This is an old revision of the document!


Barman

Barman encryption

Generate pgp keys for the encryption

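# create 32 char password for pgp
# (24 bytes from the kernel CSPRNG, base64-encoded to 32 characters;
#  a hash of the current time is guessable and must not be used as a passphrase)
head -c 24 /dev/urandom | base64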

#
# 1 save the output in /etc/barman.d/secret
# 2 make sure the secret is owned by root.barman-owner with permissions 440
# 3 use it as input in the next step and in the barman server.conf
#
# create pgp entry

gpg --full-generate-key

# When asked: give a name like: barman and the password from previous command

In the /etc/barman.d/server.conf insert

backup_compression_format = tar
backup_compression = gzip
encryption = gpg
; the name you gave in the previous step
encryption_key_id = barman
encryption_passphrase_command = "cat /etc/barman.d/secret"

Done

You will have to re-initiate the backup, i.e. (be careful: don't just copy and paste, think):

sudo barman cron
sudo -u barman  barman receive-wal --create-slot SERVER-NAME
sudo -u barman  barman switch-xlog SERVER-NAME
sudo -u barman  barman backup SERVER-NAME

If create-slot fails, you will have to --drop-slot or drop the slot from the database.

You can check if the encryption is on:

sudo -u barman  barman check SERVER-NAME | grep encryption
 
# This should do it
# 
# but you can also see it on disk:
# barman-backup-dir/SERVER-NAME/base/BACKUP-SET/ will contain a base backup ending in .gpg
# and for a WAL file in barman-backup-dir/SERVER-NAME/wals/WAL-SET/ the file command reports:
# file wal-file
# wal-file: PGP RSA encrypted session key - keyid: 43F52AD6 99DF306B RSA (Encrypt or Sign) 3072b

Warnings

If you, like us, have a monitoring system that counts the number of “OK” results in the output of

sudo -u barman  barman check SERVER-NAME

it will fail, because there are now 23 OKs (hopefully) and not the 22 OKs :-)
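
A monitor that judges each check line by its content, and insists that an encryption check is present, does not break when Barman adds a check. The function below is an added example, not part of the original page or of Barman. The function name, the exit codes and the sample check names are assumptions, and the sample output is constructed rather than captured from a server.

```shell
#!/bin/sh
# Evaluate `barman check` output read from stdin.
# Exit status (assumed convention for this example):
#   0  every check line reports OK and an encryption check is present
#   1  at least one check line does not report OK
#   2  all lines are OK but none mentions encryption
# Assumed line format: "<check name>: OK ..." or "<check name>: FAILED ...",
# preceded by a "Server <name>:" header line.
check_barman_output() {
    awk '
        /^Server .*:[[:space:]]*$/ { next }    # skip the header line
        /^[[:space:]]*$/           { next }    # skip blank lines
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)     # drop the indentation
            if (tolower(line) ~ /encryption/) seen_enc = 1
            if (line !~ /: OK( |$)/) {
                bad++
                print "NOT OK: " line > "/dev/stderr"
            }
        }
        END {
            if (bad)       exit 1
            if (!seen_enc) exit 2
            exit 0
        }'
}

# Constructed samples; the check names are placeholders, not real Barman output.
SAMPLE_OK='Server SERVER-NAME:
    PostgreSQL: OK
    replication slot: OK (hint text is allowed after OK)
    encryption settings: OK'

SAMPLE_FAILED='Server SERVER-NAME:
    PostgreSQL: OK
    encryption settings: FAILED (constructed failure)'

SAMPLE_NO_ENC='Server SERVER-NAME:
    PostgreSQL: OK
    replication slot: OK'

# Usage on the barman host:
#   sudo -u barman barman check SERVER-NAME | check_barman_output
```

Exit status 2 covers the case where a server was left unencrypted: every check is OK, but no encryption line is reported.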

barman.1761568638.txt.gz · Last modified: 2025/10/27 13:37 by jbi