[NBLUG/talk] Encrypting Files for Cloud Backup

gandalf at sonic.net gandalf at sonic.net
Fri Apr 15 19:13:37 PDT 2016


Well I just got something working and am setting it up to work over the 
weekend.

tar -zcf - -C /backups/servers itdocs |
  openssl enc -aes-256-cbc -salt -pass file:/etc/backups/key.bin |
  aws s3 cp - s3://XXXXXXX/servers/itdocs.160415.tar.gz.aes

I was able to reverse the command and have it create a fresh itdocs 
folder full of goodies in a tmp folder. The key.bin file is 2048 bytes 
of randomness:

openssl rand -base64 2048 -out key.bin

Is this any good? The sample I had only used 128 and I thought 2048 
would be better.

I don't know how good this all is as backup encryption, but it looks 
like it should be as good as most. I'm not sure how it's going to handle 
the larger backups, but I guess I'll find out on Monday. It's set to do 
half Saturday morning and half Sunday morning.





On 2016-04-15 18:46, Zack Zatkin-Gold wrote:
> I was about to say -- usually when you see malloc errors in a piece of
> software, it's because that software is unable to allocate more memory!
> 
> On Fri, Apr 15, 2016 at 9:19 PM,  <gandalf at sonic.net> wrote:
>> I think I found the problem. The method works for large files but openssl
>> loads the entire file into memory and hence it needs one gigabyte of memory
>> available for every gigabyte of file. This method isn't going to work to
>> encrypt a 500gig file and indeed breaks on my two gig test backup.
>> 
>> Anybody have any suggestions for encrypting very large backup files?
>> 
>> 
>> 
>> On 2016-04-15 15:41, gandalf at sonic.net wrote:
>>> 
>>> I was looking for a way to encrypt files using a key or keys and found
>>> this article:
>>> 
>>> https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399
>>> 
>>> I tried it out and it worked, but oddly when I moved the keys to a
>>> different folder openssl said it couldn't find them. Of course I
>>> adjusted the encryption/decryption commands to point to the proper
>>> files. I moved them back to /root and suddenly they work.
>>> 
>>> Here's the command the article says to use to create keys:
>>> openssl req -x509 -nodes -days 100000 -newkey rsa:2048 \
>>>   -keyout MyCompanyBackupsPRIVATE.pem -out MyCompanyBackupsPublicCert.pem \
>>>   -subj '/'
>>> 
>>> 
>>> Here's one of the errors I got:
>>> root at vault:/etc/backups/tmp# openssl smime -in
>>> itdocs.160415.tar.gz.aes -decrypt -binary -inform DEM -inkey
>>> ../MSRI-Backups-PRIVATE.pem | tar -zx -f -
>>> Error reading S/MIME message
>>> 139777656317600:error:07069041:memory buffer
>>> routines:BUF_MEM_grow_clean:malloc failure:buffer.c:159:
>>> 139777656317600:error:0D06B041:asn1 encoding
>>> routines:ASN1_D2I_READ_BIO:malloc failure:a_d2i_fp.c:242:
>>> 
>>> gzip: stdin: unexpected end of file
>>> tar: Child returned status 1
>>> tar: Error is not recoverable: exiting now
>>> 
>>> Moved the pem files back to /root and everything works great. Although
>>> I find this reassuring I also find it disturbing as these keys are for
>>> encrypting backups and they may have to be manually typed in on a new
>>> system and used to restore an offsite backup from a disaster. I'd like
>>> to know that I can put these keys in a folder and use them to decrypt
>>> backups.
>>> 
>>> 
>>> _______________________________________________
>>> talk mailing list
>>> talk at nblug.org
>>> http://nblug.org/cgi-bin/mailman/listinfo/talk
>> 
>> _______________________________________________
>> talk mailing list
>> talk at nblug.org
>> http://nblug.org/cgi-bin/mailman/listinfo/talk
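
Added example, not part of the original post or thread: a restore drill for the `tar | openssl enc` pipeline above, run on constructed data in a temp directory. It shows that `-pass file:` takes only the first line of `key.bin` as the passphrase, and it pins `-md sha256` (an addition to the post's options) because the default key-derivation digest changed from MD5 to SHA-256 in OpenSSL 1.1.0. Function names, file names and sample data are hypothetical; it assumes OpenSSL 1.1.0 or later, where `rand` options must precede the byte count.

```shell
#!/bin/sh
# Restore drill for the tar | openssl enc pipeline, run on constructed data.
# Same options as the post, plus -md sha256 (added here, see the lead-in).
ENC="openssl enc -aes-256-cbc -salt -md sha256"

# make_fixture DIR: key file sized and encoded as in the post, plus a small
# constructed "itdocs" tree standing in for a real backup.
make_fixture() {
    mkdir -p "$1/src/itdocs" || return 1
    openssl rand -base64 -out "$1/key.bin" 2048 || return 1
    head -n 1 "$1/key.bin" > "$1/key.line1"       # first line only
    # Same file with a different first line: every later line is unchanged.
    { openssl rand -base64 48; tail -n +2 "$1/key.bin"; } > "$1/key.swapped"
    openssl rand -out "$1/src/itdocs/blob.bin" 1048576
    echo "constructed sample document" > "$1/src/itdocs/readme.txt"
}

# encrypt_backup DIR: tar -> gzip -> AES, streamed through pipes.
encrypt_backup() {
    tar -zcf - -C "$1/src" itdocs |
        $ENC -pass "file:$1/key.bin" > "$1/itdocs.tar.gz.aes"
}

# restore_matches DIR KEYFILE: decrypt with KEYFILE into DIR/restore and
# compare the result with the source tree. Returns 0 only on an exact match.
restore_matches() {
    rm -rf "$1/restore" && mkdir -p "$1/restore" || return 1
    $ENC -d -pass "file:$2" < "$1/itdocs.tar.gz.aes" |
        tar -zxf - -C "$1/restore" || return 1
    diff -r "$1/src/itdocs" "$1/restore/itdocs" > /dev/null
}

# restore_drill: 0 when the full key file and its first line both restore
# the backup and the swapped-first-line key does not.
restore_drill() {
    d=$(mktemp -d) || return 1
    make_fixture "$d" && encrypt_backup "$d" || { rm -rf "$d"; return 1; }
    rc=0
    restore_matches "$d" "$d/key.bin"     || rc=2
    restore_matches "$d" "$d/key.line1"   || rc=3
    restore_matches "$d" "$d/key.swapped" 2> /dev/null && rc=4
    rm -rf "$d"
    return $rc
}
```

Source the file and call `restore_drill`; a non-zero status names the step that failed (2 full key, 3 first line, 4 swapped key unexpectedly accepted).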