Support

Akeeba Backup for Joomla!

#32225 Feature Request: Wetransfer and email for backup storage

Posted in ‘Akeeba Backup for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Backup version
n/a

Latest post by on Thursday, 06 February 2020 17:17 CST

JurgenG
WeTransfer offers an API to programmatically send files through a link (or mail them).
It would be nice to have the option to have a(n encrypted) backup to be sent to a mailbox over WeTransfer.
It could save space on local server, possibly even reduce risk of a backup being downloaded illigitimately and offers an easy way to have a local backup copy.

nicholas
Akeeba Staff
Manager
WeTransfer is neither a practical nor secure way for storing backup archives. In fact it's far from being practical or secure!

A backup archive can consist of multiple files (parts). Each file would need to be transferred separately. This creates a few problems when considering WeTransfer or any other file transfer (not storage!) service.

The most important problem is that a backup archive may consist of several files (parts), each one of which needs to be uploaded separately. Moreover, each file needs to be deleted as soon as it's uploaded for your use case to make any sense. In fact, the only way your use case would make sense is if using WeTransfer forced "Upload each part immediately" to be always enabled.

This means that as the backup progresses we create an archive part, we upload it to WeTransfer, we get a URL and we store it temporarily. If uploading to WeTransfer fails midway through the backup – for several reasons we've seen that I could fill a sizable book with – these files are lost forever. This violates the Akeeba Backup rule of making it possible for the users to always be able to manually retrieve their backup archive parts, even if these files are in disparate places.

The next problem is that while you propose this as a secure solution, I'm afraid it's not for two reasons.

First, it's just an upload to an Amazon S3 bucket. Worse, it's an upload to someone else's Amazon S3 bucket. It's not under your control.

Second, you are sending a pre-authenticated URL over unencrypted email. Anyone intercepting the email can download this file and you are none the wiser.

If you are really concerned about storage space and security you should be using Upload to Amazon S3. Create a private bucket. Create a new Amazon IAM user with write-only privileges to the bucket. Set up Akeeba Backup's Upload to Amazon S3 with the credentials of this limited user. Set Upload each part immediately to Yes and set a small backup part size (you will need up to 2.5 times that much disk space during backup). Your backups are in a private bucket that only you can access. Your site does not have the ability to download these files so even if it's compromised the files won't be downloaded (they can be erased, though). You can download the files to your local computer using a GUI tool such as CloudBerry Explorer or a CLI tool such as s3cmd. Either way, you can use temporary credentials, generated through Amazon IAM, so if you suspect they're compromised you can kill them immediately. Nothing is sent by email, nothing visible to an attacker can be used to compromise your site. Even if an attacker knows the bucket name and object name (file path) in the bucket they can do nothing since they don't have your keys. This is the most space efficient and secure solution, not WeTransfer or any file transfer service.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!