<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt'>
<p>I played around with it loading files and then encrypting them. I even uploaded a complete server file folder and encrypted that (took hours to encrypt...gave up). I was concerned about the files being encrypted in transfer. I think I saw that they had a method that encrypted in transfer but I'd be trusting their software. I preferred encrypting it on my side so it was safe the whole way and back.</p>
<p>If I understand correctly, duplicity offers the best of both worlds, allowing you to do an rsync update of compressed encrypted archives. This is ideal as rsync backups only update the updated files. Also you can do things like copy your backup on the cloud as a snapshot and then rsync the original. Now you have snapshots for two weeks without additional transfer times.</p>
<p>Right now my first goal is to get encrypted backups on the cloud. Looks like it's going well, but it's still transferring the first server backup. It's set to back up half the servers Saturday morning and the other half Sunday.</p>
<p> </p>
<p>On 2016-04-16 06:24, Omar Eljumaily wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div class="moz-cite-prefix">Amazon seems to offer encryption through a setting. That may be easier than what you're attempting.<br /><a class="moz-txt-link-freetext" href="https://aws.amazon.com/blogs/aws/new-amazon-s3-server-side-encryption/">https://aws.amazon.com/blogs/aws/new-amazon-s3-server-side-encryption/</a><br /><br /> I use Google cloud, and they encrypt as a standard feature. <br /><a class="moz-txt-link-freetext" href="https://cloud.google.com/storage/docs/gsutil/addlhelp/SecurityandPrivacyConsiderations#encryption-at-rest">https://cloud.google.com/storage/docs/gsutil/addlhelp/SecurityandPrivacyConsiderations#encryption-at-rest</a><br /><br /> All Google Cloud Storage data are stored encrypted. For more information see <a class="reference external" href="https://cloud.google.com/storage/docs/concepts-techniques#encryption">Server-Side Encryption</a>.
<div id="encryption-at-rest" class="section">
<p>You can also provide your own encryption keys. For more information, see "gsutil help encryption".</p>
</div>
<br /> On 4/15/2016 7:35 PM, <a class="moz-txt-link-abbreviated" href="mailto:gandalf@sonic.net">gandalf@sonic.net</a> wrote:</div>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">Hey, thanks. This looks real good. I'll start digging into it next week. I have even found an elaborate setup script just for Amazon. <br /><br /> On 2016-04-15 19:14, Aaron Grattafiori wrote: <br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">Check out duplicity... <br /> On Apr 15, 2016 8:13 PM, <a class="moz-txt-link-rfc2396E" href="mailto:gandalf@sonic.net">&lt;gandalf@sonic.net&gt;</a> wrote: <br /><br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">Well I just got something working and am setting it up to work over the weekend. <br /><br />
 tar -zcf - -C /backups/servers itdocs | openssl enc -aes-256-cbc -salt -pass file:/etc/backups/key.bin | aws s3 cp - s3://XXXXXXX/servers/itdocs.160415.tar.gz.aes <br /><br />
 I was able to reverse the command and have it create a fresh itdocs folder full of goodies in a tmp folder. The key.bin file is 2048 bytes of randomness: <br /><br />
 openssl rand -base64 2048 -out key.bin <br /><br />
 Is this any good? The sample I had only used 128 and I thought 2048 would be better. <br /><br />
 I don't know how good this all is as backup encryption, but it looks like it should be as good as most. I'm not sure how it's going to handle the larger backups, but I guess I'll find out on Monday. It's set to do half Saturday morning and half Sunday morning. <br /><br />
 On 2016-04-15 18:46, Zack Zatkin-Gold wrote: <br /> I was about to say -- usually when you see malloc errors in a piece of software, it's because that software is unable to allocate more memory! <br /><br />
 On Fri, Apr 15, 2016 at 9:19 PM, <a class="moz-txt-link-rfc2396E" href="mailto:gandalf@sonic.net">&lt;gandalf@sonic.net&gt;</a> wrote: <br /> I think I found the problem. The method works for large files but openssl loads the entire file into memory and hence it needs one gigabyte of memory available for every gigabyte of file. This method isn't going to work to encrypt a 500gig file and indeed breaks on my two gig test backup. <br /><br />
 Anybody have any suggestions for encrypting very large backup files? <br /><br />
 On 2016-04-15 15:41, <a class="moz-txt-link-abbreviated" href="mailto:gandalf@sonic.net">gandalf@sonic.net</a> wrote: <br /><br />
 I was looking for a way to encrypt files using a key or keys and found this article: <br /><br /></blockquote>
<a class="moz-txt-link-freetext" href="https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399">https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399</a> <br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">[1] <br /><br />
 I tried it out and it worked, but oddly when I moved the keys to a different folder openssl said it couldn't find them. Of course I adjusted the encryption/decryption commands to point to the proper files. I moved them back to /root and suddenly they work. <br /><br />
 Here's the command the article says to use to create keys: <br />
 openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout MyCompanyBackupsPRIVATE.pem -out MyCompanyBackupsPublicCert.pem -subj '/' <br /><br />
 Here's one of the errors I got: <br />
 root@vault:/etc/backups/tmp# openssl smime -in itdocs.160415.tar.gz.aes -decrypt -binary -inform DEM -inkey ../MSRI-Backups-PRIVATE.pem | tar -zx -f - <br />
 Error reading S/MIME message <br />
 139777656317600:error:07069041:memory buffer routines:BUF_MEM_grow_clean:malloc failure:buffer.c:159: <br />
 139777656317600:error:0D06B041:asn1 encoding routines:ASN1_D2I_READ_BIO:malloc failure:a_d2i_fp.c:242: <br /><br />
 gzip: stdin: unexpected end of file <br />
 tar: Child returned status 1 <br />
 tar: Error is not recoverable: exiting now <br /><br />
 Moved the pem files back to /root and everything works great. Although I find this reassuring I also find it disturbing as these keys are for encrypting backups and they may have to be manually typed in on a new system and used to restore an offsite backup from a disaster. I'd like to know that I can put these keys in a folder and use them to decrypt backups. <br /><br />
 _______________________________________________ <br /> talk mailing list <br /><a class="moz-txt-link-abbreviated" href="mailto:talk@nblug.org">talk@nblug.org</a> <br /><a class="moz-txt-link-freetext" href="http://nblug.org/cgi-bin/mailman/listinfo/talk">http://nblug.org/cgi-bin/mailman/listinfo/talk</a> [2] </blockquote>
 Links: <br /> ------ <br /> [1] <a class="moz-txt-link-freetext" href="https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399">https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399</a> <br /> [2] <a class="moz-txt-link-freetext" href="http://nblug.org/cgi-bin/mailman/listinfo/talk">http://nblug.org/cgi-bin/mailman/listinfo/talk</a> </blockquote>
</blockquote>
</blockquote>
<p> </p>
<div> </div>
</body></html>