Currently, we can perform and encrypt a Windows backup with ntbackup and GPG in 2 separate steps in a batch script, as below:
ntbackup backup "@selection_file.bks" /f "backup_file.bak"
gpg --recipient "recipient" --encrypt "backup_file.bak" --output "encrypted_file" --yes --batch
I'm wondering if there's any way to combine these steps to output the backup directly to GPG, without creating an intermediate, unencrypted backup file?
To clarify, I'm looking for something like standard input redirection or piping
prog.exe | prog2.exe
that works with GPG at the command line. Thanks for your time.
I don't think you'll be able to do that. But as an alternative you could probably back up to a mounted TrueCrypt volume.
OK, here's why this isn't going to work.
What you're attempting to do is convince ntbackup to stream backup data to standard out instead of to a file. The problem is that ntbackup is not written to be able to do this. ntbackup must be given the filename to output the data to, and unfortunately in Windows, there is no equivalent to /dev/stdin or /dev/stdout.
In order for this to work, you would need to convince ntbackup to print the raw backup data to the screen. There is no documentation that I am aware of (or have found through searching) that even hints that this is remotely possible. It just wasn't written to do this. Sorry.
Up for some programming? :) You can use a named pipe (aka fifo) to do this, but as far as I can tell, there's no batch-file ready interface.
You could probably use a FIFO file to act as the pipe. Though I'm not exactly sure how you'd create one of these on Windows. But that's generally what they're used for, where you can't use STDOUT to pipe to.
Performing a standard ntbackup and then using gpg does create an intermediate, unencrypted file. However, if you turn on EFS, you can put the backup file in an encrypted folder so that an attacker can't recover plaintext of the .bkf file. That's probably going to be the easiest way to accomplish what you're asking for without completely switching toolsets.
You can't do it with gpg but you can with openssl and mysys:
Here's the manpage, you can even specify a password on the command line if you really need to. This will only work with symmetric encryption.
As Matt_Simmons so lucidly explained, ntbackup won't do output to stdout, so trying to use it is doomed.
gpg, however, will do the right thing if you use (Unix convention) '-' as the file to input.
So now you need a way to gather files that includes 'the ability to easily select and exclude individual files', which tar totally fits the bill for (see the -T and -X flags). Modern versions will even do compression as well, via -z (gzip) and -j (bzip) flags.
And of course you can tie them together with a pipe:
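The tar-to-gpg pipeline described in this answer, written out as an added example that is not part of the original post. It goes a step further than a bare pipe by refusing to publish an archive when tar fails partway. The function names, the list files and the `.partial` / `.tar-ok` suffixes are assumptions, and GNU tar is assumed for `-T` / `-X`.

```shell
#!/bin/sh
# Added example: tar writes the archive to stdout, gpg reads it from stdin
# ('-'), so only ciphertext is ever written to disk.

# Encrypt stdin to stdout for recipient $1. Kept as its own function so the
# cipher step can be swapped without touching the pipeline logic.
encrypt_stream() {
    gpg --batch --yes --recipient "$1" --encrypt --output - -
}

# encrypt_backup INCLUDE_LIST EXCLUDE_LIST RECIPIENT OUTPUT
# INCLUDE_LIST and EXCLUDE_LIST are the files handed to tar -T and -X.
encrypt_backup() {
    include=$1; exclude=$2; recipient=$3; out=$4
    partial="$out.partial"; tar_ok="$out.tar-ok"; enc_rc=0
    rm -f "$partial" "$tar_ok"

    # POSIX sh has no pipefail: the pipeline's status is gpg's alone, so tar
    # records its own success in a marker file that is checked afterwards.
    { tar -czf - -X "$exclude" -T "$include" && : > "$tar_ok"; } |
        ( umask 077; encrypt_stream "$recipient" > "$partial" ) || enc_rc=$?

    if [ "$enc_rc" -ne 0 ] || [ ! -f "$tar_ok" ]; then
        # Never leave a truncated backup that looks like a good one.
        rm -f "$partial" "$tar_ok"
        echo "backup failed; no output written" >&2
        return 1
    fi
    rm -f "$tar_ok"
    mv -f "$partial" "$out"      # publish only a complete archive
}

# Run directly as: script INCLUDE_LIST EXCLUDE_LIST RECIPIENT OUTPUT
if [ "$#" -eq 4 ]; then
    encrypt_backup "$@"
fi
```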
The 7-Zip command line documentation mentions -si and -so switches to read from stdin and write to stdout.
It doesn't mention piping, but if you can write to stdout, I don't see why gpg wouldn't be able to read it in.
I don't believe that ntbackup supports any sort of encryption natively.