later.)
Sure--this may vary based on OS though. On CentOS, the following command will place test.file into a ZIP archive protected with password default:
zip -P default test.zip test.file
You'll probably want to check the manpage for details on the version of ZIP that ships with your particular OS.
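Putting the two replies above together (dump outside the web root, then password-protect the dump with zip -P) as a cron-ready script. This is an added example written for this thread, not a script posted by anyone in it. It assumes Info-ZIP zip with -P support and mysqldump are installed; the backup directory, database name, the .my.cnf credentials file and the passphrase file are all placeholder paths. Two practical points it bakes in: the database password and the zip passphrase are read from files with mode 600 rather than written into the script or crontab, and every file the job creates is owner-only (umask 077, chmod 600/700). Two limitations it cannot fix: a password passed via -P is visible in the process list for as long as zip runs, and zip's traditional PKZIP encryption is a weak cipher, so this is a stopgap, as the reply says, not a substitute for SSL or a proper encryption tool.

```shell
#!/bin/sh
# Added example for this thread (not code from the thread itself).
# Nightly MySQL dump -> password-protected zip, stored outside the web root.
# Assumptions: Info-ZIP `zip` (with -P) and `mysqldump` are installed; all
# paths and names below are placeholders to be adjusted for the real server.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/var/backups/client-db}"          # assumption: outside the web root
DB_NAME="${DB_NAME:-client_db}"                              # placeholder database name
MYSQL_DEFAULTS="${MYSQL_DEFAULTS:-$HOME/.my.cnf}"            # DB user/password live here (mode 600)
PASSWORD_FILE="${PASSWORD_FILE:-/etc/backup/zip-passphrase}" # zip passphrase, one line, mode 600
KEEP="${KEEP:-7}"                                            # number of archives to retain

# Create the backup directory so that only the owner can read or list it.
prepare_dir() {
    umask 077
    mkdir -p "$1"
    chmod 700 "$1"
}

# Print the permission string of a path (e.g. "drwx------"); used for self-checks.
perm_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# Dump one database to a plaintext .sql file readable only by the owner.
# --defaults-file keeps the DB password off the command line.
dump_db() {
    db="$1"; out="$2"
    umask 077
    mysqldump --defaults-file="$MYSQL_DEFAULTS" --single-transaction "$db" > "$out"
}

# Wrap the dump in a password-protected zip, then remove the plaintext dump.
# The passphrase comes from a file so it is in neither this script nor the
# crontab; it is still visible in zip's argv while zip runs (limitation of -P).
encrypt_dump() {
    sql="$1"; archive="$2"; pwfile="$3"
    pw=$(cat "$pwfile")
    umask 077
    rm -f "$archive"
    zip -q -j -P "$pw" "$archive" "$sql"
    chmod 600 "$archive"
    rm -f "$sql"
}

# Delete all but the newest $KEEP archives (file names are ours, no spaces).
prune_old() {
    dir="$1"; keep="$2"; n=0
    for f in $(ls -1t "$dir"/*.zip 2>/dev/null); do
        n=$((n + 1))
        if [ "$n" -gt "$keep" ]; then
            rm -f "$f"
        fi
    done
}

main() {
    prepare_dir "$BACKUP_DIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    sql="$BACKUP_DIR/$DB_NAME-$stamp.sql"
    dump_db "$DB_NAME" "$sql"
    encrypt_dump "$sql" "$BACKUP_DIR/$DB_NAME-$stamp.zip" "$PASSWORD_FILE"
    prune_old "$BACKUP_DIR" "$KEEP"
}

# Run the full job only when invoked as the cron entry, e.g.:
#   17 3 * * * BACKUP_RUN=1 /usr/local/bin/db-backup.sh
if [ "${BACKUP_RUN:-0}" = "1" ]; then
    main
fi
```

Install the script itself with mode 700 as well, since anyone who can read it can see which passphrase file to look for. The "authenticated file-serving script" from the earlier reply is a separate piece: it should read the archive from BACKUP_DIR and stream it to the client only after a login check, which keeps the archive out of the document root entirely.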
That works great. Thanks!