Tape Encryption


 
# 1  
Old 09-20-2018
Tape Encryption

Hi guys:
I've been trying to find information about how to encrypt a backup to tape (I'm using a couple of simple commands: tar, find | backup). I didn't find a real example of how to do that, just a couple of white papers and information about the methods that use the backup, policies, etc.

I also don't know if there's a free solution, and the solutions presented have the problem that I need an intermediate server (for example using TKM Tivoli Key Manager), so in the case of a real recovery I will need this server for the restoration. I don't want a complex solution: since I only have one tape drive (and one backup), I just need to encrypt one tape and have a simple way to restore it at another site (without the fear that if the tape is stolen, somebody could restore it).

Does a solution like that exist? Any recommendations will be welcome.

Thanks!
# 2  
Old 09-20-2018
Do you mean something like this?

Code:
tar cvf - /myOracleDB | gzip -c |openssl enc -aes-256-cbc -salt -pass file:/.my_secret_key >/dev/rmt1

# 3  
Old 09-21-2018
Make sure you have the secret key stored securely and you are able to recover that by another method, i.e. not from the tape you just encrypted it on to.

Don't laugh, but I've been on a recovery test where we had to connect back to the live servers to get the key. Not great seeing as we were pretending that we'd had an incident meaning all our live servers were dead.


Backup is one thing, but making sure you can restore is quite another - and rather useful to prove.



Robin
# 4  
Old 09-21-2018
Thanks for your suggestions guys. I found this alternative once and it works very well; the problem is that tar supports files under 2GB, and the filesystems backed up with restore are very, very big (some files more than 200GB). I did a test once with openssl and it simply doesn't work.

Also, since encryption adds time to encrypt using another tool, maybe it's time to consider something native like the IBM tape encryption solution or more.

Thanks anyway, I'd like to keep this post open and I'll be posting my progress.


Regards,
FerGo.
# 5  
Old 09-21-2018
You can try pax, the POSIX tar.
It still has restrictions regarding the length of a file name.
E.g. dirpath <= 150 characters and filepath <= 100 characters.
But no restrictions on UIDs or file size.
A comparison:

Create archive on stdin:
Code:
tar cf -
pax -w

List archive from stdin:
Code:
tar tf -
pax

Extract archive from stdin:
Code:
tar xf -
pax -r

A test run:
Code:
tar cf - /tmp | tar tf -
pax -w /tmp | pax

Code:
man pax

tells about these and more options.
This User Gave Thanks to MadeInGermany For This Post:
# 6  
Old 09-22-2018
Quote:
Originally Posted by AixExplorer
Thanks for your suggestions guys. I found this alternative once and it works very well; the problem is that tar supports files under 2GB, and the filesystems backed up with restore are very, very big (some files more than 200GB). I did a test once with openssl and it simply doesn't work.

Understood. But notice that in Neo's method every piece has a certain, distinct role:

Quote:
Originally Posted by Neo
Code:
tar cvf - /myOracleDB | gzip -c |openssl enc -aes-256-cbc -salt -pass file:/.my_secret_key >/dev/rmt1

Code:
tar cvf - /myOracleDB | gzip -c | openssl enc -aes-256-cbc -salt -pass file:/.my_secret_key >/dev/rmt1
---------------------   -------   --------------------------------------------------------- ----------
         |                 |                                 |                                  |
         |                 |                                 |                                  |
         |                 |                                 |                             redirects 
         |                 |                                 |                             this stream
         |                 |                                 |                             to tape
         |                 |                                 |                             instead of a
         |                 |                                 |                             file
         |                 |            further changes the data stream, now by
         |                 |            encrypting it
         |                 |            
         |              changes 
         |              the data
         |              stream by
         |              compressing
         |              it
         |
 creates a stream of
 data (the backup)

From this it follows that you just have to change the component which doesn't do its job according to specification - in this case the tar - and everything else can be left the same. Take any program that:

- can cope with 200GB-files
- doesn't create a file but can be told to write to stdout (like tar f -)

and you are good to plug that in instead of tar. pax, as suggested by MadeInGermany, is such a program, but you surely can find others too. This is why creating software in small, distinct pieces instead of one big kludge is such a great idea. If the process above had been done in one complex program, you could only take it or leave it completely. Now you just change the one component and are again ready to go.

I hope that helps.

bakunin
This User Gave Thanks to bakunin For This Post:
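
Added example (not from any poster in this thread): a restore drill for the pipeline discussed above, following Robin's point about fetching the key from somewhere other than the live host and bakunin's point that only the archiver stage needs swapping. A regular file stands in for /dev/rmt1; `ARCHIVER`, the function names, the paths and the `-pbkdf2` option (OpenSSL 1.1.1 or later) are assumptions that are not in the thread's command.

```sh
#!/bin/sh
# Added example, not from the thread. TAPE is a plain file standing in for
# /dev/rmt1; ARCHIVER, the function names and all paths are constructed.
ARCHIVER=${ARCHIVER:-tar}    # ARCHIVER=pax swaps only the first stage

write_archive() {            # write_archive DIR: archive DIR to stdout
    if [ "$ARCHIVER" = pax ]; then (cd "$1" && pax -w .)
    else (cd "$1" && tar cf - .); fi
}

read_archive() {             # read_archive DIR: extract stdin into DIR
    if [ "$ARCHIVER" = pax ]; then (cd "$1" && pax -r)
    else (cd "$1" && tar xf -); fi
}
# encrypt_backup SRC KEYFILE TAPE
# -pbkdf2 (OpenSSL 1.1.1 or later) is an addition to the thread's command.
encrypt_backup() {
    write_archive "$1" | gzip -c |
        openssl enc -aes-256-cbc -salt -pbkdf2 -pass "file:$2" >"$3"
}

# restore_drill SRC KEYFILE TAPE: restore using only KEYFILE; succeed only
# if the restored tree equals SRC. Pipeline exit codes are not trusted.
restore_drill() {
    dest=$(mktemp -d) || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" <"$3" 2>/dev/null |
        gzip -dc 2>/dev/null | read_archive "$dest" 2>/dev/null || true
    if diff -r "$1" "$dest" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$dest"
    return "$rc"
}

demo() {                     # constructed data, keys and directories
    work=$(mktemp -d) || return 1
    mkdir "$work/live" "$work/live/data" "$work/offsite"
    echo "constructed sample row" >"$work/live/data/db.dat"
    openssl rand -hex 32 >"$work/live/key"       # key on the live host
    cp "$work/live/key" "$work/offsite/key"      # copy kept at the other site
    openssl rand -hex 32 >"$work/offsite/stale"  # a key that does not match
    encrypt_backup "$work/live/data" "$work/live/key" "$work/tape"
    if restore_drill "$work/live/data" "$work/offsite/key" "$work/tape"
    then good=pass; else good=FAIL; fi
    if restore_drill "$work/live/data" "$work/offsite/stale" "$work/tape"
    then bad=RESTORED; else bad=mismatch; fi
    rm -rf "$work"
    echo "offsite key: $good; stale key: $bad"
    [ "$good" = pass ] && [ "$bad" = mismatch ]
}
demo
```

`openssl enc` in CBC mode does not authenticate the ciphertext, which is why the drill compares the restored tree with the source instead of relying on exit codes.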