  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1803

Encrypt/Decrypt using OpenSSL on Linux

I am trying to set up scripts to encrypt a backup in a tarball to a tape drive and then read the tape and/or restore the data, and I am getting errors.

I am running under Ubuntu Server 6.06 and using OpenSSL version 0.9.8a.  I am logged in as root user.

I created a script with the following command to backup data to tape:
tar cvf - -T $FILELIST | openssl enc -aes-256-cbc -salt -pass pass:A1b2C3d4E5f6 | dd of=/dev/st0 obs=512 conv=sync

Note: $FILELIST is the location of the file containing what is to be backed up.

I created a script with the following command to read the contents of the backup tape:
dd if=/dev/st0 | openssl enc -d -aes-256-cbc -pass pass:A1b2C3d4E5f6 | tar tvf -

I created a script with the following command to restore the contents of the backup tape:
dd if=/dev/st0 | openssl enc -d -aes-256-cbc -pass pass:123456 | tar xvf -

The backup runs without any errors.

If I run the tape read or tape restore scripts, the process runs and either displays all the files that were backed up or restores all the files correctly, but gives me the following error:

bad decrypt 9670:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:454:

Everything seems to have worked correctly but I receive the error each time.  I have tried this just using the encryption directly to a file without the tape drive and there is no error on read or restore.  It seems to be a tape issue.  Is it possible that it is trying to decrypt a block at the end of the tape that is not really part of the tar?

Any help is appreciated.
Asked by phetherington
1 Solution

Duncan Roe (Software Developer) commented:
Yes it seems likely. Tapes are a pain - I used them for years but backup to USB HDD now - cheaper per gigabyte and soooooo much more convenient (except when it spins down).
If sticking with tapes, you might like to try tar's --use-compress-program option to run openssl enc. You would need to do it through a script which accepts -d to decrypt, because that is what tar gives to compressors to decompress. Then there is no need to write fixed-length tape blocks with dd.
ahoffmann commented:
did you try the ibs=512 option for dd?
phetherington (Author) commented:
Duncan_Roe: I need to use tapes as the backup needs to be taken off site for storage and I need a 14 day rotation of backups.  Using the --use-compress-program would require another program to be installed and this can not be done (See answer to ArneLovius)

ArneLovius: This server is provided by a service company and we are not allowed to install any programs other than what is already loaded on the server.  This means after checking what was loaded, I was pretty much limited to tar | openSSL | dd.  If this wasn't the case, I would have definitely looked at other software specifically designed for tape backups.

ahoffmann:  tried using the ibs=512 on the dd command but instead of receiving the error at the end of the process, it would give the error "7723:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:" after each block read in and then finally give the error "gzip: stdin: decompression OK, trailing garbage ignored, tar: Child returned status 2, tar: Error exit delayed from previous errors" at the end.

Thanks for the suggestions.  Starting to think that there may be no way to get rid of the final error and will just need to ignore it...

ArneLovius commented:
Try adding the "-nopad" option to your backup command.

http://www.openssl.org/docs/apps/enc.html

ahoffmann commented:
quote from openssl's enc man-page:
    If padding is disabled then the input data must be a multiple of the cipher block length.

hence I assume that using -nopad will only change the error message

I also had padding in mind when I suggested the ibs= option

looking at the quote (see above) I think that the stream length must be a multiple of the cipher block length; this means that a proper padding must be computed before encrypting and added to the stream

@phetherington, can you compute the length of the data first?
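The mechanism the thread converges on, shown as an added example (not code from the thread or its participants): a file stands in for /dev/st0, the question's pipeline is reproduced so the trailing garbage and the failing padding check can be seen, and then the "compute the length first" approach ahoffmann suggests is carried through with a 512-byte header block. The passphrase, sample data and file names are constructed; only tar, openssl, dd, head, tr and cmp are used.

```shell
#!/bin/sh
# Added demonstration, not from the thread. A file stands in for /dev/st0 so the
# "bad decrypt" can be reproduced offline; then a 512-byte length header (the
# "compute the length first" idea) lets the restore side cut the stream before
# the NUL padding that dd conv=sync appended. Passphrase and data are constructed.
set -e
WORK=$(mktemp -d)
PASS="$WORK/pass.txt"                 # -pass file: keeps the passphrase out of ps output
printf 'A1b2C3d4E5f6\n' > "$PASS"
mkdir "$WORK/src"; printf 'hello tape\n' > "$WORK/src/a.txt"
# On OpenSSL 1.1.1 and later add -pbkdf2 to both commands; the 0.9.8a in the question lacks it.
enc() { openssl enc -aes-256-cbc -salt -pass "file:$PASS"; }
dec() { openssl enc -d -aes-256-cbc -pass "file:$PASS"; }

# Backup as in the question; the archive is kept so the restores can be compared.
# The ciphertext is not a multiple of 512, so conv=sync pads the last block with NULs.
tar cf - -C "$WORK/src" . > "$WORK/orig.tar"
enc < "$WORK/orig.tar" > "$WORK/ct.bin"
dd if="$WORK/ct.bin" of="$WORK/tape1.img" obs=512 conv=sync 2>/dev/null

# Restore as in the question: the archive comes back intact, then the NUL blocks
# decrypt to garbage, and the final block almost never carries valid PKCS#7
# padding, hence "bad decrypt" after everything has already been written.
naive_restore() {
  if dd if="$WORK/tape1.img" 2>/dev/null | dec > "$WORK/naive.out" 2>/dev/null
  then echo ok; else echo baddecrypt; fi
}
naive_extra_bytes() { echo $(( $(wc -c < "$WORK/naive.out") - $(wc -c < "$WORK/orig.tar") )); }

# Fix: write the exact ciphertext length in its own 512-byte block ahead of the data.
LEN=$(( $(wc -c < "$WORK/ct.bin") ))
{ printf '%s' "$LEN" | dd obs=512 conv=sync 2>/dev/null; cat "$WORK/ct.bin"; } > "$WORK/image.bin"
dd if="$WORK/image.bin" of="$WORK/tape2.img" obs=512 conv=sync 2>/dev/null

# Restore: read the header, skip it, and stop exactly where the ciphertext ends.
fixed_restore() {
  len=$(dd if="$WORK/tape2.img" bs=512 count=1 2>/dev/null | tr -d '\000')
  dd if="$WORK/tape2.img" bs=512 skip=1 2>/dev/null | head -c "$len" > "$WORK/ct2.bin"
  if dec < "$WORK/ct2.bin" > "$WORK/fixed.tar" 2>/dev/null; then echo ok; else echo baddecrypt; fi
}
fixed_matches() { cmp -s "$WORK/orig.tar" "$WORK/fixed.tar" && echo yes || echo no; }

echo "as in the question: $(naive_restore), $(naive_extra_bytes) bytes of garbage after the archive"
echo "with length header: $(fixed_restore), archive identical: $(fixed_matches)"
```

conv=sync pads every short read to ibs, and reads from a pipe can come back short before the end of the stream, so on a pipeline like the question's GNU dd's iflag=fullblock is the safer companion to conv=sync.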
phetherington (Author) commented:
ArneLovius and ahoffmann, I did try the -nopad and as stated, it actually caused more errors after each block read in.  The link provided by ArneLovius talked about adding the -nopad working, but it did not work for me on two different machines.  Switching to the rc4 streaming cipher seemed to work for them but we needed the security of aes.  I am starting to think it is not so much a problem as everything lists/decrypts correctly; you are just left with the error at the end due to it trying to decrypt the tail block of the tape.

ahoffmann commented:
> ... but we needed the security of aes
why is aes better than rc4, in your opinion?

phetherington (Author) commented:
I am not going to get into a "this is better than that" debate, as that is not the issue I brought to the table.  The Client stated that that was the encryption method that they wanted and that's what I needed to deliver.

At this point I think the question has no real answer and since the restore actually does complete correctly even though the error appears at the end, I am going to consider this a closed issue.

phetherington (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for phetherington's comment #a38942318

for the following reason:

As stated, there does not seem to be a real answer to this issue using a tape and the actual backup and restore are correctly running even though it kicks out the error at the end of the process.

ArneLovius commented:
I would suggest that 38836755 should be marked as the answer