Tape Encryption


# 1  
Tape Encryption

Hi guys:
I've been trying to find information about how to encrypt a backup to tape (I'm using a couple of simple commands: tar, find | backup), I didn't find a real example of how to do that, just a couple of white papers and information about the methods that use the backup, policies, etc.

I also don't know if there's a no-cost solution, and the solutions presented have the problem that I need an intermediate server (for example using TKM Tivoli Key Manager), so in the case of a real recovery I will need this server for restoration. I don't want a complex solution, since I only have one tape drive (and one backup); I just need to encrypt one tape and have a simple solution to restore it at another site (without the fear that if the tape is stolen, somebody could restore it).

Does a solution like that exist? Any recommendations will be welcome.

Thanks!
# 2  
Do you mean something like this?

Code:
tar cvf - /myOracleDB | gzip -c |openssl enc -aes-256-cbc -salt -pass file:/.my_secret_key >/dev/rmt1

# 3  
Make sure you have the secret key stored securely and you are able to recover that by another method, i.e. not from the tape you just encrypted it on to.

Don't laugh, but I've been on a recovery test where we had to connect back to the live servers to get the key. Not great seeing as we were pretending that we'd had an incident meaning all our live servers were dead.


Backup is one thing, but making sure you can restore is quite another - and rather useful to prove.



Robin
# 4  
Thanks for your suggestions guys, I found this alternative once and it works very well; the problem is that tar supports files under 2GB, and the filesystems backed up with restore are very, very big (some files are more than 200GB). I did a test once with openssl and it simply doesn't work.

Also, since encrypting with another tool adds time, maybe it's time to consider something native like the IBM tape encryption solution or more.

Thanks anyway, I'd like to keep this post open and I'll be posting my progress.


Regards,
FerGo.
# 5  
You can try pax, the POSIX tar.
It still has restrictions regarding the length of a file name.
E.g. dirpath <= 150 characters and filepath <= 100 characters.
But no restrictions on UIDs or file size.
A comparison:

Create archive on stdin:
Code:
tar cf -
pax -w

List archive from stdin:
Code:
tar tf -
pax

Extract archive from stdin:
Code:
tar xf -
pax -r

A test run:
Code:
tar cf - /tmp | tar tf -
pax -w /tmp | pax

Code:
man pax

tells about these and more options.
# 6  
Quote:
Originally Posted by AixExplorer
Thanks for your suggestions guys, I found this alternative once and it works very well; the problem is that tar supports files under 2GB, and the filesystems backed up with restore are very, very big (some files are more than 200GB). I did a test once with openssl and it simply doesn't work.

Understood. But notice that in Neo's method every piece has a certain, distinct role:

Quote:
Originally Posted by Neo
Code:
tar cvf - /myOracleDB | gzip -c |openssl enc -aes-256-cbc -salt -pass file:/.my_secret_key >/dev/rmt1

Code:
tar cvf - /myOracleDB | gzip -c | openssl enc -aes-256-cbc -salt -pass file:/.my_secret_key >/dev/rmt1
---------------------   -------   --------------------------------------------------------- ----------
         |                 |                                 |                                  |
         |                 |                                 |                                  |
         |                 |                                 |                             redirects 
         |                 |                                 |                             this stream
         |                 |                                 |                             to tape
         |                 |                                 |                             instead of a
         |                 |                                 |                             file
         |                 |            further changes the data stream, now by            
         |                 |            encrypting it
         |                 |            
         |              changes 
         |              the data
         |              stream by
         |              compressing
         |              it
         |
 creates a stream of
 data (the backup)

From this it follows that you just have to change the component which doesn't do its job according to specification - in this case the tar - and everything else can be left the same. Take any program that:

- can cope with 200GB-files
- doesn't create a file but can be told to write to stdout (like tar f -)

and you are good to plug that in instead of tar. pax, as suggested by MadeInGermany, is such a program, but you surely can find others too. This is why creating software in small, distinct pieces instead of one big kludge is such a great idea. If the process above had been done in one complex program, you could either take that or leave it completely. Now you just change the one component and are again ready to go.

I hope that helps.

bakunin
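
The pipeline from this thread with the archiver as a replaceable stage (pax or tar), together with the restore test recommended in post #3, as an added example that is not part of any poster's message. The function names, the ARCHIVER variable, archiving relative to the source directory and the scratch-directory comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. The archiver is the one swappable stage;
# gzip and the openssl options are the ones from the posted command.
# Assumption: paths are stored relative to the source directory so a restore
# can go anywhere; the tape argument can be /dev/rmt1 or a plain file.
ARCHIVER=${ARCHIVER:-pax}          # "pax" or "tar"
ENC_OPTS="-aes-256-cbc -salt"      # OpenSSL 1.1.1+ also accepts -pbkdf2 here

archive_out() {                    # $1 = source dir; archive goes to stdout
    case "$ARCHIVER" in
        pax) (cd "$1" && pax -w .) ;;
        tar) (cd "$1" && tar cf - .) ;;
        *)   echo "unknown archiver: $ARCHIVER" >&2; return 2 ;;
    esac
}

archive_in() {                     # $1 = target dir; archive comes from stdin
    case "$ARCHIVER" in
        pax) (cd "$1" && pax -r) ;;
        tar) (cd "$1" && tar xf -) ;;
        *)   echo "unknown archiver: $ARCHIVER" >&2; return 2 ;;
    esac
}

backup_to_tape() {                 # $1 = source dir, $2 = key file, $3 = tape
    # ENC_OPTS is left unquoted on purpose so it splits into separate options.
    archive_out "$1" | gzip -c | openssl enc $ENC_OPTS -pass "file:$2" > "$3"
}

restore_from_tape() {              # $1 = tape, $2 = key file, $3 = target dir
    openssl enc -d $ENC_OPTS -pass "file:$2" < "$1" | gzip -dc | archive_in "$3"
}

# Restore into a scratch directory using only the tape and a copy of the key,
# then compare with the source. The pipeline's exit status is not trusted on
# its own: it reports only the last stage, so the restored files are checked.
restore_test() {                   # $1 = source dir, $2 = tape, $3 = key file
    scratch=$(mktemp -d) || return 1
    restore_from_tape "$2" "$3" "$scratch"
    diff -r "$1" "$scratch" >/dev/null
    rc=$?
    rm -rf "$scratch"
    return $rc
}
```

For the drill to mean anything, the key file passed to restore_test should be the copy kept away from the tape and the live servers.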