<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">I've never heard of a server side cloud
      encryption hack.  Maybe you can give some examples.<br>
      <br>
      <br>
      On 4/16/2016 6:33 AM, Aaron Grattafiori wrote:<br>
    </div>
    <blockquote
cite="mid:CAFNk+g76BEy3iu=rYi3MmtK8ed-KD2Wh0UgyDkY2NiWJM7YoPQ@mail.gmail.com"
      type="cite">
      <p dir="ltr">Server side encryption isn't really a secure solution
        for most threat models, including typical cloud backup
        scenarios.</p>
      <p dir="ltr">Client side encryption is a better option, via
        something like duplicity, although you then have to remember to
        backup the (strongly password protected) encryption key
        somewhere. </p>
      <p dir="ltr">-Aaron</p>
      <div class="gmail_quote">On Apr 16, 2016 7:25 AM, "Omar Eljumaily"
        <<a moz-do-not-send="true" href="mailto:omar@omnicode.com">omar@omnicode.com</a>>
        wrote:<br type="attribution">
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000">
            <div>Amazon seems to offer encryption through a setting. 
              That may be easier than what you're attempting.<br>
              <a moz-do-not-send="true"
href="https://aws.amazon.com/blogs/aws/new-amazon-s3-server-side-encryption/"
                target="_blank">https://aws.amazon.com/blogs/aws/new-amazon-s3-server-side-encryption/</a><br>
              <br>
              I use Google cloud, and they encrypt as a standard
              feature. <br>
              <a moz-do-not-send="true"
href="https://cloud.google.com/storage/docs/gsutil/addlhelp/SecurityandPrivacyConsiderations#encryption-at-rest"
                target="_blank">https://cloud.google.com/storage/docs/gsutil/addlhelp/SecurityandPrivacyConsiderations#encryption-at-rest</a><br>
              <br>
              All Google Cloud Storage data are stored encrypted. For
              more information see <a moz-do-not-send="true"
href="https://cloud.google.com/storage/docs/concepts-techniques#encryption"
                target="_blank">Server-Side Encryption</a>.
              <div>
                <p>You can also provide your own encryption keys. For
                  more information, see <a moz-do-not-send="true"
href="https://cloud.google.com/storage/docs/gsutil/addlhelp/SecurityandPrivacyConsiderations#id1"
                    target="_blank"><span>``</span></a>gsutil help
                  encryption
                  </storage/docs/gsutil/addlhelp/SupplyingYourOwnEncryptionKeys>`_`.</p>
              </div>
              <br>
              On 4/15/2016 7:35 PM, <a moz-do-not-send="true"
                href="mailto:gandalf@sonic.net" target="_blank">gandalf@sonic.net</a>
              wrote:<br>
            </div>
            <blockquote type="cite">Hey, thanks. This looks real good.
              I'll start digging into it next week. I have even found a
              elaborate setup script just for Amazon. <br>
              <br>
              On 2016-04-15 19:14, Aaron Grattafiori wrote: <br>
              <blockquote type="cite">Checkout duplicity... <br>
                On Apr 15, 2016 8:13 PM, <a moz-do-not-send="true"
                  href="mailto:gandalf@sonic.net" target="_blank"><gandalf@sonic.net></a>
                wrote: <br>
                <br>
                <blockquote type="cite">Well I just got something
                  working and am setting it up to work over <br>
                  the weekend. <br>
                  <br>
                  tar -zcf - -C /backups/servers itdocs | openssl enc
                  -aes-256-cbc <br>
                  -salt -pass <a moz-do-not-send="true">file:/etc/backups/key.bin</a>
                  | aws s3 cp - <br>
                  s3://XXXXXXX/servers/itdocs.160415.tar.gz.aes <br>
                  <br>
                  I was able to reverse the command and have it create a
                  fresh itdocs <br>
                  folder full of goodies in a tmp folder. The key.bin
                  file is 2048 <br>
                  bytes of randomness: <br>
                  <br>
                  openssl rand -base64 2048 -out key.bin <br>
                  <br>
                  Is this any good? The sample I had only used 128 and I
                  thought 2048 <br>
                  would be better. <br>
                  <br>
                  I don't know how good this all is as backup
                  encryption, but it <br>
                  looks like it should be as good as most. I'm not sure
                  how it's going <br>
                  to handle the larger backups, but I guess I'll find
                  out on Monday. <br>
                  It's set to do half Saturday morning and half Sunday
                  morning. <br>
                  <br>
                  On 2016-04-15 18:46, Zack Zatkin-Gold wrote: <br>
                  I was about to say -- usually when you see malloc
                  errors in a piece <br>
                  of <br>
                  software, it's because that software is unable to
                  allocate more <br>
                  memory! <br>
                  <br>
                  On Fri, Apr 15, 2016 at 9:19 PM,  <a
                    moz-do-not-send="true"
                    href="mailto:gandalf@sonic.net" target="_blank"><a class="moz-txt-link-rfc2396E" href="mailto:gandalf@sonic.net"><gandalf@sonic.net></a></a>
                  wrote: <br>
                  I think I found the problem. The method works for
                  large files but <br>
                  openssl <br>
                  loads the entire file into memory and hence it needs
                  one gigabyte <br>
                  of memory <br>
                  available for every gigabyte of file. This method
                  isn't going to <br>
                  work to <br>
                  encrypt a 500gig file and indeed breaks on my two gig
                  test backup. <br>
                  <br>
                  Anybody have any suggestions for encrypting very large
                  backup <br>
                  files? <br>
                  <br>
                  On 2016-04-15 15:41, <a moz-do-not-send="true"
                    href="mailto:gandalf@sonic.net" target="_blank">gandalf@sonic.net</a>
                  wrote: <br>
                  <br>
                  I was looking for a way to encrypt files using a key
                  or keys and <br>
                  found <br>
                  this article: <br>
                  <br>
                  <br>
                </blockquote>
                <a moz-do-not-send="true"
href="https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399"
                  target="_blank">https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399</a>
                <br>
                <blockquote type="cite">[1] <br>
                  <br>
                  I tied it out and it worked, but oddly when I moved
                  the keys to a <br>
                  different folder openssl said it couldn't find them.
                  Of course I <br>
                  adjusted the encryption/description commands to point
                  to the proper <br>
                  files. I moved them back to /root and suddenly they
                  work. <br>
                  <br>
                  Here's the command the article says to use to create
                  keys: <br>
                  openssl req -x509 -nodes -days 100000 -newkey rsa:2048
                  -keyout <br>
                  MyCompanyBackupsPRIVATE.pem -out
                  MyCompanyBackupsPublicCert.pem <br>
                  -subj <br>
                  '/' <br>
                  <br>
                  Here's one of the errors I got: <br>
                  root@vault:/etc/backups/tmp# openssl smime -in <br>
                  itdocs.160415.tar.gz.aes -decrypt -binary -inform DEM
                  -inkey <br>
                  ../MSRI-Backups-PRIVATE.pem | tar -zx -f - <br>
                  Error reading S/MIME message <br>
                  139777656317600:error:07069041:memory buffer <br>
                  routines:BUF_MEM_grow_clean:malloc
                  failure:buffer.c:159: <br>
                  139777656317600:error:0D06B041:asn1 encoding <br>
                  routines:ASN1_D2I_READ_BIO:malloc
                  failure:a_d2i_fp.c:242: <br>
                  <br>
                  gzip: stdin: unexpected end of file <br>
                  tar: Child returned status 1 <br>
                  tar: Error is not recoverable: exiting now <br>
                  <br>
                  Moved the pem files back to /root and everything works
                  great. <br>
                  Although <br>
                  I find this reassuring I also find it disturbing as
                  these keys are <br>
                  for <br>
                  encrypting backups and they may have to be manually
                  typed in on a <br>
                  new <br>
                  system and used to restore an offsite backup from a
                  disaster. I'd <br>
                  like <br>
                  to know that I can put these keys in folder and use
                  them to decrypt <br>
                  backups. <br>
                  <br>
                  _______________________________________________ <br>
                  talk mailing list <br>
                  <a moz-do-not-send="true" href="mailto:talk@nblug.org"
                    target="_blank">talk@nblug.org</a> <br>
                  <a moz-do-not-send="true"
                    href="http://nblug.org/cgi-bin/mailman/listinfo/talk"
                    target="_blank">http://nblug.org/cgi-bin/mailman/listinfo/talk</a>
                  [2] <br>
                  <br>
                  _______________________________________________ <br>
                  talk mailing list <br>
                  <a moz-do-not-send="true" href="mailto:talk@nblug.org"
                    target="_blank">talk@nblug.org</a> <br>
                  <a moz-do-not-send="true"
                    href="http://nblug.org/cgi-bin/mailman/listinfo/talk"
                    target="_blank">http://nblug.org/cgi-bin/mailman/listinfo/talk</a>
                  [2] <br>
                </blockquote>
                 _______________________________________________ <br>
                 talk mailing list <br>
                 <a moz-do-not-send="true" href="mailto:talk@nblug.org"
                  target="_blank">talk@nblug.org</a> <br>
                 <a moz-do-not-send="true"
                  href="http://nblug.org/cgi-bin/mailman/listinfo/talk"
                  target="_blank">http://nblug.org/cgi-bin/mailman/listinfo/talk</a>
                [2] <br>
                <br>
                <br>
                Links: <br>
                ------ <br>
                [1] <br>
                <a moz-do-not-send="true"
href="https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399"
                  target="_blank">https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399</a>
                <br>
                [2] <a moz-do-not-send="true"
                  href="http://nblug.org/cgi-bin/mailman/listinfo/talk"
                  target="_blank">http://nblug.org/cgi-bin/mailman/listinfo/talk</a>
                <br>
                <br>
                _______________________________________________ <br>
                talk mailing list <br>
                <a moz-do-not-send="true" href="mailto:talk@nblug.org"
                  target="_blank">talk@nblug.org</a> <br>
                <a moz-do-not-send="true"
                  href="http://nblug.org/cgi-bin/mailman/listinfo/talk"
                  target="_blank">http://nblug.org/cgi-bin/mailman/listinfo/talk</a>
                <br>
              </blockquote>
              _______________________________________________ <br>
              talk mailing list <br>
              <a moz-do-not-send="true" href="mailto:talk@nblug.org"
                target="_blank">talk@nblug.org</a> <br>
              <a moz-do-not-send="true"
                href="http://nblug.org/cgi-bin/mailman/listinfo/talk"
                target="_blank">http://nblug.org/cgi-bin/mailman/listinfo/talk</a>
              <br>
            </blockquote>
            <br>
          </div>
          <br>
          _______________________________________________<br>
          talk mailing list<br>
          <a moz-do-not-send="true" href="mailto:talk@nblug.org">talk@nblug.org</a><br>
          <a moz-do-not-send="true"
            href="http://nblug.org/cgi-bin/mailman/listinfo/talk"
            rel="noreferrer" target="_blank">http://nblug.org/cgi-bin/mailman/listinfo/talk</a><br>
          <br>
        </blockquote>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
talk mailing list
<a class="moz-txt-link-abbreviated" href="mailto:talk@nblug.org">talk@nblug.org</a>
<a class="moz-txt-link-freetext" href="http://nblug.org/cgi-bin/mailman/listinfo/talk">http://nblug.org/cgi-bin/mailman/listinfo/talk</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>