How To Import Encryption Keys

How We Encrypt Your Backups

BeepBackup uses GPG (GNU Privacy Guard) encryption to secure your backups:

  1. You provide a public key: Upload your GPG public key to BeepBackup
  2. Data is encrypted locally: Before sending to S3, all backup data is encrypted using your public key
  3. Encrypted data goes to S3: Only encrypted data is stored in your S3 bucket
  4. You control decryption: Only you have the private key needed to decrypt your backups

Key Benefits

  • Zero-knowledge encryption: BeepBackup cannot read your encrypted backups
  • Your keys, your control: You manage your own encryption keys
  • Storage provider agnostic: Your S3 provider cannot access your data
  • Industry-standard encryption: Uses GPG with strong cryptographic algorithms

Setting Up Encryption

Step 1: Generate a GPG Key Pair

If you don’t already have a GPG key pair, generate one:

# Generate a new GPG key pair
gpg --full-generate-key

# Choose options:
# - Key type: RSA and RSA (default)
# - Key size: 4096 bits
# - Expiration: Choose based on your security policy
# - Name and email: Use identifiable information

Step 2: Export Your Public Key

# List your keys to find the key ID
gpg --list-keys

# Export your public key
gpg --armor --export YOUR_KEY_ID > beepbackup-public-key.asc

Step 3: Upload to BeepBackup

  1. In your BeepBackup dashboard, go to Settings > Encryption
  2. Click Upload Public Key
  3. Paste your public key or upload the .asc file
  4. BeepBackup will validate the key and show key details

Step 4: Enable Encryption for Backups

When creating or editing a backup job:

  1. Go to the Security section
  2. Toggle Enable Encryption
  3. Select your uploaded public key
  4. Save the backup configuration

Decrypting Your Backups

When you need to restore encrypted backups:

Download from S3

First, download your encrypted backup files from S3:

# Using AWS CLI
aws s3 cp s3://your-bucket/path/to/backup.tar.gz.gpg ./

# Or use your S3 provider's tools

Decrypt the Files

# Decrypt a single file
gpg --decrypt backup.tar.gz.gpg > backup.tar.gz

# Decrypt and extract in one command
gpg --decrypt backup.tar.gz.gpg | tar -xzf -

# For database backups
gpg --decrypt database-backup.sql.gpg > database-backup.sql

Restore Your Data

Once decrypted, restore your data as needed:

# Extract file backups
tar -xzf backup.tar.gz

# Restore database backup
mysql -u username -p database_name < database-backup.sql

Key Management Best Practices

Secure Key Storage

  • Use a password manager: Store your GPG passphrase securely
  • Backup your private key: Store copies in multiple secure locations
  • Use hardware security modules: For high-security environments
  • Key escrow: Consider secure key escrow for business continuity

Key Rotation

Regularly rotate your encryption keys:

  1. Generate a new key pair: Create new keys before the current ones expire
  2. Update BeepBackup: Upload the new public key
  3. Update backup jobs: Configure backups to use the new key
  4. Maintain old keys: Keep old private keys to decrypt historical backups

Access Control

  • Limit key access: Only authorized personnel should have access to private keys
  • Use subkeys: Consider using GPG subkeys for different purposes
  • Audit key usage: Monitor who has access to encryption keys

Encryption Performance

Encryption adds minimal overhead to your backups:

  • CPU usage: Modern CPUs handle GPG encryption efficiently
  • Compression first: Data is compressed before encryption for optimal size
  • Streaming encryption: Large files are encrypted in chunks to minimize memory usage

Performance Tips

  1. Choose appropriate key sizes: 2048-bit keys offer good security with better performance than 4096-bit
  2. Use compression: Enable compression to reduce the amount of data to encrypt
  3. Monitor system resources: Ensure adequate CPU and memory for encryption

Compliance and Standards

BeepBackup’s encryption implementation helps meet various compliance requirements:

Standards Supported

  • GDPR: Right to be forgotten (delete encrypted backups)
  • HIPAA: PHI protection through encryption
  • SOX: Financial data protection
  • PCI DSS: Credit card data security

Encryption Algorithms

BeepBackup supports these GPG algorithms:

  • Symmetric: AES-256, AES-192, AES-128
  • Asymmetric: RSA, DSA, ECDSA, EdDSA
  • Hash: SHA-256, SHA-512, SHA-1

Troubleshooting Encryption

Common Issues

“Invalid Public Key” Error

# Verify your public key format
gpg --show-keys beepbackup-public-key.asc

# Ensure the key is properly armored
gpg --armor --export YOUR_KEY_ID > corrected-key.asc
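
A check you can run on the exported file from Step 2 before uploading it, or after an "Invalid Public Key" error. This is an added example, not BeepBackup's own validation: the function names and verdict strings are hypothetical, the sample listings are constructed, and it assumes GnuPG 2.x colon listings.

```shell
#!/bin/sh
# Added example, not BeepBackup code. Assumes GnuPG 2.x colon listings, where
# field 2 = validity, field 7 = expiry (epoch seconds), field 12 = capabilities.

# classify_key NOW: read a `gpg --with-colons` key listing on stdin and print
# one verdict. NOW is the current time in epoch seconds.
classify_key() {
    awk -F: -v now="$1" '
        $1 == "sec" || $1 == "ssb" { secret = 1 }
        $1 == "pub" || $1 == "sub" {
            # Expired, revoked, invalid, disabled, or past its expiry time.
            dead = ($2 ~ /^[eridn]$/) || ($7 != "" && $7 + 0 <= now + 0)
            if ($1 == "pub") { pub = 1; primary_dead = dead }
            else if (primary_dead) dead = 1
            # Lowercase "e" means this key or subkey itself can encrypt.
            if ($12 ~ /e/) { if (dead) stale = 1; else usable = 1 }
        }
        END {
            if (secret)      print "PRIVATE_KEY_MATERIAL"
            else if (!pub)   print "NO_PUBLIC_KEY"
            else if (usable) print "OK"
            else if (stale)  print "ENCRYPTION_KEY_EXPIRED_OR_REVOKED"
            else             print "NO_ENCRYPTION_CAPABILITY"
        }'
}

# check_key_file FILE: run the check on an exported key file.
check_key_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | classify_key "$(date +%s)"
}

# Constructed listings (not real keys): primary + encryption subkey expiring
# at 1800000000; a sign-only key; and a secret-key export.
SAMPLE_KEY='pub:-:4096:1:1111AAAA2222BBBB:1700000000:1800000000::-:::scESC:
sub:-:4096:1:3333CCCC4444DDDD:1700000000:1800000000:::::e:'
SAMPLE_SIGN_ONLY='pub:-:255:22:5555EEEE6666FFFF:1700000000:::-:::scSC:'
SAMPLE_SECRET='sec:-:4096:1:1111AAAA2222BBBB:1700000000:1800000000::-:::scESC:'
```

Run `check_key_file beepbackup-public-key.asc`; any verdict other than `OK` means the file should be re-exported or the key replaced before upload.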

“Cannot Decrypt” Error

# Verify you have the correct private key
gpg --list-secret-keys

# Check if the key has expired
gpg --list-keys --with-subkey-fingerprints

# Import private key if needed
gpg --import private-key.asc
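
After a key rotation, a "Cannot Decrypt" error usually means the backup was encrypted to an older key than the one in your keyring, which is why the Key Rotation section says to keep old private keys. The following added example (not BeepBackup code; function names are hypothetical and the sample listings are constructed) reads the recipient key ID from a backup and reports whether the matching private key is present.

```shell
#!/bin/sh
# Added example, not BeepBackup code. Function names are hypothetical.

# Read `gpg --list-packets` output on stdin; print each recipient key ID once.
recipient_keyids() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]\{16\}\).*$/\1/p' | sort -u
}

# Read `gpg --list-secret-keys --with-colons` on stdin; print key/subkey IDs.
secret_keyids() {
    awk -F: '$1 == "sec" || $1 == "ssb" { print $5 }' | sort -u
}

# match_keys RECIPIENTS SECRETS (newline-separated ID lists):
# print "HAVE <id>" or "MISSING <id>" for every recipient of the backup.
match_keys() {
    for id in $1; do
        if printf '%s\n' "$2" | grep -qix "$id"; then
            echo "HAVE $id"
        else
            echo "MISSING $id"
        fi
    done
}

# which_key FILE: run the comparison for a real encrypted backup.
# --pinentry-mode cancel keeps gpg from prompting for a passphrase.
which_key() {
    enc=$(gpg --batch --pinentry-mode cancel --list-packets "$1" 2>/dev/null |
          recipient_keyids)
    have=$(gpg --batch --list-secret-keys --with-colons 2>/dev/null | secret_keyids)
    match_keys "$enc" "$have"
}

# Constructed samples (not real keys): a backup encrypted to subkey
# 3333CCCC4444DDDD, a keyring holding only a newer rotated key, and a
# keyring that still holds the old key.
SAMPLE_PACKETS='# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid 3333CCCC4444DDDD
:encrypted data packet:'
SAMPLE_ROTATED='sec:u:4096:1:7777AAAA8888BBBB:1750000000:::u:::scESC:
ssb:u:4096:1:9999CCCC0000DDDD:1750000000::::::e:'
SAMPLE_OLD='sec:u:4096:1:1111AAAA2222BBBB:1700000000:::u:::scESC:
ssb:u:4096:1:3333CCCC4444DDDD:1700000000::::::e:'
```

Run `which_key backup.tar.gz.gpg`; a `MISSING` line names the key ID whose private key must be imported before the backup can be decrypted.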

Performance Issues

  • Check system resources: Monitor CPU and memory usage during encryption
  • Optimize key size: Consider using 2048-bit keys instead of 4096-bit
  • Enable compression: Reduce data size before encryption

Getting Help

If you encounter encryption issues:

  1. Check the troubleshooting guide: Review common solutions
  2. Contact support: Provide key fingerprints (never share private keys)
  3. Community forum: Ask questions in our user community

Encryption vs. No Encryption

When to Use Encryption

Use encryption when:

  • Backing up sensitive personal data
  • Storing financial or medical records
  • Compliance requirements mandate encryption
  • You don’t fully trust your S3 provider
  • Your data contains trade secrets or intellectual property

When Encryption Might Not Be Necessary

Consider skipping encryption for:

  • Public or open-source code repositories
  • Already encrypted data (databases with TDE, encrypted file systems)
  • Non-sensitive configuration files
  • Data that’s already publicly available

Remember: It’s always better to err on the side of caution and use encryption when in doubt.
