add backup password protection to Backup Manager Backups (NO..it doesn't have it at the mo)
This may also be a security issue.
Currently there is no special protection of user content in the backup. Plesk protects only its sensitive data; web content is archived without any encryption.
If someone gains ADMIN access to a WordPress/Drupal/other web application install, parts of the Plesk container file system, cron jobs, etc. will be compromised and this would undoubtedly increase exponentially the chances of the system being exploited with viruses, rootkits and malware, "indirectly" affecting Plesk. (As an analogy, there is no point in building a metal wall if the door is still glass.)
So, in other words ... if a WordPress installation is compromised, the installation of malicious (or not) plugins can lead to the installation of rootkits, malware and viruses in the container. I cannot see for a second how this would be good for any Virtuozzo container running Plesk and how you could consider Plesk not being affected if, for instance, the container is used to conduct a DDoS against a random host.
Thanks for your input, we understand the importance. This Feature request is registered in our tracking system as PPM-344 and it will be included into future Plesk versions. There is no ETA at the moment, but we would really appreciate you voting for this request so that we can accurately assess its popularity relative to other features. Thanks in advance!
Timo Largan commented
"Thanks for your input, we understand the importance. "
2 years later: Plesk backups are still being stored and transferred to remote storages like Amazon or Google unencrypted. Plus a misleading "encryption" function in the GUI.
Nuneja Biznes commented
I am just baffled that backups are still unencrypted.
Backups contain files from Laravel, Slim, Drupal, Wordpress, Joomla, ... that store database credentials, SMTP credentials, keys, database dumps that may contain sensitive information, ... and other sensitive data without any form of encryption.
Plesk leaves system administrators and users without any proper options to encrypt backups.
In addition, the wording of the current 'backup encryption' feature is super misleading! I bet many people think their backups are fully encrypted.
As to the Plesk staff, this feature has nothing to do with popularity.
Not implementing this feature immediately is plain negligence.
Most of us do not have access to /var/*, gpg, curl or ftp-pasv...
This is a problem Plesk needs to fix ASAP.
Script/command to encrypt and transfer all local Plesk backups to your FTP storage (linux):
tar -zc /var/lib/psa/dumps/ | gpg -c --passphrase <encryption phrase> --batch --yes --cipher-algo AES256 | curl --ftp-pasv --ssl -k -u <username:password> -T - "ftp://<your ip and path>/backup_$(date +%F).tgz.gpg"
It's soon 2020 and still everything would get uploaded in clear text to Google Drive and others. That is insane!!
This is no feature whose popularity needs to be assessed. I know, the GDPR is not very popular... but we have to abide by it. Using the current "password protection" will render the user liable to prosecution since there is no protection at all. In my opinion even calling it "password protection" is a fraudulent representation.
Also it could be as simple as that (using gpg):
tar -czf - [FOLDERS] | gpg -c --batch --passphrase [PASSWORD] -o backup.tgz.gpg
gpg -d --batch --passphrase [PASSWORD] backup.tgz.gpg | tar -xzf -
I'd change it myself if I had access to the source...
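A variant of the gpg commands posted in this thread, as an added example that is not part of the original comments or of Plesk: it reads the passphrase from an owner-only file, because a passphrase given with --passphrase on the command line is visible to other local users in the process list, and it checks that the archive decrypts before it is shipped anywhere. It assumes Linux with GNU tar/stat and GnuPG 2.1 or later; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (assumes Linux, GNU tar/stat, GnuPG 2.1+). Function names are hypothetical.
set -euo pipefail

# encrypt_backup SRC_DIR PASSFILE OUT_FILE
# Streams SRC_DIR through tar into gpg symmetric AES256. The passphrase comes
# from PASSFILE, so it never appears in the process list or shell history.
encrypt_backup() {
  local src=$1 passfile=$2 out=$3 mode
  mode=$(stat -c %a "$passfile")
  case $mode in
    *00) ;;  # owner-only access, e.g. 600 or 400
    *) echo "refusing $passfile: mode $mode is accessible to others" >&2; return 1 ;;
  esac
  tar -czf - -C "$src" . |
    gpg --batch --yes --pinentry-mode loopback --passphrase-file "$passfile" \
        --symmetric --cipher-algo AES256 -o "$out"
}

# verify_backup PASSFILE ENC_FILE
# Succeeds only if ENC_FILE decrypts with PASSFILE and holds a readable tar.gz.
verify_backup() {
  local passfile=$1 enc=$2
  gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$passfile" \
      --decrypt "$enc" | tar -tzf - >/dev/null
}

# looks_encrypted ENC_FILE
# Succeeds if the file cannot be read as a plain tar.gz (no clear-text archive).
looks_encrypted() {
  ! tar -tzf "$1" >/dev/null 2>&1
}

# Run as: script.sh SRC_DIR PASSFILE OUT_FILE
if [ "$#" -eq 3 ]; then
  encrypt_backup "$1" "$2" "$3"
  verify_backup "$2" "$3"
  looks_encrypted "$3"
  echo "encrypted and verified: $3"
fi
```

Only the resulting .tgz.gpg file should then be handed to the transfer step, and the passphrase file has to be kept somewhere other than the backup target.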
This is a security hole, it should get top priority instead of sitting in the backlog for years.
Please implement ASAP. If I understand this issue correctly, this renders any effort to be GDPR compliant useless, because DB files are not completely encrypted and only passwords are being encrypted.
When will that option appear in Plesk? That is very important for security reasons.
Very much looking forward to this feature.
For the time being I think it would be good to update the misleading 'Backup security settings' wording, which implies that the entire backup is being password protected, which is not correct.
This is what it currently reads:
For security reasons, we recommend that you protect data contained in backups. By default, all backups are encrypted with the Plesk's internal encryption key, which is unique for each Plesk installation. Note that the backups encrypted with such a key can be restored only in the Plesk installation where they were created, and cannot be restored in another Plesk installation. Therefore, we recommend using a password for protecting backup files.
+1. A backup without encryption is weird. Not only passwords should be protected but also archive content. Very much needed.
2018 -> Plesk sends unencrypted data over a non-secure protocol -> this must be a joke?
FTPS has too many issues, encrypting ZIPs is easy so please do it, the sooner the better...
It is a joke. How is it possible that data is not encrypted?! It is a very serious issue. When will it be done?
Romeo S commented
+1 for password encrypted zip files. This is definitely a must-have, especially considering GDPR-regulations.
According to the new GDPR this data needs to be encrypted/protected! If you have an offsite backup, this data shouldn't be allowed to be accessed without protection. This has to be added asap!
I cannot believe this is still not available in 2018... That is a shame!
2 years later, Plesk 17, and this is still an issue. Please allow encryption of the whole backup data.
If you do not want to add a password protection feature for end-user sensitive data (database, web files, web configurations), we think it would help to provide a more descriptive label for that feature than "Use password protection" in the Plesk Control Panel, because most people would think that it protects all their web files and database, not just the Plesk control panel's password.
+1 for the entire ZIP backup file contents to be password protected!