We back up our databases regularly. We store them on a secure network location so that if the database drive fails, we can still satisfy the requirements for a rapid disaster recovery time (RTO, or Recovery Time Objective).
Some of us store these backups off-site as well, as an added security measure, either on tape or using cloud storage solutions (Azure Blob Storage, Amazon S3).
And we encrypt these backups, right?
Right?
SQL Server 2016 has some very neat features for encrypting databases, tables, rows, backups, and even in-memory stuff.
But what if we are still slogging away on the ancient SQL Server 2008 or 2008 R2 Standard Edition, and we need to compress and encrypt our backups, using industry standard AES-256 encryption?
Enter 7-Zip. It is free, open-source, and governed by the LGPL licence.
The GUI (referred to as the 7-Zip File Manager) is installed by default. It looks something like this:
7-Zip File Manager GUI
Additionally, there is a command-line version (7za.exe), which has the same features as the 7-Zip GUI. You can get the command-line version by downloading the 7-Zip Extra package.
This command-line tool can be used for scripting in batch files or PowerShell scripts, which means we can automate a whole lot of things with our backups. There is both a 32-bit and a 64-bit version available.
7-Zip (a) [64] 15.14 : Copyright (c) 1999-2015 Igor Pavlov : 2015-12-31 Usage: 7za <command> [<switches>...] <archive_name> [<file_names>...] [<@listfiles...>]
[Tip: I highly recommend using the default 7z
archive format, instead of Zip
. It provides a significant disk savings over the Zip
format and requires about the same time to compress at the Normal compression level.]
The scenario
Let’s assume that we have a limited budget. We can afford SQL Server Standard Edition and 1TB of off-site storage, in the form of Azure Blob Storage, Dropbox, or Google Drive, to name just a few.
We can use 7-Zip on the command line to produce an encrypted file, even if we don’t want to compress it (7-Zip can create what I call “container” files, which are simply an encryption wrapper around the file) and push that to our Dropbox sync folder.
Remember that SQL Server 2008 R2 and higher allows us to compress backups in Standard Edition. It makes very little sense to compress an already-compressed backup.
Command-line switches
I use this page as a reference for 7-Zip command line examples. Of particular interest is -mx0
, (which will store, but not compress, the source file), and -pSECRET
(which allows the use of a password, where SECRET is the password).
Putting the pieces together
Step 1: Back up our databases (with compression if available)
Step 2: Copy the files to a secure network location
Step 3: Use 7-Zip to encrypt (and maybe compress) these files
Step 4: Copy the encrypted files to off-site storage
There are myriad tools to perform these steps, and there’s no single correct way to do it, though I prefer PowerShell for a number of reasons. It’s modern, it is still updated, and it can interact with a number of Windows features in a consistent way, which means we can automate a lot of our everyday tasks.
For example, if we stay on the Microsoft stack with Azure, we can use PowerShell to iterate through the backup directory, encrypting each backup file, then copy it to Azure using a tool like AzCopy, or even my Azure Blob Storage Sync tool.
Summary
We don’t need the latest and greatest (and expensive) tools to implement best practices. Using 7-Zip, Dropbox and PowerShell, we can easily ensure that our databases are secure in more ways than one.