phetherington
asked on
Encrypt/Decrypt using OpenSSL on Linux
I am trying to setup scripts to encrypt a backup in a tarball to a tape drive and then read the tape and/or restore the data and I am getting errors.
I am running under Ubuntu Server 6.06 and using OpenSSL version 0.9.8a. I am logged in as root user.
I created a script with the following command to backup data to tape:
tar cvf - -T $FILELIST | openssl enc -aes-256-cbc -salt -pass pass:A1b2C3d4E5f6 | dd of=/dev/st0 obs=512 conv=sync
note $FILELIST is location of file containg what is to be backed up
I created a script with the following command to read the contents of the backup tape:
dd if=/dev/st0 | openssl enc -d -aes-256-cbc -pass pass:A1b2C3d4E5f6 | tar tvf -
I created a script with the following command to restore the contents of the backup tape:
dd if=/dev/st0 | openssl enc -d -aes-256-cbc -pass pass:123456 | tar xvf -
The backup runs without any errors.
If I run the tape read or tape restore scripts, the process runs and either displays all the files that were backup or restores all the files correctly, but gives me the following error:
bad decrypt 9670:error:06065064:digita
Everything seems to have worked correctly but I receive the error each time. I have tried this just using the encryption directly to a file without the tape drive and there is not error on read or restore. It seems to be a tape issue. Is it possible that it is trying to decrypt a block at the end of the tapes that are not really part of the tar?
Any help is appreciated.
I am running under Ubuntu Server 6.06 and using OpenSSL version 0.9.8a. I am logged in as root user.
I created a script with the following command to backup data to tape:
tar cvf - -T $FILELIST | openssl enc -aes-256-cbc -salt -pass pass:A1b2C3d4E5f6 | dd of=/dev/st0 obs=512 conv=sync
note $FILELIST is location of file containg what is to be backed up
I created a script with the following command to read the contents of the backup tape:
dd if=/dev/st0 | openssl enc -d -aes-256-cbc -pass pass:A1b2C3d4E5f6 | tar tvf -
I created a script with the following command to restore the contents of the backup tape:
dd if=/dev/st0 | openssl enc -d -aes-256-cbc -pass pass:123456 | tar xvf -
The backup runs without any errors.
If I run the tape read or tape restore scripts, the process runs and either displays all the files that were backup or restores all the files correctly, but gives me the following error:
bad decrypt 9670:error:06065064:digita
Everything seems to have worked correctly but I receive the error each time. I have tried this just using the encryption directly to a file without the tape drive and there is not error on read or restore. It seems to be a tape issue. Is it possible that it is trying to decrypt a block at the end of the tapes that are not really part of the tar?
Any help is appreciated.
You might consider looking at bacula
http://www.bacula.org/en/dev-manual/main/main/Data_Encryption.html
http://www.bacula.org/en/dev-manual/main/main/Data_Encryption.html
did your try with ibs=512 option for dd?
ASKER
Duncan_Roe: I need to use tapes as the backup needs to be taken off site for storage and I need a 14 day rotation of backups. Using the --use-compress-program would require another program to be installed and this can not be done (See answer to ArneLovius)
ArneLovius: This server is provided by a service company and we are not allowed to install any programs other than what is already loaded on the server. This means after checking what was loaded, I was pretty much limited to tar | openSSL | dd. If this wasn't the case, I would have definitely looked at other software specifically designed for tape backups.
ahoffmann: tried using the ibs=512 on the dd command but instead of receiving the error at the end of the process, it would give the error "7723:error:06065064:digita
Thanks for the suggestions. Starting to think that there may be no way to get rid of the final error and will just need to ignore it...
ArneLovius: This server is provided by a service company and we are not allowed to install any programs other than what is already loaded on the server. This means after checking what was loaded, I was pretty much limited to tar | openSSL | dd. If this wasn't the case, I would have definitely looked at other software specifically designed for tape backups.
ahoffmann: tried using the ibs=512 on the dd command but instead of receiving the error at the end of the process, it would give the error "7723:error:06065064:digita
Thanks for the suggestions. Starting to think that there may be no way to get rid of the final error and will just need to ignore it...
quote from openssl's enc man-page:
If padding is disabled then the input data must be a multiple of the cipher block length.
hence I assume that using -nopad will only change the error message
I had also padding in mind when I suggested the ibs= option
looking at the quote (see above) I think that the stream length must be a multiple of the cipher block length, this means that the a proper padding must be computed before encrypting and added to the stream
@phetherington, can you compute the length of the data first?
If padding is disabled then the input data must be a multiple of the cipher block length.
hence I assume that using -nopad will only change the error message
I had also padding in mind when I suggested the ibs= option
looking at the quote (see above) I think that the stream length must be a multiple of the cipher block length, this means that the a proper padding must be computed before encrypting and added to the stream
@phetherington, can you compute the length of the data first?
It seemed to work for somebody else
http://serverfault.com/questions/326658/encrypt-tape-files-with-openssl-and-tar
http://serverfault.com/questions/326658/encrypt-tape-files-with-openssl-and-tar
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
> ... but we needed the security of aes
why is aes better than rc4, in your opinion?
why is aes better than rc4, in your opinion?
ASKER
I am not going to get in to a this is better then that debate as that is not the issue I brought to the table. The Client stated that that was the encryption method that they wanted and that's what I needed to deliver.
At this point I think the question has no real answer and since the restore actually does complete correctly even though the error appears at the end, I am going to consider this a closed issue.
At this point I think the question has no real answer and since the restore actually does complete correctly even though the error appears at the end, I am going to consider this a closed issue.
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for phetherington's comment #a38942318
for the following reason:
As stated, there does not seem to be a real answer to this issue using a tape and the actual backup and restore are correctly running even though it kicks out the error at the end of the process.
Accepted answer: 0 points for phetherington's comment #a38942318
for the following reason:
As stated, there does not seem to be a real answer to this issue using a tape and the actual backup and restore are correctly running even though it kicks out the error at the end of the process.
I would suggest that 38836755 should be marked as the answer
If sticking with tapes, you might like to try tar's --use-compress-program option to run openssl enc. You would need to do it through a script which accepts -d to decrypt, because that is what tar gives to compressors to decompress. Then there is no need to write fixed-length tape blocks with dd.