Create encrypted tar backups and store them on the amazon S3 cloud

 Amazon S3 provides unlimited storage at low prices, which makes it an ideal solution for storing backups. But to make use of it, you need a piece of software that can actually interact with Amazon S3: create buckets, list the contents of a bucket, upload and download files, etc. And aws, a simple command-line utility written in Perl, is the perfect tool for the job.

Before you proceed, you should install the curl utility. On Ubuntu, you can do this using the sudo apt-get install curl command. Next, grab the latest version of the aws script:

curl -o aws

Make it then executable and copy it to the /usr/bin directory:

chmod +x aws
sudo cp ~/aws /usr/bin/

Create then an .awssecret file and open it in a text editor like nano:

nano .awssecret

Enter your Amazon AWS credentials (the Access Key ID and the Secret Access Key) as follows:


Save the file and change its permissions:

chmod 600 .awssecret

aws is now ready to go. To create a bucket for your backup use the aws mkdir command (replacing BUCKET with the actual name):

aws mkdir BUCKET

Next, create an encrypted tarball of the directory you want to back up using the tar tool:

tar -zcf - todays_backup|openssl enc -aes-256-cbc -salt -pass pass:yourpassword -out todays_backup.tgz.aes-256-cbc

Finally, upload the created archive to the created bucket:

aws put BUCKET/dir.tar.gz /path/to/todays_backup.tgz.aes-256-cbc

The best part is that you don't have to do this manually every time you want to back up a certain directory. Here is a sample script that backs up photos stored on the local hard disk:

tar -zcf – todays_backup|openssl enc -aes-256-cbc -salt -pass pass:yourpassword -out todays_backup.tgz.aes-256-cbc
aws put BUCKET/todays_backup.tgz.aes-256-cbc /path/to/todays_backup.tgz.aes-256-cbc

Replace yourpassword with a password of your own. Keep the password to yourself, and keep it carefully. The above command will generate a file called todays_backup.tgz.aes-256-cbc. This file can only be decompressed using this password.

Of course, you have to make sure that you can actually retrieve and decrypt your backup files. Test if this works, preferably with a small file:

Retrieve the file from S3:

aws get BUCKET/todays_backup.tgz.aes-256-cbc 

To extract your protected archive file use the following command:

# openssl enc -d -aes-256-cbc -in todays_backup.tgz.aes-256-cbc -out todays_backup.tgz



  • blog/create_encrypted_tar_files.txt
  • Last modified: 2010/05/26 10:31
  • by brb