add backup password protection to Backup Manager Backups (NO..it doesn't have it at the mo)
This may also be a security issue.
Currently there is no special protection of user content in the backup. Plesk protects only its sensitive data; web content is archived without any encryption.
If someone gains ADMIN access to a WordPress/Drupal/other web application install, parts of the Plesk container file system, cron jobs, etc. will be compromised, which would undoubtedly increase exponentially the chances of the system being exploited with viruses, rootkits and malware, “indirectly” affecting Plesk. (As an analogy, there is no point building a metal wall if the door is still glass.)
So, in other words ... if a WordPress installation is compromised, the installation of malicious (or not) plugins can lead to the installation of rootkits, malware and viruses in the container. I cannot see for a second how this would be good for any Virtuozzo container running Plesk, or how you could consider Plesk not being affected if, for instance, the container is used to conduct a DDoS against a random host.
Initial Thread
http://forum.odin.com/threads/plesk-12-x-x-backup-manager-encryption-security-issue.334691/#post-786917
Hello,
Thanks for your input, we understand the importance. This Feature request is registered in our tracking system as PPM-344 and it will be included into future Plesk versions. There is no ETA at the moment, but we would really appreciate you voting for this request so that we can accurately assess its popularity relative to other features. Thanks in advance!
-
Plesk Tech Support commented
I am unable to find an option to fully encrypt the contents of our remote storage backups.
It has been picked up in a data privacy impact assessment that the backups must be encrypted when stored offsite. It would be nice to have a Plesk feature that would allow full backup encryption.
-
JohnBee commented
This is just another BS move by Plesk to push 'what should be included' toward their famous paid feature scheme!
Whatever the case, there are more competing webhosting panels in effect today than ever, based solely on such nonsense.
- as always, nature takes its course
-
Anonymous commented
No encrypted backups in 2021. Really? Any updates from Plesk team?
-
Timo Largan commented
"Thanks for your input, we understand the importance. "
2 years later: Plesk backups still being stored and transferred to remote storages like Amazon or Google unencrypted. Plus misleading "encryption" function in GUI.
-
Nuneja Biznes commented
I am just baffled that backups are still unencrypted.
Backups contain files from Laravel, Slim, Drupal, Wordpress, Joomla, ... that store database credentials, SMTP credentials, keys, database dumps that may contain sensitive information, ... and other sensitive data without any form of encryption.
Plesk leaves system administrators and users without any proper options to encrypt backups.
In addition, the wording of the current 'backup encryption' feature is super misleading! I bet many people think their backups are fully encrypted.
As to the Plesk staff, this feature has nothing to do with popularity.
Not implementing this feature immediately is plain negligence.
-
Anonymous commented
Most of us do not have access to /var/*, gpg, curl or ftp-pasv...
This is a problem Plesk needs to fix ASAP.
-
Anonymous commented
Script/command to encrypt and transfer all local Plesk backups to your FTP storage (linux):
tar -zc /var/lib/psa/dumps/ | gpg -c --passphrase <encryption phrase> --batch --yes --cipher-algo AES256 | curl --ftp-pasv --ssl -k -u <username:password> -T - "ftp://<your ip and path>/backup_$(date +%F).tgz.gpg"
-
Anonymous commented
This is no feature whose popularity needs to be assessed. I know, the GDPR is not very popular... but we have to abide by it. Using the current "password protection" will render the user liable to prosecution since there is no protection at all. In my opinion calling it "password protection" even is a fraudulent representation.
-
Anonymous commented
It's soon 2020 and still everything would get uploaded in clear text to Google Drive and others. That is insane!!
This is no feature whose popularity needs to be assessed. I know, the GDPR is not very popular... but we have to abide by it. Using the current "password protection" will render the user liable to prosecution since there is no protection at all. In my opinion calling it "password protection" even is a fraudulent representation.
Also it could be as simple as that (using gpg):
Encrypt:
tar -czf - [FOLDERS] | gpg -c --batch --passphrase [PASSWORD] -o backup.tgz.gpg
Decrypt:
gpg -d --batch --passphrase [PASSWORD] backup.tgz.gpg | tar -xzf -
I'd change it myself if I had access to the source...
-
Anonymous commented
There is no option to encrypt backups. I do not trust Google or any other cloud service. Yet I could use the (otherwise completely useless) storage to put my backups there.
So please include a proper and secure encryption. Thanks!
Edit:
It could be as easy as running gpg as a last step before uploading:
Encrypting (simple tar example):
tar -czf - [FOLDERS] | gpg -c --batch --passphrase [PASSWORD] -o backup.tgz.gpg
Decrypting:
gpg -d --batch --passphrase [PASSWORD] backup.tgz.gpg | tar -xzf -
-
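Added example, not part of the thread and not Plesk code: a hardened form of the gpg workaround posted in the comments above (the FTP one-liner and the two tar | gpg snippets). It assumes GNU tar, GNU stat and GnuPG 2.1 or later; the function names and the passphrase-file convention are this example's own.

```shell
#!/usr/bin/env bash
# Added example: symmetric gpg encryption of a backup directory without
# putting the passphrase on the command line. All names are illustrative.
set -euo pipefail

# encrypt_dir SRC_DIR PASSFILE OUT_FILE
encrypt_dir() {
    local src=$1 passfile=$2 out=$3 mode
    # Refuse a passphrase file that group or others can read.
    mode=$(stat -c '%a' "$passfile")
    case "$mode" in
        600|400) ;;
        *) echo "passphrase file must be mode 600 or 400, is $mode" >&2
           return 1 ;;
    esac
    # --passphrase-file keeps the secret out of argv (visible in ps output);
    # GnuPG 2.1+ honours it only with --batch and --pinentry-mode loopback.
    tar -czf - -C "$src" . |
        gpg --batch --yes --pinentry-mode loopback \
            --passphrase-file "$passfile" \
            --symmetric --cipher-algo AES256 -o "$out"
}

# decrypt_to ENC_FILE PASSFILE DEST_DIR
decrypt_to() {
    local enc=$1 passfile=$2 dest=$3
    mkdir -p "$dest"
    # pipefail makes a gpg failure (wrong passphrase, damaged file) fatal
    # even though tar is the last command in the pipeline.
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" --decrypt "$enc" |
        tar -xzf - -C "$dest"
}

# verify_roundtrip SRC_DIR PASSFILE ENC_FILE
# Restores into a scratch directory and compares it with the source, so an
# unreadable archive is noticed before the local copy is deleted.
verify_roundtrip() {
    local src=$1 passfile=$2 enc=$3 tmp rc=0
    tmp=$(mktemp -d)
    { decrypt_to "$enc" "$passfile" "$tmp" && diff -r "$src" "$tmp" >/dev/null; } || rc=1
    rm -rf "$tmp"
    return "$rc"
}
```

The encrypted file can then be uploaded with any client; with curl, `--ssl-reqd` without `-k` makes TLS mandatory and keeps certificate verification on.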
Sam commented
This is a security hole, it should get top priority instead of sitting in the backlog for years.
-
dreamer22 commented
Please, implement asap. If I understand this issue correctly, this renders any effort to be GDPR compliant useless, because DB files are not completely encrypted and only passwords are being encrypted.
-
Peale11 commented
When will that option appear in Plesk? That is very important for security reasons.
-
jibs commented
Very much looking forward to this feature.
For the time being I think it would be good to update the misleading 'Backup security settings' wording, which implies that the entire backup is being password protected. Which is not correct.
This is what it currently reads:
For security reasons, we recommend that you protect data contained in backups. By default, all backups are encrypted with the Plesk's internal encryption key, which is unique for each Plesk installation. Note that the backups encrypted with such a key can be restored only in the Plesk installation where they were created, and cannot be restored in another Plesk installation. Therefore, we recommend using a password for protecting backup files.
-
Anonymous commented
+1
-
dreamer22 commented
+1. A backup without an encryption is weird. Not only passwords should be protected but also archive content. Very much needed
-
Atmikes commented
2018 -> Plesk sends unencrypted data over a non-secure protocol -> this must be a joke?
FTPS has too many issues, encrypting Zip's is easy so please do it, the sooner the better...
-
Alex commented
It is a joke. How is it possible that data is not encrypted?! It is a very serious issue. When will it be done?
-
Romeo S commented
+1 for password encrypted zip files. This is definitely a must-have, especially considering GDPR-regulations.
-
Anonymous commented
According to the new GDPR this data needs to be encrypted/protected! If you have an offsite backup, this data shouldn't be allowed to be accessed without protection. This has to be added asap!