<p dir="ltr">Server-side encryption isn't really a secure solution for most threat models, including typical cloud backup scenarios.</p>
<p dir="ltr">Client-side encryption is a better option, via something like duplicity, although you then have to remember to back up the (strongly password-protected) encryption key somewhere. </p>
<p dir="ltr">-Aaron</p>
<div class="gmail_quote">On Apr 16, 2016 7:25 AM, "Omar Eljumaily" <<a href="mailto:omar@omnicode.com">omar@omnicode.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Amazon seems to offer encryption through a setting. That may be easier than what you're attempting.<br>
<a href="https://aws.amazon.com/blogs/aws/new-amazon-s3-server-side-encryption/" target="_blank">https://aws.amazon.com/blogs/aws/new-amazon-s3-server-side-encryption/</a><br>
<br>
I use Google Cloud, and they encrypt as a standard feature. <br>
<a href="https://cloud.google.com/storage/docs/gsutil/addlhelp/SecurityandPrivacyConsiderations#encryption-at-rest" target="_blank">https://cloud.google.com/storage/docs/gsutil/addlhelp/SecurityandPrivacyConsiderations#encryption-at-rest</a><br>
<br>
All Google Cloud Storage data are stored encrypted. For more information see <a href="https://cloud.google.com/storage/docs/concepts-techniques#encryption" target="_blank">Server-Side Encryption</a>.
<div>
<p>You can also provide your own encryption keys. For more information, see <a href="https://cloud.google.com/storage/docs/gsutil/addlhelp/SecurityandPrivacyConsiderations#id1" target="_blank">gsutil help encryption</a>.</p>
</div>
<br>
On 4/15/2016 7:35 PM, <a href="mailto:gandalf@sonic.net" target="_blank">gandalf@sonic.net</a> wrote:<br>
</div>
<blockquote type="cite">Hey, thanks. This looks real good. I'll start digging into it next week. I have even found an elaborate setup script just for Amazon.
<br>
<br>
On 2016-04-15 19:14, Aaron Grattafiori wrote:
<br>
<blockquote type="cite">Check out duplicity...
<br>
On Apr 15, 2016 8:13 PM, <a href="mailto:gandalf@sonic.net" target="_blank">&lt;gandalf@sonic.net&gt;</a> wrote:
<br>
<br>
<blockquote type="cite">Well I just got something working and am setting it up to work over the weekend.
<br>
<br>
tar -zcf - -C /backups/servers itdocs | openssl enc -aes-256-cbc -salt -pass file:/etc/backups/key.bin | aws s3 cp - s3://XXXXXXX/servers/itdocs.160415.tar.gz.aes
<br>
<br>
I was able to reverse the command and have it create a fresh itdocs folder full of goodies in a tmp folder. The key.bin file is 2048 bytes of randomness:
<br>
<br>
openssl rand -base64 2048 -out key.bin
<br>
<br>
Is this any good? The sample I had only used 128 and I thought 2048 would be better.
<br>
<br>
I don't know how good this all is as backup encryption, but it looks like it should be as good as most. I'm not sure how it's going to handle the larger backups, but I guess I'll find out on Monday. It's set to do half Saturday morning and half Sunday morning.
<br>
<br>
On 2016-04-15 18:46, Zack Zatkin-Gold wrote:
<br>
I was about to say -- usually when you see malloc errors in a piece of software, it's because that software is unable to allocate more memory!
<br>
<br>
On Fri, Apr 15, 2016 at 9:19 PM, <a href="mailto:gandalf@sonic.net" target="_blank">&lt;gandalf@sonic.net&gt;</a> wrote:
<br>
I think I found the problem. The method works for large files but openssl loads the entire file into memory and hence it needs one gigabyte of memory available for every gigabyte of file. This method isn't going to work to encrypt a 500 gig file and indeed breaks on my two gig test backup.
<br>
<br>
Anybody have any suggestions for encrypting very large backup files?
<br>
<br>
On 2016-04-15 15:41, <a href="mailto:gandalf@sonic.net" target="_blank">gandalf@sonic.net</a> wrote:
<br>
<br>
I was looking for a way to encrypt files using a key or keys and found this article:
<br>
<a href="https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399" target="_blank">https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399</a> [1]
<br>
<br>
I tried it out and it worked, but oddly when I moved the keys to a different folder openssl said it couldn't find them. Of course I adjusted the encryption/decryption commands to point to the proper files. I moved them back to /root and suddenly they work.
<br>
<br>
Here's the command the article says to use to create keys:
<br>
openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout MyCompanyBackupsPRIVATE.pem -out MyCompanyBackupsPublicCert.pem -subj '/'
<br>
<br>
Here's one of the errors I got:
<br>
root@vault:/etc/backups/tmp# openssl smime -in itdocs.160415.tar.gz.aes -decrypt -binary -inform DEM -inkey ../MSRI-Backups-PRIVATE.pem | tar -zx -f -
<br>
Error reading S/MIME message
<br>
139777656317600:error:07069041:memory buffer routines:BUF_MEM_grow_clean:malloc failure:buffer.c:159:
<br>
139777656317600:error:0D06B041:asn1 encoding routines:ASN1_D2I_READ_BIO:malloc failure:a_d2i_fp.c:242:
<br>
<br>
gzip: stdin: unexpected end of file
<br>
tar: Child returned status 1
<br>
tar: Error is not recoverable: exiting now
<br>
<br>
Moved the pem files back to /root and everything works great. Although I find this reassuring I also find it disturbing as these keys are for encrypting backups and they may have to be manually typed in on a new system and used to restore an offsite backup from a disaster. I'd like to know that I can put these keys in a folder and use them to decrypt backups.
<br>
_______________________________________________
<br>
talk mailing list
<br>
<a href="mailto:talk@nblug.org" target="_blank">talk@nblug.org</a>
<br>
<a href="http://nblug.org/cgi-bin/mailman/listinfo/talk" target="_blank">http://nblug.org/cgi-bin/mailman/listinfo/talk</a> [2]
<br>
<br>
</blockquote>
<br>
<br>
Links:
<br>
------
<br>
[1] <a href="https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399" target="_blank">https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399</a>
<br>
[2] <a href="http://nblug.org/cgi-bin/mailman/listinfo/talk" target="_blank">http://nblug.org/cgi-bin/mailman/listinfo/talk</a>
<br>
<br>
</blockquote>
</blockquote>
<br>
</div>
<br></blockquote></div>
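<p>Added example, written for this page and not code from the thread or from any of its authors. It does two things the thread circles around. First, it keeps the streaming shape of the working <code>tar | openssl enc | aws s3 cp -</code> pipeline but wraps a fresh per-backup AES key under an RSA public key with <code>openssl pkeyutl</code>, so the private key can stay offline (the goal of the <code>openssl smime</code> approach) while the archive itself streams and is never held in memory whole, which is what broke the smime decrypt on a two gig file. Second, it checks the <code>key.bin</code> idea: <code>openssl enc -pass file:</code> reads only the first line of the file as the password, and <code>openssl rand -base64</code> wraps its output at 64 characters, so the check encrypts with the full 2048-byte <code>key.bin</code> and then decrypts with just its first line. Assumed, and not from the thread: openssl 1.1 or newer on PATH, a writable scratch directory, a local file standing in for the S3 upload, and made-up file and key names.</p>

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl >= 1.1 on PATH and a
# writable scratch dir; a local file stands in for "aws s3 cp - s3://...".
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Keypair for wrapping data keys. Only the public key needs to be on the backup
# host; the private key is what gets escrowed/printed for disaster recovery.
gen_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/backup_priv.pem" 2>/dev/null
  openssl pkey -in "$WORK/backup_priv.pem" -pubout -out "$WORK/backup_pub.pem"
}

# encrypt_stream SRC_DIR NAME
# Fresh 256-bit key + 128-bit IV per backup, wrapped with RSA-OAEP (under 100
# bytes go through pkeyutl). The archive streams tar -> gzip -> AES-256-CBC and
# is never held in memory whole, unlike 'openssl smime' on a single blob.
encrypt_stream() {
  src="$1"; name="$2"
  keymat=$(openssl rand -hex 48)                     # 96 hex chars
  key=$(printf %s "$keymat" | cut -c1-64)            # 32-byte AES key
  iv=$(printf %s "$keymat" | cut -c65-96)            # 16-byte IV
  printf '%s\n' "$keymat" | openssl pkeyutl -encrypt -pubin \
    -inkey "$WORK/backup_pub.pem" -pkeyopt rsa_padding_mode:oaep \
    -out "$WORK/$name.key.rsa"
  # Replace the redirect with "aws s3 cp - s3://bucket/path" on a real host.
  tar -zcf - -C "$(dirname "$src")" "$(basename "$src")" \
    | openssl enc -aes-256-cbc -K "$key" -iv "$iv" > "$WORK/$name.tar.gz.aes"
}

# decrypt_stream NAME DEST_DIR: unwrap the data key with the private key, then
# stream the archive back through openssl enc -d | tar.
decrypt_stream() {
  name="$1"; dest="$2"
  keymat=$(openssl pkeyutl -decrypt -inkey "$WORK/backup_priv.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/$name.key.rsa")
  key=$(printf %s "$keymat" | cut -c1-64)
  iv=$(printf %s "$keymat" | cut -c65-96)
  mkdir -p "$dest"
  openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in "$WORK/$name.tar.gz.aes" \
    | tar -zx -C "$dest" -f -
}

# Round trip on constructed sample data (a 3 MB random blob, bigger than any
# pipe buffer). Prints "restore-ok" when the restored file matches the original.
demo() {
  gen_keys
  mkdir -p "$WORK/itdocs"
  printf 'constructed sample document\n' > "$WORK/itdocs/readme.txt"
  dd if=/dev/urandom of="$WORK/itdocs/blob.bin" bs=1024 count=3000 2>/dev/null
  encrypt_stream "$WORK/itdocs" itdocs.160415
  decrypt_stream itdocs.160415 "$WORK/restore"
  cmp -s "$WORK/itdocs/blob.bin" "$WORK/restore/itdocs/blob.bin" && echo restore-ok
}

# Check on the '-pass file:key.bin' idea: openssl enc takes only the FIRST LINE
# of that file as the password, and 'openssl rand -base64' wraps at 64 chars,
# so a 2048-byte key.bin contributes 64 base64 characters (48 random bytes).
# Prints "first-line-only" if decrypting with just line 1 of key.bin succeeds.
passfile_uses_first_line() {
  openssl rand -base64 -out "$WORK/key.bin" 2048
  head -n 1 "$WORK/key.bin" > "$WORK/key.line1"
  printf 'constructed sample\n' > "$WORK/p.txt"
  openssl enc -aes-256-cbc -salt -pass "file:$WORK/key.bin" \
    -in "$WORK/p.txt" -out "$WORK/p.aes" 2>/dev/null
  if openssl enc -d -aes-256-cbc -pass "file:$WORK/key.line1" \
       -in "$WORK/p.aes" 2>/dev/null | cmp -s - "$WORK/p.txt"; then
    echo first-line-only
  else
    echo whole-file
  fi
}

demo
passfile_uses_first_line
```

<p>Two caveats a practitioner would add. Neither the thread's command nor this example authenticates the ciphertext: AES-256-CBC under <code>openssl enc</code> has no MAC, and <code>openssl enc</code> does not do AEAD modes, so a tampered or truncated archive is only noticed when tar or gzip chokes on it; a tool like duplicity handles this for you, which is the practical reason to prefer it. And the RSA private key here is the only way back in, so it, not the per-backup data keys, is what has to be backed up offline and tested on a fresh machine.</p>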