====== Barman ======
===== Barman encryption =====
==== Generate pgp keys for the encryption ====
<code>
# create a 32 char password for pgp from the kernel random source
# (24 random bytes encode to exactly 32 base64 characters; a hash of the
# current time, as in "date +%s | sha256sum", is guessable)
head -c 24 /dev/urandom | base64
#
# 1 save the output in /etc/barman.d/secret
# 2 make sure that the owner and permissions of the secret are root.barman-owner and 440
# 3 use it as input in the next step and in the barman server.conf
#
# create pgp entry
gpg --full-generate-key
# When asked: give a name like: barman and the password from the previous command
</code>
In /etc/barman.d/server.conf insert:
<code>
backup_compression_format = tar
backup_compression = gzip
encryption = gpg
; the name you gave in the previous step
encryption_key_id = barman
encryption_passphrase_command = "cat /etc/barman.d/secret"
</code>
**Done**
You will have to re-initiate the backup, i.e. (be careful: do not just copy and paste, but think, because you can lose the existing backup):
<code>
sudo barman cron
sudo -u barman barman receive-wal --create-slot SERVER-NAME
sudo -u barman barman switch-xlog SERVER-NAME
sudo -u barman barman backup SERVER-NAME
</code>
If create-slot fails, you will have to --drop-slot or drop the slot from the database.
You can check if the encryption is on:
<code>
sudo -u barman barman check SERVER-NAME | grep encryption
# This should do it
#
# but you can also see it on disk:
# your barman-backup-dir/SERVER-NAME/base/BACKUP-SET/ will have a basebackup ending in .gpg
# and in your barman-backup-dir/SERVER-NAME/wals/WAL-SET/ the wal file will respond to
# file wal-file
# with
# wal-file: PGP RSA encrypted session key - keyid: 43F52AD6 99DF306B RSA (Encrypt or Sign) 3072b
</code>
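The ''file'' check above can be run over a whole WAL-SET directory. The following Python is an added example, not part of the original page or of Barman: it reads the first bytes of each file and reports those that do not start with an OpenPGP public-key encrypted session key packet for the expected key ID. The function names and the sample bytes are assumptions made for this example; the key ID to expect is the one ''file'' prints, which for a key with an encryption subkey is the subkey's ID.

```python
from pathlib import Path

PKESK_TAG = 1  # Public-Key Encrypted Session Key packet (RFC 4880, section 5.1)
ALGOS = {1: "RSA", 16: "Elgamal", 18: "ECDH"}

def pkesk_recipient(head: bytes):
    """Return (key_id, algorithm) if head starts with a v3 PKESK packet, else None."""
    if len(head) < 2 or not head[0] & 0x80:
        return None  # bit 7 clear: not an OpenPGP packet (plain WAL, gzip, ...)
    if head[0] & 0x40:  # new-format header: tag in bits 5-0, variable length field
        tag = head[0] & 0x3F
        body = 3 if 192 <= head[1] < 224 else 6 if head[1] == 255 else 2
    else:  # old-format header: tag in bits 5-2, length type in bits 1-0
        tag = (head[0] >> 2) & 0x0F
        body = 1 + {0: 1, 1: 2, 2: 4, 3: 0}[head[0] & 0x03]
    if tag != PKESK_TAG or len(head) < body + 10 or head[body] != 3:
        return None
    key_id = head[body + 1:body + 9].hex().upper()
    algo = head[body + 9]
    return key_id, ALGOS.get(algo, f"algorithm {algo}")

def not_encrypted_to(directory, expected_key_id):
    """Names of files in directory that do not start with a PKESK for expected_key_id."""
    bad = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            info = pkesk_recipient(fh.read(16))
        if info is None or info[0] != expected_key_id.replace(" ", "").upper():
            bad.append(path.name)
    return bad

# Constructed sample: the first 13 bytes of a PKESK packet carrying the key ID
# from the `file` output above (not taken from a real backup).
SAMPLE = bytes.fromhex("85018c03" "43f52ad699df306b" "01")

if __name__ == "__main__":
    print(pkesk_recipient(SAMPLE))           # encrypted WAL header
    print(pkesk_recipient(b"\x1f\x8b\x08"))  # gzip magic: not encrypted
```

An empty list from ''not_encrypted_to("barman-backup-dir/SERVER-NAME/wals/WAL-SET", "43F52AD6 99DF306B")'' means every file in that directory is encrypted to that key.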
===== Warnings =====
If you, like us, have a monitoring system that counts the number of "OK" in the output of
<code>
sudo -u barman barman check SERVER-NAME
</code>
it will fail, because there are now 23 OK's (hopefully) and not the 22 OK's :-)