Linux / UNIX: Encrypt Backup Tape Using Tar & OpenSSL

 

How do I make sure only authorized person access my backups stored on the tape drives (DAT, DLT, LTO-4 etc) under Linux or UNIX operating systems? How do I backup /array22/vol4/home/ to /dev/rmt/5mn or /dev/st0 in encrypted mode?


You can easily encrypt data to tape using combination of tar and openssl commands. The following is software based solution based upon encryption algorithms supported by openssl tool. Encrypted backup should be used when storing sensitive data on removable media or when storing backups on shared NAS / SAN servers or online backup servers. When using encryption the openssl ask for a password before you can create, view, open, or restore the files included in the backup. This is based upon pipes concept.

Backup Data

The following shows an example of writing the contents of "tapetest" to tape:

tar zcvf - /array22/vol4/home | openssl des3 -salt | dd of=/dev/st0

An encryption password would be entered by the administrator or backup operator i.e. the above will encrypt a tape using triple DES in CBC mode using a prompted password. You can put password in script itself:

tar zcvf - /array22/vol4/home | openssl des3 -salt  -k "Your-Password-Here" | dd of=/dev/st0

Reading (listing) Files

Type the command as follows:

dd if=/dev/st0 | openssl des3 -d -salt | tar ztvf -

OR

dd if=/dev/st0 | openssl des3 -d -salt -k "Your-Password-Here" | tar ztvf -

Restore The Data

Use the following command to read and restore data back:

dd if=/dev/st0 | openssl des3 -d -salt | tar xzf -

OR

dd if=/dev/st0 | openssl des3 -d -salt -k "Your-Password-Here" | tar xzf -

Where,

  • dd : Convert and copy a file.
  • /dev/st0 : Tape device name.
  • openssl : The OpenSSL toolkit command line utility.
  • tar : The tar archiving utility.
  • des3 : Triple-DES Cipher (Triple DES is the common name for the Triple Data Encryption Algorithm).
  • -salt : The -salt option should ALWAYS be used if the key is being derived from a password unless you want compatibility with previous versions of OpenSSL and SSLeay. Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted. (source enc man page)

Hardware vs Software Encryption

The software encryption is different from the hardware encryption. The hadrware based encryption needs additional software+hardware and it use keys (and/or password) to protect data. I suggest you read vendor site such as HP or IBM to get further details on hardware encryption which may or may not be supported by your backup devices.

Was this answer helpful?

 Print this Article

Also Read

TightVNC Desktop

1. Installing the required packages   The server package is called 'vnc-server'. Run the...

Changing Default SSH port From 22

nano /etc/ssh/sshd_configLook for#Port 22Change "22" to the port you wish to use.CTRL + X, Save...

CentOS / Redhat: Install KVM Virtualization Software

Required Packages You must install the following packages: kmod-kvm : kvm kernel module(s)...

nginx: Send Custom HTTP Headers

How do I send or set arbitrary HTTP headers using nginx web server? You need to use add_header...

How do I find out System / Server Memory Utilization

free command example Type the free command at shell prompt: $ free $ free -m Output:...