Tape Encryption

Tags
aix, backup, encryption, tape

 
# 1  
Old 09-20-2018
Tape Encryption

Hi guys:
I've been trying to find information about how to encrypt a backup to tape (I'm using a couple of simple commands: tar, find | backup). I didn't find a real example of how to do that, just a couple of white papers and information about the methods that use the backup, policies, etc.

I also don't know if there's a no-cost solution, and the solutions presented have the problem that I need an intermediate server (for example using TKM Tivoli Key Manager), so in the case of a real recovery I will need this server for restoration. I don't want a complex solution: since I only have one tape drive (and one backup), I just need to encrypt one tape and have a simple solution to restore it at another site (without the fear that if the tape is stolen, somebody could restore it).

Does a solution like that exist? Any recommendations will be welcome.

Thanks!
# 2  
Old 09-20-2018
Do you mean something like this?

Code:
tar cvf - /myOracleDB | gzip -c |openssl enc -aes-256-cbc -salt -pass file:/.my_secret_key >/dev/rmt1

# 3  
Old 09-21-2018
Make sure you have the secret key stored securely and you are able to recover that by another method, i.e. not from the tape you just encrypted it on to.

Don't laugh, but I've been on a recovery test where we had to connect back to the live servers to get the key. Not great seeing as we were pretending that we'd had an incident meaning all our live servers were dead.


Backup is one thing, but making sure you can restore is quite another - and rather useful to prove.



Robin
# 4  
Old 09-21-2018
Thanks for your suggestions guys. I found this alternative once and it works very well; the problem is that tar supports files under 2GB, and the filesystems backed up with restore are very, very big (some files more than 200GB). I did a test once with openssl and it simply doesn't work.

Also, since encrypting with another tool adds time, maybe it's time to consider something native like the IBM tape encryption solution or more.

Thanks anyway. I'd like to keep this post open and I'll be posting my progress.


Regards,
FerGo.
# 5  
Old 09-21-2018
You can try pax, the POSIX tar.
It still has restrictions regarding the length of a file name.
E.g. dirpath <= 150 characters and filepath <= 100 characters.
But no restrictions on UIDs or file size.
A comparison:

Create archive on stdin:
Code:
tar cf -
pax -w

List archive from stdin:
Code:
tar tf -
pax

Extract archive from stdin:
Code:
tar xf -
pax -r

A test run:
Code:
tar cf - /tmp | tar tf -
pax -w /tmp | pax

Code:
man pax

tells about these and more options.
This User Gave Thanks to MadeInGermany For This Post:
rbatte1 (09-25-2018)
# 6  
Old 09-22-2018
Quote:
Originally Posted by AixExplorer
Thanks for your suggestions guys. I found this alternative once and it works very well; the problem is that tar supports files under 2GB, and the filesystems backed up with restore are very, very big (some files more than 200GB). I did a test once with openssl and it simply doesn't work.
Understood. But notice that in Neo's method every piece has a certain, distinct role:

Quote:
Originally Posted by Neo
Code:
tar cvf - /myOracleDB | gzip -c |openssl enc -aes-256-cbc -salt -pass file:/.my_secret_key >/dev/rmt1

Code:
tar cvf - /myOracleDB | gzip -c | openssl enc -aes-256-cbc -salt -pass file:/.my_secret_key >/dev/rmt1
---------------------   -------   --------------------------------------------------------- ----------
         |                 |                                 |                                  |
         |                 |                                 |                                  |
         |                 |                                 |                             redirects 
         |                 |                                 |                             this stream
         |                 |                                 |                             to tape
         |                 |                                 |                             instead of a
         |                 |                                 |                             file
         |                 |            further changes the data stream, now by            
         |                 |            encrypting it
         |                 |            
         |              changes 
         |              the data
         |              stream by
         |              compressing
         |              it
         |
 creates a stream of
 data (the backup)

From this it follows that you just have to change the component which doesn't do its job according to specification - in this case the tar - and everything else can be left the same. Take any program that:

- can cope with 200GB-files
- doesn't create a file but can be told to write to stdout (like tar f -)

and you are good to plug that in instead of tar. pax, as suggested by MadeInGermany, is such a program, but you surely can find others too. This is why creating software in small, distinct pieces instead of one big kludge is such a great idea. If the process above had been done in one complex program, you could only take that or leave it completely. Now you just change the one component and are ready to go again.

I hope that helps.

bakunin
This User Gave Thanks to bakunin For This Post:
rbatte1 (09-25-2018)
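
The pipeline from posts #2 and #6 together with its restore side and the restore test asked for in post #3, as an added example that is not part of the original thread. Assumptions: a regular file stands in for /dev/rmt1, the function and variable names are hypothetical, and `-md sha256` is pinned although the thread's command does not use it.

```shell
#!/bin/sh
# Added example, not code from the thread. A regular file stands in for the
# tape device (/dev/rmt1 in the thread); all paths and data are constructed.

# The archiver is the swappable stage: set AR_WRITE="pax -w" AR_READ="pax -r"
# for files too large for tar, as posts #5 and #6 suggest.
AR_WRITE=${AR_WRITE:-"tar cf -"}
AR_READ=${AR_READ:-"tar xf -"}
# Assumption: -md sha256 is pinned (it is not in the thread's command) because
# the default digest of "openssl enc" differs between OpenSSL releases, and
# the restore site may run a different release than the backup host.
ENC_OPTS="-aes-256-cbc -salt -md sha256"

# encrypt_backup SRC_DIR KEYFILE DEST: archive | compress | encrypt > DEST
encrypt_backup() {
    (cd "$1" && $AR_WRITE .) | gzip -c |
        openssl enc $ENC_OPTS -pass "file:$2" > "$3"
}

# restore_backup KEYFILE SRC DEST_DIR: the same stages in reverse order
restore_backup() {
    mkdir -p "$3" || return 1
    openssl enc -d $ENC_OPTS -pass "file:$1" < "$2" 2>/dev/null |
        gzip -dc 2>/dev/null | (cd "$3" && $AR_READ 2>/dev/null)
}

# restore_drill [KEYFILE]: back up constructed data, restore it with the given
# copy of the key (default: the key used for the backup) and succeed only if
# the restored tree is identical to the source. Exit codes of the pipeline
# are not trusted on their own; the comparison is the proof.
restore_drill() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src" && printf 'constructed sample row\n' > "$work/src/data.txt"
    printf 'constructed-passphrase\n' > "$work/backup.key"
    encrypt_backup "$work/src" "$work/backup.key" "$work/tape.img" &&
        restore_backup "${1:-$work/backup.key}" "$work/tape.img" "$work/restored" &&
        diff -r "$work/src" "$work/restored" >/dev/null 2>&1
    rc=$?
    rm -rf "$work"
    return $rc
}
```

For a real drill, pass `restore_drill` the copy of the key that is kept away from both the tape and the live servers, and run it on the recovery host.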
