Solved

Encrypt/Decrypt using OpenSSL on Linux

Posted on 2013-01-23
1,752 Views
Last Modified: 2013-03-06
I am trying to setup scripts to encrypt a backup in a tarball to a tape drive and then read the tape and/or restore the data and I am getting errors.

I am running under Ubuntu Server 6.06 and using OpenSSL version 0.9.8a.  I am logged in as root user.

I created a script with the following command to backup data to tape:
tar cvf - -T $FILELIST | openssl enc -aes-256-cbc -salt -pass pass:A1b2C3d4E5f6 | dd of=/dev/st0 obs=512 conv=sync

note: $FILELIST is the location of the file containing what is to be backed up


I created a script with the following command to read the contents of the backup tape:
dd if=/dev/st0 | openssl enc -d -aes-256-cbc -pass pass:A1b2C3d4E5f6 | tar tvf -

I created a script with the following command to restore the contents of the backup tape:
dd if=/dev/st0 | openssl enc -d -aes-256-cbc -pass pass:123456 | tar xvf -

The backup runs without any errors.

If I run the tape read or tape restore scripts, the process runs and either displays all the files that were backed up or restores all the files correctly, but gives me the following error:

bad decrypt 9670:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:454:

Everything seems to have worked correctly but I receive the error each time.  I have tried this just using the encryption directly to a file without the tape drive and there is no error on read or restore.  It seems to be a tape issue.  Is it possible that it is trying to decrypt a block at the end of the tape that is not really part of the tar?

Any help is appreciated.
Question by:phetherington
LVL 35

Expert Comment

by:Duncan Roe
ID: 38813723
Yes it seems likely. Tapes are a pain - I used them for years but backup to USB HDD now - cheaper per gigabyte and soooooo much more convenient (except when it spins down).
If sticking with tapes, you might like to try tar's --use-compress-program option to run openssl enc. You would need to do it through a script which accepts -d to decrypt, because that is what tar gives to compressors to decompress. Then there is no need to write fixed-length tape blocks with dd.
LVL 37

Expert Comment

by:ArneLovius
ID: 38815401
LVL 51

Expert Comment

by:ahoffmann
ID: 38816613
did you try with the ibs=512 option for dd?
LVL 1

Author Comment

by:phetherington
ID: 38818334
Duncan_Roe: I need to use tapes as the backup needs to be taken off site for storage and I need a 14 day rotation of backups.  Using the --use-compress-program would require another program to be installed and this cannot be done (See answer to ArneLovius)

ArneLovius: This server is provided by a service company and we are not allowed to install any programs other than what is already loaded on the server.  This means after checking what was loaded, I was pretty much limited to tar | openSSL | dd.  If this wasn't the case, I would have definitely looked at other software specifically designed for tape backups.

ahoffmann:  tried using the ibs=512 on the dd command but instead of receiving the error at the end of the process, it would give the error "7723:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:" after each block read in and then finally give the error "gzip: stdin: decompression OK, trailing garbage ignored, tar: Child returned status 2, tar: Error exit delayed from previous errors" at the end.

Thanks for the suggestions.  Starting to think that there may be no way to get rid of the final error and will just need to ignore it...
LVL 37

Expert Comment

by:ArneLovius
ID: 38819088
Try adding the "-nopad" option to your backup command.

http://www.openssl.org/docs/apps/enc.html
LVL 51

Expert Comment

by:ahoffmann
ID: 38820122
quote from openssl's enc man-page:
    If padding is disabled then the input data must be a multiple of the cipher block length.

hence I assume that using -nopad will only change the error message

I also had padding in mind when I suggested the ibs= option

looking at the quote (see above) I think that the stream length must be a multiple of the cipher block length, this means that proper padding must be computed before encrypting and added to the stream

@phetherington, can you compute the length of the data first?
LVL 37

Expert Comment

by:ArneLovius
ID: 38820581
LVL 1

Accepted Solution

by:
phetherington earned 2000 total points
ID: 38836755
ArneLovius and ahoffmann, I did try the -nopad and as stated, it actually caused more errors after each block read in.  The link provided by ArneLovius talked about adding the -nopad working, but it did not work for me on two different machines.  Switching to the rc4 streaming cipher seemed to work for them but we needed the security of aes.  I am starting to think it is not so much a problem as everything lists/decrypts correctly, you are just left with the error at the end due to it trying to decrypt the tail block of the tape.
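The tail-block explanation in the accepted solution can be reproduced without a tape drive, and avoided on the write side by making the ciphertext an exact multiple of the 512-byte record so that dd's conv=sync has nothing to pad. This is an added example, not code from the thread; it assumes openssl, dd, head, tr, cmp and mktemp are on PATH, uses a constructed 1024-byte payload in place of the tar stream, and uses a placeholder passphrase.

```shell
# Added example (not from the thread): reproduce the "bad decrypt" caused by
# dd conv=sync, then show a write-side fix. Assumes openssl, dd, head, tr, cmp
# and mktemp; the passphrase is a constructed placeholder.
set -e
PASS='pass:PLACEHOLDER-passphrase'
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed stand-in for the tar stream: 1024 bytes of 'A'.
head -c 1024 /dev/zero | tr '\0' 'A' > "$WORK/plain"
PLAIN_LEN=$(( $(wc -c < "$WORK/plain") ))

# The backup pipeline from the question. conv=sync pads the final short read
# up to a full 512-byte record with NUL bytes, so the "tape" holds the
# ciphertext followed by NULs that openssl will later treat as AES blocks.
tape_write() {   # $1 = file to encrypt, $2 = tape image
  openssl enc -aes-256-cbc -salt -pass "$PASS" -in "$1" \
    | dd of="$2" obs=512 conv=sync 2>/dev/null
}

# The restore pipeline from the question. Everything before the last block is
# decrypted and written out; the NUL tail decrypts to garbage, the PKCS#7
# padding check in EVP_DecryptFinal fails, and openssl exits non-zero.
tape_read() {    # $1 = tape image, $2 = output file; returns openssl's status
  dd if="$1" 2>/dev/null \
    | openssl enc -d -aes-256-cbc -pass "$PASS" -out "$2" 2>/dev/null
}

# Write-side fix: append zero filler so that plaintext+filler is 480 mod 512.
# openssl then emits 16-byte "Salted__" header + data + a full 16-byte PKCS#7
# pad, an exact multiple of 512, and dd has nothing left to pad. tar stops at
# its end-of-archive marker, so the trailing zeros are never interpreted.
filler_len() {   # $1 = plaintext length in bytes; prints bytes to append
  echo $(( (480 - $1 % 512 + 512) % 512 ))
}
tape_write_aligned() {   # $1 = file to encrypt, $2 = tape image
  { cat "$1"; head -c "$(filler_len "$(wc -c < "$1")")" /dev/zero; } \
    | openssl enc -aes-256-cbc -salt -pass "$PASS" \
    | dd of="$2" obs=512 conv=sync 2>/dev/null
}

# Returns 0 when the naive read fails yet keeps the data, and the aligned read decrypts cleanly.
run_demo() {
  tape_write "$WORK/plain" "$WORK/tape1.img"
  tape_read "$WORK/tape1.img" "$WORK/out1" && return 1     # expect bad decrypt
  head -c "$PLAIN_LEN" "$WORK/out1" | cmp -s - "$WORK/plain" || return 1
  tape_write_aligned "$WORK/plain" "$WORK/tape2.img"
  tape_read "$WORK/tape2.img" "$WORK/out2" || return 1     # clean exit now
  head -c "$PLAIN_LEN" "$WORK/out2" | cmp -s - "$WORK/plain"
}
```

Run it with sh and call run_demo; on a real tape the same filler goes between tar and openssl in the backup script, and the read and restore scripts stay as they are.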
LVL 51

Expert Comment

by:ahoffmann
ID: 38837120
> ... but we needed the security of aes
why is aes better than rc4, in your opinion?
LVL 1

Author Comment

by:phetherington
ID: 38942318
I am not going to get into a "this is better than that" debate as that is not the issue I brought to the table.  The Client stated that that was the encryption method that they wanted and that's what I needed to deliver.

At this point I think the question has no real answer and since the restore actually does complete correctly even though the error appears at the end, I am going to consider this a closed issue.
LVL 1

Author Comment

by:phetherington
ID: 38942359
I've requested that this question be closed as follows:

Accepted answer: 0 points for phetherington's comment #a38942318

for the following reason:

As stated, there does not seem to be a real answer to this issue using a tape and the actual backup and restore are correctly running even though it kicks out the error at the end of the process.
LVL 37

Expert Comment

by:ArneLovius
ID: 38942360
I would suggest that 38836755 should be marked as the answer