[NBLUG/talk] Encrypting Files for Cloud Backup

Aaron Grattafiori aaron at digitalinfinity.net
Fri Apr 15 19:14:44 PDT 2016


Check out duplicity...
On Apr 15, 2016 8:13 PM, <gandalf at sonic.net> wrote:

> Well I just got something working and am setting it up to work over the
> weekend.
>
> tar -zcf - -C /backups/servers itdocs | openssl enc -aes-256-cbc -salt -pass file:/etc/backups/key.bin | aws s3 cp - s3://XXXXXXX/servers/itdocs.160415.tar.gz.aes
>
> I was able to reverse the command and have it create a fresh itdocs folder
> full of goodies in a tmp folder. The key.bin file is 2048 bytes of
> randomness:
>
> openssl rand -base64 2048 -out key.bin
>
> Is this any good? The sample I had only used 128 and I thought 2048 would
> be better.
>
> I don't know how good this all is as backup encryption, but it looks like
> it should be as good as most. I'm not sure how it's going to handle the
> larger backups, but I guess I'll find out on Monday. It's set to do half
> Saturday morning and half Sunday morning.
>
> On 2016-04-15 18:46, Zack Zatkin-Gold wrote:
>
>> I was about to say -- usually when you see malloc errors in a piece of
>> software, it's because that software is unable to allocate more memory!
>>
>> On Fri, Apr 15, 2016 at 9:19 PM,  <gandalf at sonic.net> wrote:
>>
>>> I think I found the problem. The method works for large files but openssl
>>> loads the entire file into memory and hence it needs one gigabyte of
>>> memory available for every gigabyte of file. This method isn't going to
>>> work to encrypt a 500gig file and indeed breaks on my two gig test backup.
>>>
>>> Anybody have any suggestions for encrypting very large backup files?
>>>
>>> On 2016-04-15 15:41, gandalf at sonic.net wrote:
>>>
>>>>
>>>> I was looking for a way to encrypt files using a key or keys and found
>>>> this article:
>>>>
>>>>
>>>> https://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/#comment-399
>>>>
>>>> I tried it out and it worked, but oddly when I moved the keys to a
>>>> different folder openssl said it couldn't find them. Of course I
>>>> adjusted the encryption/decryption commands to point to the proper
>>>> files. I moved them back to /root and suddenly they work.
>>>>
>>>> Here's the command the article says to use to create keys:
>>>> openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout MyCompanyBackupsPRIVATE.pem -out MyCompanyBackupsPublicCert.pem -subj '/'
>>>>
>>>>
>>>> Here's one of the errors I got:
>>>> root at vault:/etc/backups/tmp# openssl smime -in
>>>> itdocs.160415.tar.gz.aes -decrypt -binary -inform DEM -inkey
>>>> ../MSRI-Backups-PRIVATE.pem | tar -zx -f -
>>>> Error reading S/MIME message
>>>> 139777656317600:error:07069041:memory buffer
>>>> routines:BUF_MEM_grow_clean:malloc failure:buffer.c:159:
>>>> 139777656317600:error:0D06B041:asn1 encoding
>>>> routines:ASN1_D2I_READ_BIO:malloc failure:a_d2i_fp.c:242:
>>>>
>>>> gzip: stdin: unexpected end of file
>>>> tar: Child returned status 1
>>>> tar: Error is not recoverable: exiting now
>>>>
>>>> Moved the pem files back to /root and everything works great. Although
>>>> I find this reassuring I also find it disturbing as these keys are for
>>>> encrypting backups and they may have to be manually typed in on a new
>>>> system and used to restore an offsite backup from a disaster. I'd like
>>>> to know that I can put these keys in a folder and use them to decrypt
>>>> backups.
>>>>
>>>>
>>>> _______________________________________________
>>>> talk mailing list
>>>> talk at nblug.org
>>>> http://nblug.org/cgi-bin/mailman/listinfo/talk
>>>>
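The streaming tar-to-openssl pipeline from the thread, written out as an added example (not posted by anyone on the list) with a local output file standing in for the `aws s3 cp -` upload. It assumes OpenSSL 1.1.1 or later (for `-pbkdf2`), GNU or BSD tar, and `diff`; all paths and sample files are constructed in a temporary directory. Two points the thread does not spell out are built in: `-pass file:` reads only the first line of the key file as the passphrase, so a multi-line key such as the output of `openssl rand -base64 2048` (which wraps at 64 characters) contributes just its first 64 characters, and the example therefore writes a single-line key; and AES-CBC provides no integrity check, so a SHA-256 digest of the ciphertext is stored alongside it and verified before any restore is attempted.

```shell
#!/bin/sh
# Added example, not code from the thread. Streams a directory through
# tar and openssl enc with constant memory use, restores it, and checks
# the round trip. Sample files, paths and the key are constructed here.
set -eu

# Throw-away work area with a few constructed sample files.
make_sample_tree() {
    work=$(mktemp -d)
    mkdir -p "$work/src/itdocs/sub"
    printf 'router config v1\n' > "$work/src/itdocs/routers.txt"
    head -c 300000 /dev/urandom > "$work/src/itdocs/sub/blob.bin"
    echo "$work"
}

# Key file holding exactly one 64-character line: "-pass file:" uses only
# the first line of the file as the passphrase, so a multi-line key would
# silently contribute just its first line.
make_key() {
    openssl rand -base64 48 > "$1"      # 48 random bytes -> one 64-char line
    chmod 600 "$1"
}

# Encrypt: tar streams into openssl, openssl streams into the output file,
# so memory use does not grow with backup size (unlike openssl smime).
encrypt_tree() {
    src_parent=$1; name=$2; key=$3; out=$4
    tar -zcf - -C "$src_parent" "$name" \
        | openssl enc -aes-256-cbc -salt -pbkdf2 -pass "file:$key" \
        > "$out"
    # CBC gives no integrity protection; keep a digest of the ciphertext
    # (ideally stored separately) so a corrupted object is caught early.
    openssl dgst -sha256 -r "$out" | cut -d' ' -f1 > "$out.sha256"
}

# Restore: verify the digest first, then reverse the pipeline into dest.
decrypt_tree() {
    in=$1; key=$2; dest=$3
    expected=$(cat "$in.sha256")
    actual=$(openssl dgst -sha256 -r "$in" | cut -d' ' -f1)
    [ "$expected" = "$actual" ] || { echo "digest mismatch for $in" >&2; return 1; }
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$key" -in "$in" \
        | tar -zx -C "$dest" -f -
}

# Full round trip; exits 0 only if the restored tree matches the original.
backup_roundtrip() {
    work=$(make_sample_tree)
    make_key "$work/key.bin"
    encrypt_tree "$work/src" itdocs "$work/key.bin" "$work/itdocs.tar.gz.aes"
    decrypt_tree "$work/itdocs.tar.gz.aes" "$work/key.bin" "$work/restore"
    diff -r "$work/src/itdocs" "$work/restore/itdocs"
}

# A restore with the wrong key file must fail (non-zero from the pipeline).
wrong_key_fails() {
    work=$(make_sample_tree)
    make_key "$work/key.bin"
    make_key "$work/other.bin"
    encrypt_tree "$work/src" itdocs "$work/key.bin" "$work/itdocs.tar.gz.aes"
    if decrypt_tree "$work/itdocs.tar.gz.aes" "$work/other.bin" "$work/restore" 2>/dev/null; then
        return 1
    fi
    return 0
}

# Run directly with "run" to perform the round trip and report.
if [ "${1:-}" = "run" ]; then backup_roundtrip && echo "round trip OK"; fi
```

In a real deployment the digest file and the key file live apart from the object store (the key, in particular, must be restorable without the backup set it protects, which is the restore-from-disaster concern raised earlier in the thread); the local `$out` path here is simply where the `aws s3 cp -` step would read its stdin.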