Last updated 1 year ago by Simon Kollross
Backup security is important, especially if you're processing sensitive data. Nobody except you should be able to read your application's backups, and you should be confident that you won't lose any data in case of trouble.
You should always encrypt backups of your apps and securely transfer them to one or multiple backup destinations. If you encrypt the backups on your server and transfer only the encrypted version, your backups are stored encrypted at rest in your backup destination. Not even your backup storage provider is able to read them.
I recommend choosing a different storage provider for your backups than the infrastructure provider of your production systems. If there are problems with that provider for whatever reason, you can still access your backups and recover as fast as possible.
Spatie's laravel-backup package is the perfect starting point for implementing a backup strategy for your app. It creates a snapshot of your database and your app's files and puts them into a ZIP file, which is transferred to the specified backup locations. The package is fully configurable: customize its settings to your needs and use Laravel's scheduler to create backups regularly. You can read more about how to set up Spatie's package in the docs.
There is one thing the backup package is missing: encryption. Since the package fires various events we can listen to, adding encryption is really easy. The event we're interested in is BackupZipWasCreated. It is fired as soon as the ZIP file containing the database dumps and files has been created and before it is copied over to the backup destinations. That makes it the perfect place to perform last-minute operations, such as encryption, on the backup file.
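A sketch of such a listener, added here as an example and not taken from the original post: it encrypts every entry of the ZIP with AES-256 through PHP's ZipArchive and fails loudly rather than letting an unprotected archive move on. The class name `EncryptBackupArchive`, the helper `encryptZipEntries` and the `BACKUP_ARCHIVE_PASSWORD` environment variable are hypothetical.

```php
<?php
// Added example, not the post's code. EncryptBackupArchive, encryptZipEntries
// and BACKUP_ARCHIVE_PASSWORD are hypothetical names chosen for illustration.

use Spatie\Backup\Events\BackupZipWasCreated;

/**
 * Encrypt every entry of an existing ZIP in place with AES-256 and return
 * the number of entries encrypted. Throws on any failure.
 */
function encryptZipEntries(string $pathToZip, string $password): int
{
    if ($password === '') {
        throw new InvalidArgumentException('Refusing to encrypt with an empty password.');
    }
    if (!defined('ZipArchive::EM_AES_256')) {
        throw new RuntimeException('ZipArchive lacks AES support (needs PHP >= 7.2 with libzip >= 1.2.0).');
    }

    $zip = new ZipArchive();
    if (($code = $zip->open($pathToZip)) !== true) {
        throw new RuntimeException("Cannot open {$pathToZip} (ZipArchive error {$code}).");
    }

    $count = $zip->numFiles;
    for ($i = 0; $i < $count; $i++) {
        // ZIP encryption is per entry: contents are encrypted, entry names are not.
        if (!$zip->setEncryptionIndex($i, ZipArchive::EM_AES_256, $password)) {
            $zip->unchangeAll(); // discard pending changes, keep the file as it was
            $zip->close();
            throw new RuntimeException("Could not set encryption on entry {$i}.");
        }
    }

    // The archive is only rewritten on close(); a false return means it was not.
    if (!$zip->close()) {
        throw new RuntimeException('Writing the encrypted archive failed.');
    }

    return $count;
}

class EncryptBackupArchive
{
    public function handle(BackupZipWasCreated $event): void
    {
        // Fail loudly: a swallowed exception here would let a plain ZIP be uploaded.
        encryptZipEntries($event->pathToZip, (string) getenv('BACKUP_ARCHIVE_PASSWORD'));
    }
}
```

Because file names inside the archive stay readable, avoid putting sensitive information into dump or file names.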
If you're dealing with sensitive files, you should use a secure cipher to encrypt your backup, such as AES-256. Luckily, PHP 7.2 has native support for encryption built into
Let's create a listener for the BackupZipWasCreated event that encrypts the backup, called