SecurityProNews Home Page About iEntry Article Archive News WebProWorld Forums Jayde iEntry Contact Advertise Downloads iEntry
^ click above ^
10.13.03



By Daniel J. Barrett, Richard Silverman, Robert G. Byrnes

Problem
You want to create an encrypted backup.

Solution
Method 1: Pipe through gpg.

To write a tape: 
$ tar cf - mydir | gpg -c | dd of=/dev/tape bs=10k
To read a tape: 
$ dd if=/dev/tape bs=10k | gpg --decrypt | tar xf -
To write an encrypted backup of directory mydir onto a CD-ROM:

Get SecurityConfig Newsletter Free -
">Click Here

 
#!/bin/sh

mkdir destdir

tar cf - mydir | gpg -c > destdir/myfile.tar.gpg

mkisofs -R -l destdir | cdrecord speed=${SPEED} 
     dev=${SCSIDEVICE} -
where SPEED and SCSIDEVICE are specific to your system; see cdrecord(1).

Method 2: Encrypt files separately.

Make a new directory containing links to your original files: 
$ cp -lr mydir newdir
In the new directory, encrypt each file, and remove the links to the unencrypted files: 
$ find newdir -type f -exec gpg -e '{}' ; -exec rm '{}' ;
Back up the new directory with the encrypted data: 
$ tar c newdir
Discussion
Method 1 produces a backup that may be considered fragile: one big encrypted file. If part of the backup gets corrupted, you might be unable to decrypt any of it.

Method 2 avoids this problem. The cp -l option creates hard links, which can only be used within a single filesystem. If you want the encrypted files on a separate filesystem, use symbolic links instead: 
$ cp -sr /full/path/to/mydir newdir

$ find newdir -type l -exec gpg -e '{}' ; -exec rm '{}' ;
Note that a full, absolute pathname must be used for the original directory in this case.

gpg does not preserve the owner, group, permissions, or modification times of the files. To retain this information in your backups, copy the attributes from the original files to the encrypted files, before the links to the original files are deleted: 
# find newdir -type f -exec gpg -e '{}' ; 

                      -exec chown --reference='{}' '{}.gpg' ;

                      -exec chmod --reference='{}' '{}.gpg' ;

                      -exec touch --reference='{}' '{}.gpg' ;

                          -exec rm '{}' ;
Method 2 and the CD-ROM variant of method 1 use disk space (at least temporarily) for the encrypted files.

See Also 
gpg(1), tar(1), find(1), cdrecord(1).
*Reprinted with the permission of the O'Reilly Network.


About the Author:
The Linux Security Cookbook includes real solutions to a wide range of targeted problems, such as sending encrypted email within Emacs, restricting access to network services at particular times of day, firewalling a webserver, preventing IP spoofing, setting up key-based SSH authentication, and much more. With over 150 ready-to-use scripts and configuration files, this unique book helps administrators secure their systems without having to look up specific syntax. cover


Read this newsletter at: http://www.securitypronews.com/2003/1013.html

Free Newsletters
Part of the iEntry Network
over 4 million subscribers
SecurityProNews
ITcertificationNews
LinuxProNews

Send me relevant info on products and services.

 

 

From the Forum:
The best Operating System?

What OS do you have installed?
Are you satisfied with it?
Why is it so special?

Click here

 

 

-- SecurityProNews is an iEntry, Inc. publication --
2003 iEntry, Inc.  All Rights Reserved  Privacy Policy  Legal

archives | advertising info | news headlines | free newsletters | comments/feedback | submit article