Encryption Approach for Database Backups

A common need we have run into is regular backup of the OpenMRS database, which is done by the database backup module.

Due to the Personally Identifiable Information (PII) in the backup, one enhancement that is desperately needed is the encryption of the backup zip file and the ability to decrypt it on the machine to which the backup was done, and possibly at a central location (ministry headquarters) if necessary, since a lot of our sites are not connected to the Internet and the backups may need to be copied onto external drives and moved to remote backup locations.

I am interested in hearing what approaches have been considered for this challenge, to drive additional feature development for the database backup module.

Much as you can work on the module to generate an encrypted dump, I would assume you can protect the dump with disk encryption, or even use a hard drive that is password protected, as short-term options.

A key issue you’re going to run into is how to do the shared passwords, such that they reliably get everywhere they need to be, without compromising security.

If you only cared about the central backup, you could do public key encryption, i.e. you widely disseminate the ministry HQ’s public key (which is safe to publish), and have each site encrypt its backups with that public key (such that they can only be decrypted at the ministry HQ).

However if you want to have reliable scheduled local backups, then the password needs to live on the backup server. But in your threat model I don’t think the backup server is secure, so this defeats the point.

I guess I would recommend physical security + encrypted hard disk at the facility, and public key encryption before you copy the backup to an external drive to transport to the offsite backup location.
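The public-key scheme described in the reply above, as an added example in Go that is not part of this thread or of the OpenMRS database backup module: the site holds only the HQ public key, so nothing stored on the backup server can decrypt the dump, and only the holder of the HQ private key can open it. Because RSA cannot encrypt a multi-megabyte archive directly, the example uses envelope encryption (a fresh random AES-256-GCM key protects the archive, and RSA-OAEP wraps that key for HQ). The key pair, the OAEP label and the sample archive bytes are constructed for the demo; in practice the HQ key pair would be generated once and its public key distributed to sites.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// oaepLabel binds the wrapped key to this purpose; a constant chosen for the demo.
var oaepLabel = []byte("openmrs-db-backup-dek")

// Envelope is what a site writes out instead of the plain backup zip.
type Envelope struct {
	WrappedKey []byte // random AES-256 key, encrypted to HQ with RSA-OAEP/SHA-256
	Nonce      []byte // 12-byte AES-GCM nonce, unique per backup
	Ciphertext []byte // AES-256-GCM ciphertext of the archive, auth tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup runs at the facility. It needs only the HQ public key, so the
// backup server never holds a secret that would let a thief read the dump.
func EncryptBackup(hqPub *rsa.PublicKey, archive []byte) (*Envelope, error) {
	dek := make([]byte, 32) // fresh data-encryption key for every backup
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, hqPub, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, archive, nil)}, nil
}

// DecryptBackup runs only where the HQ private key lives. A wrong key or a
// modified envelope is rejected instead of producing garbage.
func DecryptBackup(hqPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, hqPriv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key or damaged envelope")
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("backup failed authentication: ciphertext was modified")
	}
	return plain, nil
}

// Demo generates an HQ key pair, encrypts a constructed sample archive at a
// "site", decrypts it at "HQ", and checks that an unrelated private key fails.
func Demo() (bool, error) {
	sample := []byte("PK\x03\x04 constructed openmrs-backup.zip bytes containing PII")
	hq, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	env, err := EncryptBackup(&hq.PublicKey, sample)
	if err != nil {
		return false, err
	}
	got, err := DecryptBackup(hq, env)
	if err != nil {
		return false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	if _, err := DecryptBackup(other, env); err == nil {
		return false, errors.New("a non-HQ key decrypted the backup")
	}
	return bytes.Equal(got, sample), nil
}

func main() {
	ok, err := Demo()
	fmt.Println("round trip ok:", ok, "error:", err)
}
```

The trade-off the reply points out still holds: if a site also wants to restore locally without involving HQ, the HQ private key (or a second private key the envelope is also wrapped for) would have to sit on the facility machine, which brings back the problem of a secret living on a server the threat model does not trust.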