A tool for performing scheduled database backups and transferring encrypted data to secure public clouds, for home labs, hobby projects, etc., in environments such as k8s, docker, vms.
Backups are in age format using age, with strong encryption under the hood. Why age? It's a modern replacement for GnuPG, available for most architectures and systems.
This project is a more or less well-tested cron-like runtime with predefined supported providers and backup targets (see below) and sensible defaults for backup commands. It has rich integration tests that use container replacements for the providers: fake gcs, azurite, minio. The goal was to make 100% sure it will work in the wild.
There is no compression before the age encryption step whatsoever. This is intentional, so prepare for large backup sizes (compared to ogion 6.0, where 7zip was used, some backups that were 300MB are now 2.2GB). There are known exploits when mixing compression with encryption: compressed size depends on the content, and encryption does not hide size. For small systems, compression just seems unnecessary. See:
- CRIME
- BREACH
- Known plaintext attack
- A Known Plaintext Attack on the PKZIP
- TLSv1.3 removes compression
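The size leak behind CRIME and BREACH can be measured directly. The sketch below is an added example, not code from ogion: `zlib` stands in for any compressor, and the dump rows, key value and function names are constructed for illustration.

```python
import zlib

# Constructed sample data: a dump fragment that holds a secret next to a value
# that an outside party can influence (for example a user-supplied profile field).
SECRET_ROW = b"INSERT INTO api_keys VALUES ('key=9f3c1a7e5b2d4c6f8a0b1c2d3e4f5a6b');\n"


def dump_with(user_value: bytes) -> bytes:
    """Build a constructed dump: the secret row followed by a user-controlled row."""
    return SECRET_ROW + b"INSERT INTO profiles VALUES ('" + user_value + b"');\n"


def size_before_encryption(dump: bytes, compress: bool) -> int:
    """Length of the bytes handed to the encryption step.

    Encryption hides content but not length, so this number is what anyone
    who can only see the stored object's size still learns.
    """
    return len(zlib.compress(dump, 9)) if compress else len(dump)


def size_gap(compress: bool) -> int:
    """Size difference between a user value that repeats the secret and one that does not."""
    matching = b"key=9f3c1a7e5b2d4c6f8a0b1c2d3e4f5a6b"
    unrelated = b"key=0d8e2b6a4c1f7e3a9b5d0c2f6e8a1b4d"  # same length, different content
    assert len(matching) == len(unrelated)
    return (size_before_encryption(dump_with(unrelated), compress)
            - size_before_encryption(dump_with(matching), compress))


if __name__ == "__main__":
    # With compression the repeated value shrinks the output, so size tracks content.
    print("gap with compression:   ", size_gap(compress=True))
    # Without compression both dumps have identical length, so size says nothing.
    print("gap without compression:", size_gap(compress=False))
```

Skipping compression removes the dependency between content and size, at the cost of the larger backups noted above.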
There are better tools for big corporate databases and systems:
- pgBackRest - Reliable PostgreSQL Backup & Restore
- postgres operator for k8s based on pgBackRest from crunchydata
Supported backup targets:
- PostgreSQL (all currently supported versions)
- MariaDB (all currently supported versions)
- MySQL (all currently supported versions)
- Single file
- Directory
Supported providers:
- Google Cloud Storage bucket
- S3-compatible storage bucket (AWS, Minio)
- Azure Blob Storage
- Debug (local)
Notifications:
- Discord
- Email (SMTP)
- Slack
Using docker image: rafsaf/ogion:latest, see all tags on dockerhub.
Deployment options:
- docker (docker compose) container
- kubernetes deployment
Architectures:
- linux/amd64
- linux/arm64
Every day at 5am, a backup of a PostgreSQL database defined in the same file and running in a docker container:
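```yaml
# docker-compose.yml
services:
  db:
    image: postgres:17
    environment:
      - POSTGRES_PASSWORD=pwd
  ogion:
    image: rafsaf/ogion:latest
    environment:
      # cron_rule fields: minute hour day-of-month month day-of-week,
      # so "0 5 * * *" runs every day at 05:00
      - POSTGRESQL_DB_README=host=db password=pwd cron_rule=0 5 * * * port=5432
      # age public key (recipient) that backups are encrypted to
      - AGE_RECIPIENTS=age1q5g88krfjgty48thtctz22h5ja85grufdm0jly3wll6pr9f30qsszmxzm2
      # debug provider keeps backups inside the container
      - BACKUP_PROVIDER=name=debug
```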
(NOTE: this will use the debug provider, which stores backups locally in the container.)
The author actively uses ogion (with GCS) for one production project, the plemiona-planer.pl postgres database (both PRD and STG), and for a bunch of homelab projects including self-hosted Firefly III mariadb, Grafana postgres, KeyCloak postgres, Nextcloud postgres and configuration file, Minecraft server files, and two other postgres dbs for some demo projects.
See how it looks for a ~2GB database: