This is a post that will show the tools I use and the script I run to create four rotating encrypted backups to Amazon S3 with logging. With the original script you would receive the log email sent via cPanel's backup script. Now that log is written locally with additional logging and then sent. This script will also encrypt your backups using GPG before uploading. I am by no means an expert so if you use or run across something you think will work better then please let us know or even if you have an idea of how to improve the backup script please speak up! Requirements An Amazon web services account with S3 enabled. If you have an Amazon account already it gets tied to that. If not then you can always sign up for one. Apache compiled with Curl and Curlssl (openssl). This is done using Easyapache in WHM. NOTE: For some reason even though I had Curl and Curlssl compiled ssl access did not work on my server. I ended up having to remove Curl using Yum and then install it from source. Not sure what is going to happen when I go to recompile Apache again but I'm giving you a heads up is all. GnuGPG. This should be installed on your server already. If you upgrade it from source be sure to remove it using Yum and add it to the exclude list else you will have multiple versions. Tim Kay's AWS script. This is a script written in Perl (should also be already installed) to allow access to S3 using Curl. Here is the link for it on the Amazon developer's site too. Preparation 1) Log into your server via SSH and then go to the website given for the AWS script and follow the instructions to download it to your server. I put all such things into /home/tools to keep them all in one place. Install it using the given instructions. He states it will be installed to /usr/bin but the aws script stays where you downloaded it and that is what is actually used. Links are created in /usr/bin linking to it so do not move or delete it. If you do need to delete it simply delete the aws file and then unlink all the s3* and ecs* links in /usr/bin. 2) Edit the aws script to store your secret key file in the /home/tools folder rather than /root. "Pico aws" Search for .awssecret: "Ctrl+w" ".awssecret" then press enter Change "$home/.awssecret" to "/home/tools/.awssecret". Save the file and exit: "Ctrl+x" "y" and press enter. 3) Create a bucket for your backups to be stored in: "s3mkdir <bucketname>" I've seen that bucket names have to be original across all of S3 but this hasn't been the case for me as so far as I have seen as I have never been told I couldn't create a bucket. You do not have to create the weekn directories, they will be created when the script uploads to them automatically. The script and GPG key Attached to this post is a zip file containing the script, a .awssecret file, and a counterfile. Text after a # is comments which do not affect the code in anyway. A note on paths, if the script does not run or strange errors are logged then you may need to determine/fix the paths to those commands. You can do this in SSH by running "whereis <command>" and it should tell you the path to that command then simply modify the script with the correct path. 1) Download the zip file locally and extract the files. Modify the code in s3backup as needed using your own text editor: On line 16 replace <bucketname> with the name of the bucket you created. On line 17 replace <gpguser> with the name of your gpg key. If you want to backup your Apache config uncomment lines 42-57. On line 60 replace [email protected].com with your email address. Modify .awssecret with your access key and secret key. 2) Upload the files to /home/tools and also create /home/tools/logs. All files should be uploaded/owned by root. 3) Log in via SSH as root. 4) Make the file executable: chmod 700 /home/tools/backups. You should also make sure .awssecret can only be access by yourself just in case: chmod 700 /home/tools/.awssecret 7) Create a gpg key: "gpg --gen-key" Answer the questions entering your name and email address. For the keys I followed the defaults. Be sure to use a passphrase that is secure. If you have already created a GPG key then of course you may use that one. 8) Edit the crontab to run the file: "crontab -e" This is the schedule I use: 0 2 * * 0 /home/tools/backups This will run the file on Sundays at 2:00 AM. Modify as you like of course. Place it between these lines so as to avoid an email sent by cPanel's backup script saying it couldn't change the date/time. MAILTO="" 0 2 * * 0 /home/tools/s3backup MAILTO=root Save the file and exit: Control+x, y, enter Notes on GPG Files are encrypted using GPG which you should have installed on your server already. I upgraded to the latest version from source on my VPS and if you want to do that we can address it separately. What GPG will do is encrypt the file and change the name to end with .gpg to indicate that it is GPG encrypted. This command: "gpg -r <gpgname> -e <path/file>" will encrypt the file with your key. In order to restore files from your backups you will then need to decrypt them. To do this on your server simply type "gpg -r <gpgname> <path/filename>" and you will be prompted for the passphrase then it will decrypt and restore your file. To do this on Windows you will need to export your key from your server first. The command "gpg --export-secret-keys <gpgname> > <filename.gpg>". This will write your public and private keys to the file you specify in <filename.gpg> which you can then download to your local machine. Then there is a piece of software called GPG4Win. This software includes an Outlook plug in also but if you are using Outlook 2007 it will not work so tell the installer not to install it. After installation you will need to run GPA and import the keys you downloaded and then right click on the key to set the Owner Trust to ultimate. After that you can simply right click on an encrypted file and select GPGee | Verify/Decrypt and you will be prompted for your passphrase then your file will be decrypted and restored. Notes about cPanel backups These are backups created using cPanel's own script and so are complete backups including email, dns zone files, home directory, etc. They are a tar.gz which you can extract and restore a single file from or do a full domain restoration from. Additional files Using these commands: tar -Pczf /home/apache-conf.tar.gz /usr/local/apache/conf I tar and backup my Apache config which is run more frequently. If you want to do anything like this then you will need to modify this line to suit your paths otherwise delete or comment it and the lines clear to the ")" out. Notes on cron 1 2 3 4 5 1 = Minutes (0-59) 2 = Hour (0-23 0=midnight) 3 = Day of month (1-31) 4 = Month (1-12) 5 = Day of week (0-6 0=Sunday) And * is used to signify all. So * * * * * would execute every minute every hour etc. Notes on accessing S3 There are a number of utilities you can use to store and access your files in your S3 space. One I say is a must have is the Firefox addon S3Fox. I also use my S3 space to store files from other computers and to do this I have purchased a copy of JungleDisk which allows you to map your S3 drive to a drive letter like a network drive. JungleDisk stores files kind of strangely meaning that you can't have direct access with S3fox or anything but you can install it on as many computers as you want and even put it onto a USB memory stick so that's not that big a deal for me. I currently no longer use Jungledisk (12/16/13) but instead use Cloudberry Labs S3 Explorer. It does not assign a drive letter for your S3 buckets but is still straight forward. It's interface is just like an FTP client. You shouldn't need to purchase the full version unless you want the features it adds. Another very nice piece of software that I ran across when I could not delete a folder is Bucket Explorer which is a mature robust piece of software also. Thanks! Thanks to Josh, Khiltd, and KH-Paul for their input and direction on the original script this was derived from ------------------ Edit 3/23/10: Correct crontab commandline file name. Edit 4/8/10: Add variables to script for bucket name and gpg user. Edit 12/16/13: Add lines about uncommenting lines for Apache config backup and entering email address. Removed option for MySQL backups. Add comment about no longer using Jungledisk. Reattached zip file to post.