[NBLUG/talk] Encrypting Files for Cloud Backup

Aaron Grattafiori aaron at digitalinfinity.net
Fri Apr 15 19:40:25 PDT 2016


Yeah, I recently set it up myself with unlimited cloud drive.

-Aaron
On Apr 15, 2016 8:35 PM, <gandalf at sonic.net> wrote:

> Hey, thanks. This looks real good. I'll start digging into it next week. I
> have even found an elaborate setup script just for Amazon.
>
> On 2016-04-15 19:14, Aaron Grattafiori wrote:
>
>> Check out duplicity...
>> On Apr 15, 2016 8:13 PM, <gandalf at sonic.net> wrote:
>>
>>> Well, I just got something working and am setting it up to work over
>>> the weekend.
>>>
>>> tar -zcf - -C /backups/servers itdocs | openssl enc -aes-256-cbc \
>>>   -salt -pass file:/etc/backups/key.bin | aws s3 cp - \
>>>   s3://XXXXXXX/servers/itdocs.160415.tar.gz.aes
>>>
>>> I was able to reverse the command and have it create a fresh itdocs
>>> folder full of goodies in a tmp folder. The key.bin file is 2048
>>> bytes of randomness:
>>>
>>> openssl rand -base64 2048 -out key.bin
>>>
>>> Is this any good? The sample I had only used 128 and I thought 2048
>>> would be better.
>>>
>>> I don't know how good this all is as backup encryption, but it
>>> looks like it should be as good as most. I'm not sure how it's going
>>> to handle the larger backups, but I guess I'll find out on Monday.
>>> It's set to do half Saturday morning and half Sunday morning.
>>>
>>> On 2016-04-15 18:46, Zack Zatkin-Gold wrote:
>>> I was about to say -- usually when you see malloc errors in a piece of
>>> software, it's because that software is unable to allocate more memory!
>>>
>>> On Fri, Apr 15, 2016 at 9:19 PM,  <gandalf at sonic.net> wrote:
>>> I think I found the problem. The method works for large files but openssl
>>> loads the entire file into memory and hence it needs one gigabyte of memory
>>> available for every gigabyte of file. This method isn't going to work to
>>> encrypt a 500gig file and indeed breaks on my two gig test backup.
>>>
>>> Anybody have any suggestions for encrypting very large backup files?
>>>
>>> On 2016-04-15 15:41, gandalf at sonic.net wrote:
>>>
>>> I was looking for a way to encrypt files using a key or keys and found
>>> this article:
>>>
>>> https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399 [1]
>>>
>>> I tried it out and it worked, but oddly when I moved the keys to a
>>> different folder openssl said it couldn't find them. Of course I
>>> adjusted the encryption/decryption commands to point to the proper
>>> files. I moved them back to /root and suddenly they work.
>>>
>>> Here's the command the article says to use to create keys:
>>> openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout \
>>>   MyCompanyBackupsPRIVATE.pem -out MyCompanyBackupsPublicCert.pem \
>>>   -subj '/'
>>>
>>> Here's one of the errors I got:
>>> root at vault:/etc/backups/tmp# openssl smime -in
>>> itdocs.160415.tar.gz.aes -decrypt -binary -inform DEM -inkey
>>> ../MSRI-Backups-PRIVATE.pem | tar -zx -f -
>>> Error reading S/MIME message
>>> 139777656317600:error:07069041:memory buffer
>>> routines:BUF_MEM_grow_clean:malloc failure:buffer.c:159:
>>> 139777656317600:error:0D06B041:asn1 encoding
>>> routines:ASN1_D2I_READ_BIO:malloc failure:a_d2i_fp.c:242:
>>>
>>> gzip: stdin: unexpected end of file
>>> tar: Child returned status 1
>>> tar: Error is not recoverable: exiting now
>>>
>>> Moved the pem files back to /root and everything works great. Although
>>> I find this reassuring I also find it disturbing as these keys are for
>>> encrypting backups and they may have to be manually typed in on a new
>>> system and used to restore an offsite backup from a disaster. I'd like
>>> to know that I can put these keys in a folder and use them to decrypt
>>> backups.
>>>
>>> _______________________________________________
>>> talk mailing list
>>> talk at nblug.org
>>> http://nblug.org/cgi-bin/mailman/listinfo/talk [2]
>>
>> Links:
>> ------
>> [1] https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399
>> [2] http://nblug.org/cgi-bin/mailman/listinfo/talk