CodeBlog.TheG2.NET: Powershell, 7-Zip, Amazon S3 Upload Script with AES-256 Encryption

Friday, February 19, 2010

Powershell, 7-Zip, Amazon S3 Upload Script with AES-256 Encryption

I recently was tasked with finding a way to store some backup files from our server in a secure and reliable off-site location. After talking with our hosting provider, who wanted around $600 a month for off-site tape rotation, we decided to look at using Amazon Simple Storage Service (Amazon S3) to store the files in the cloud instead. We needed a way to automate the upload process and make sure that the data was encrypted, so I spent a few days working on a Powershell script (using the excellent PowerGui Script Editor) that uses 7-zip to create a .7z archive with AES-256 encryption and then send it up to Amazon S3 using the Amazon Web Services SDK for .NET. Here is the script:
#Description: Powershell 2.0 script to zip and encrypt a folder using 7zip and then send it to Amazon S3 #Author: Greg Bray (2/19/2010) #Website: http://codeblog.theg2.net/2010/02/powershell-7-zip-amazon-s3-upload.html #License: free for personal or commercial use under the Creative Commons Attribution 3.0 United States License. #Prerequisite: You must first install the latest version of 7Zip from http://www.7-zip.org/ (licensed under the GNU LGPL) #Prerequisite: You must also install the Amazon Web Services SDK for .NET from http://aws.amazon.com/sdkfornet/ (licensed under the Apache License, Version 2.0) #Recommended: I recommend using CloudBerry S3 Explorer for managing Amazon S3 files. http://cloudberrylab.com/default.aspx?page=cloudberry-explorer-amazon-s3 #Recommended: I recommend using http://PowerGui.org Script editor if you want to change or debug this script. #Usage: ps7ZiptoAmazonS3 'BackupFolderPath' 'S3ObjectKey' 'TranscriptLogFile' # BackupFolderPath = Folder to backup (do not include a trailing slash) # S3ObjectKey = Object key where to store file on Amazon S3. Note: If object already exists on S3 it will be overwritten. # TranscriptLogFile = Optional log file where the transcript will be appended. #NOTE: you also will need to set the Zip and Encrypt settings, Amazon S3 settings, and 7Zip/AWSSDK file paths below <#Example calling from another powershell script (with log file): & 'c:\Backups\ps7ZiptoAmazonS3.ps1' 'c:\Backups\DataFolder' 'S3Backups/DataFolder.7z' 'c:\Backups\BackupLog.txt' #> <#Example calling from Run or task Scheduler: NOTE: may need to run "Set-ExecutionPolicy RemoteSigned" in powershell to allow unsigned local scripts to execute powershell.exe -Command "& 'c:\Backups\ps7ZiptoAmazonS3.ps1' 'c:\Backups\DataFolder' 'S3Backups/DataFolder.7z' 'c:\Backups\BackupLog.txt'" #> #Check arguments and set variables if ($args.count -ge 2) { $FolderPath = $args[0] #Local folder to encrypt and send to S3 (No trailing slash) $S3ObjectKey = $args[1] #Destination on S3 where file will be stored. Note: If object exists it will be overwritten. if ($args.count -ge 3) { #start logging transcript Start-Transcript $args[2] -Append | Out-Null } } else { #Default preset arguments used if no values are provided $FolderPath = "c:\Backups\DataFolder" $S3ObjectKey = "S3Backups/DataFolder.7z" } write-host "`r`n`r`n" #Start log file with 2 blank lines $dtStart = [System.DateTime]::Now #Save start time to calculate total time below write-host ($dtStart.ToString() + " - Script started") #Zip and Encrypt settings $EncryptionKey = "secret_password" #Data is encrypted using Strong AES-256 encryption. Recommended password size is 10-16 characters. $TemporaryPath = "c:\Temp" #No trailing slash. Used to store zip file localy before uploading. File will be deleted after upload but not if there is an exception (see below). #Amazon S3 account settings (See http://aws-portal.amazon.com/gp/aws/developer/account/index.html?action=access-key): $S3AccessKeyID = "ABCDEFGHIJKLMNOPQRST" #Your Amazon S3 Access Ky ID $S3SecretKeyID = "0123456789abcdefghijklmnopqrstuvwzyz" #Your Amazon S3 Secret Access Key $S3BucketName = "S3BackupBucket" #S3 Bucket name where the file will be stored Write-Host ($dtStart.ToString() + " - FolderPath:'$FolderPath' S3BucketName:'$S3BucketName' S3ObjectKey:'$S3ObjectKey'") #Load AWS Assembly and Initialize 7Zip path (only runs once when debugging script) if($7ZipPath -eq $null){ $7ZipPath = "C:\Program Files\7-Zip\7z.exe" #Path to 7Zip $AWSDOTNETSDKPath = "C:\Program Files (x86)\AWS SDK for .NET\bin\AWSSDK.dll" #Path to Amazon SDK for x64 system. Remove " (x86)" when running on an x86 machine if (-not [System.IO.File]::Exists($AWSDOTNETSDKPath)) { #Try path for x86 system $AWSDOTNETSDKPath = $AWSDOTNETSDKPath.Replace(" (x86)","") if (-not [System.IO.File]::Exists($AWSDOTNETSDKPath)) { #File not found, throw exception write-error "ERROR: Cannot find Amazon Web Services SDK. Please download .NET SDK from http://aws.amazon.com/sdkfornet/ and update AWSDOTNETSDKPath in script." exit 2 } } #Load AWS Assembly [Reflection.Assembly]::LoadFile($AWSDOTNETSDKPath) | Out-Null } #Function for computing Amazon S3 MD5 digest (128 bit base64 encoded) using System.Security.Cryptography.MD5 function Hash-MD5 ($file) { $cryMD5 = [System.Security.Cryptography.MD5]::Create() $fStream = New-Object System.IO.StreamReader ($file) $bytHash = $cryMD5.ComputeHash($fStream.BaseStream) $fStream.Close() return [Convert]::ToBase64String($bytHash) } #Zip and Encrypt files Write-Host ([System.DateTime]::Now.ToString() + " - Zip and Encrypt Files") $FolderName = $FolderPath.Substring($FolderPath.LastIndexOf("\")+1) #grab the name of the backup folder $TimeStamp = [datetime]::Now.ToString("yyyy-MM-dd_HHmm") #Create unique timestamp string $strFile = [String]::Format("{0}\{1}_{2}.7z", $TemporaryPath,$FolderName,$TimeStamp) #Create filename for the zip #7z options: add, type 7z, Archive filename, Files to add (with wildcard. Change \* to \prefix* or \*.txt to limit files), compression level 9, password, encrypt filenames, Send output to host so it can be logged. #See http://dotnetperls.com/7-zip-examples or the 7zip help file for more info on command line switches. #NOTE: -mx7 and -mx9 get around 10 to 1 compression for text files and take round 5 minutes for 1GB of data. Use -mx3 or -mx5 to increase speed but decrease compression level. & $7ZipPath "a" "-t7z" "$strFile" "$FolderPath\*" "-mx9" "-r" "-p$EncryptionKey" "-mhe" | out-host #Call 7z.exe to create archive file if($LASTEXITCODE -ne 0){ #Detect errors from 7Zip. Note: 7z will crash sometimes if file already exists Write-Error "ERROR: 7Zip terminated with exit code $LASTEXITCODE. Script halted." exit $LASTEXITCODE } #Create Amazon PutObjectRequest. Details at http://docs.amazonwebservices.com/sdkfornet/latest/apidocs/html/T_Amazon_S3_Model_PutObjectRequest.htm Write-Host ([System.DateTime]::Now.ToString()) " - Creating S3 PutObjectRequest" $AmazonS3 = [Amazon.AWSClientFactory]::CreateAmazonS3Client($S3AccessKeyID, $S3SecretKeyID) $S3PutRequest = New-Object Amazon.S3.Model.PutObjectRequest $S3PutRequest.BucketName = $S3BucketName $S3PutRequest.Key = $S3ObjectKey $S3PutRequest.FilePath = $strFile Write-Host ([System.DateTime]::Now.ToString()) " - Compute File MD5 Digest" $strMD5 = Hash-MD5($strFile) #NOTE: may take 5-30 seconds to compute digest for 1GB file. $S3PutRequest.MD5Digest = $strMD5 #Use MD5 digest to ensure data is not corrupted during transport. $dFileSize = (Get-Item $strFile).Length / 1MB #Get archive size in MB Write-Host ([System.DateTime]::Now.ToString()) ([String]::Format(" - Uploading File:'{0}' Size:{1:#,###.#} MB", $strFile, $dFileSize)) $S3Response = $AmazonS3.PutObject($S3PutRequest) #NOTE: upload defaults to 20 minute timeout. #If upload fails it will throw an exception and $S3Response will be $null if($S3Response -eq $null){ Write-Error "ERROR: Amazon S3 put requrest failed. Script halted." exit 1 } Write-Host ([System.DateTime]::Now.ToString()) " - Delete Local 7z File:'$strFile'" Remove-Item $strFile -Force $dtEnd = [datetime]::Now $tsTotal = $dtEnd.Subtract($dtStart) Write-Host ($dtEnd.ToString()) " - Script finished. Total time: " $tsTotal write-host "`r`n`r`n" #End log file with 2 blank lines if ($args.count -ge 3) { #stop transcript Stop-Transcript }
It seems to work pretty well so far, taking about 5-10 minutes to zip and encrypt 1GB of SQL Backups down to 100MB and then upload it to Amazon S3. From there we can use tools like CloudBerry S3 Explorer to browse or download files when needed. The monthly costs to keep data on Amazon S3 is $0.150 per GB, with $0.10 per GB transfer in and $0.150 per GB transfer out. With a 1 week backup retention and minimal data-out transfers we expect to pay around around $10 to $20 a month and should be able to access it much quicker than if we were using off-site tape storage. Cloud computing FTW!
UPDATE 6/14/2010: I just posted the script used to create the Database backup folder.

16 comments:

Unknown said...: Thank you for posting a note on CloudBerry Explorer! I just want to add that CloudBerry Explorer comes with PowerShell command line interface that you can use instead of C# if you like. You can learn more about it here

Andy, CloudBerry Lab team.; February 20, 2010 at 11:50 AM
Greg Bray said...: Thanks for the comment. I did see that CloudBerry can be used with PowerShell, but the above script is going to be deployed on a production server that will not have CloudBerry installed, so the Amazon SDK seemed like a better fit. I plan on writing another script that can be used to download the data and test the restore process, and I may end up trying the CloudBerry Powershell cmdlets for that. I definitely find CloudBerry very useful for browsing S3, and you have done a very good job at adding a user interface to what is otherwise an API only process!; February 23, 2010 at 5:04 PM
Anonymous said...: sends it up but when i try to download it i get a message after typing password that the zip appears to be corrupts. the log looks clean. created same directory structure.

archive is unknown format or damaged.; February 26, 2010 at 6:00 PM
Greg Bray said...: Sorry about that... it looks like it was an issue with how Powershell handles command line arguments when calling 7zip. I tired to get it to accept passwords that had spaces in them, but I guess that didn't work. I reworked the call to 7zip on line 082 so it should now pass all of the parameters correctly. Just update that line and make sure that your password is all one word.; March 4, 2010 at 3:19 PM
Unknown said...: Thanks for this Greg, been looking at sorting my webserver backup solution out for ages and was stuck what do from here.

Signed up for AmazonS3 and got your script running now, I tweaked the timestamp to only use days so i get a 7 day overwrite (might do another with month/year to take out of the set.

Also another point to note when I first got to running your script on my webserver, I was getting "ERROR: 7Zip terminated with exit code 8".
After some commenting and hacking, I found if I changed the 7zip command line switch from -mx9 to -mx5 (ultra compression to normal) it worked.

I know the better the compression the less $$$ on the amazon spend, but i'll have to live with it until I can beef up the server...

thanks again for such a well considered and well written solution...; April 10, 2010 at 5:48 AM
Greg Bray said...: Looks like that exit code is "Not enough memory for operation", so reducing the compression level could make it work better in that case. Glad you could find it useful. We use the S3ObjectKey to set the retention period. If I get a chance I'll post the full script used for creating the local backup folder and setting the retention period.; April 12, 2010 at 11:02 PM
joe said...: I was looking for something like this -- thanks for posting it. I don't need encryption at the moment but it's nice to know I can add it when necessary...
Joe; April 23, 2010 at 1:14 PM
Anonymous said...: Hi Greg, Thank you for your post. I'm trying to upload files and sometimes for large file like 80MB or above, I get the following error message, I split your code into two files amazons3.ps1 calling into S3.ps1 (which does the uploaded with the args passed to it). Please help. I saw some posts telling to disable the keepalive but don't how to do it in ps1.

Exception calling "PutObject" with "1" argument(s): "The request was aborted: The request was canceled."
At D:\Ven\S3.ps1:73 char:34
+ $S3Response = $AmazonS3.PutObject <<<< ($S3PutRequest) #NOTE: upload defaults to 20 minute timeout.
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException

D:\Ven\S3.ps1 : ERROR: Amazon S3 put requrest failed for production-db-backup-Aug-1-2010.zip.
Script halted.
At D:\ven\amazons3.ps1:45 char:5
+ & <<<< 'D:\Ven\S3.ps1' $file $amazon_filename $S3BucketName
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,S3.ps1; August 1, 2010 at 8:20 PM
ITnetworkguru said...: Thanks so much for creating and putting this out for everyone to use!!! I am modifying this script for my own use and you have saved me hours of work! Wanted to share what I am doing and some problems I have run into. I have an SSL error when the script reaches the S3putrequest, I can't see where the URL is defined in order to know where it is trying to connect. Should the bucket name be the FQDN? Second item I am trying to figure out is how do I modify the script to upload to S3 a 7zip split archive? My archives are 30+ gigs and I need to split them up.; March 23, 2011 at 10:28 AM
Greg Bray said...: Thanks, glad you found it useful! The bucket name should just be the unique part like MyBucket or MyBackups. The Amazon library will then create the URL from that information (See link on line 88 for more info).

As for your other changes, you would need to setup the #Zip and Encrypt files section to create the multi-part file and then change lines 88-106 to upload more than one file. I don't think that the Amazon library has this built in, so you could put that code into a function and call it once for each file. Also you could look at using something like CloudBerry Explorer to upload the files instead (see first comment here from Andy01), as they implement more advance upload features that could make it a bit faster.; March 23, 2011 at 12:04 PM
Chris Andrews said...: I've found that you don't need to drastically change the script to allow large uploads - all you need to do is change the PutRequest Timeout value to a larger number than the default of 20 minutes (i.e. 1200000ms). To set the timeout to an hour, update PS7ziptoAmazonS3.ps1:

$S3PutRequest.Key = $S3ObjectKey
$S3PutRequest.Timeout = 3600000 #add this line - this is an hour
$S3PutRequest.FilePath = $strFile; October 6, 2011 at 2:02 PM
Robert N. said...: Nice post, also check out bulk S3 uploading via PowerShell:

http://sushihangover.blogspot.com/2012/03/powershell-bulk-uploading-to-new-s3.html

or using PowerShell for SSL public/private key encryption (also for retrieving your EC2 Windows Administrator's password):

http://sushihangover.blogspot.com/2012/04/powershell-rsa-private-key-based.html; April 4, 2012 at 8:56 PM
Anonymous said...: Anyone want to help me modify this to use multiple files?
Amazon s3 has a 5gb limit per file..
I am splitting backup into 4.5gb files and would like this script to run and upload 1 at a time..

Thanks; July 18, 2012 at 9:37 AM
kyleseidel said...: Holy crap... what an awesome script. Very well thought out. Thanks for sharing. It made my life easier. I needed to backup a OpenEdge Progress database and upload it to a remote server using SFTP (WinSCP).

Thanks again.
-Kyle; August 8, 2012 at 10:07 AM
Anonymous said...: Thanks for sharing this script, it is very helpful.

However, there is one critical flaw. The script assumes that if the S3 response to the PutObject is not equal to null, all is well.

That is not the case. In my scenario, I was uploading large files (2GB+), and the PutObject would timeout after a couple of minutes. The S3 response was not equal to null in this case; even though an exception had been thrown. I tested this by running "Write-Host (S3Response.ToString())", and it contained valid XML data.

The only way to reliably make sure your PutObject request succeeded, for the sake of later commands, is to wrap it in a try-catch block.

In my scenario, I was deleting the local file after the PutObject completed, so yes, I learned all of this the hard way.; January 15, 2013 at 8:32 AM
Çınar BAKAN said...: Anyone want to help me modify this to use multiple files?
Amazon s3 has a 5gb limit per file..
I am splitting backup into 4.5gb files and would like this script to run and upload 1 at a time..; August 23, 2013 at 7:15 AM