Solved

Secure Backup software with asymmetric encryption RSA, openSSL

Posted on 2014-09-23
6
389 Views
Last Modified: 2014-12-08
Hi,
I need backup solution/software to backup data on usb keys and secure it with public key,
asymmetric  encryption.
I know how to create public/private key, how to encrypt/decrypt single file.
But I dont know how to make script than can encrypt folder with multiple files and move encrypted files  to another location.

Platform is Windows 8

thanks
0
Comment
Question by:Maddogslo
  • 3
  • 2
6 Comments
 
LVL 62

Expert Comment

by:btan
ID: 40340566
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40341914
Best not to - seriously.

Your best bet is to use whole disk encryption on the usb device - PGP sell a version of WDE that uses RSA keys, (actually, pgp keys, so other algos supported) - although symmetric keys are fine for that provided you keep them unique - and once mounted, you can just drag files onto there, and indeed treat the usb drive as you would any other usb device (with the only real difference being once dismounted, the usb will be unreadable without the key to re-mount it)
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40341926
btan's suggestion of 7z is a good one though. while 7z doesn't use asymmetric keys, you could easily write a simple text file to hold a randomly generated symmetric key, use the symmetric key to encrypt an entire directory structure into an archive (optionally hiding the file names) then encrypt the text file with the hybrid scheme of your choice (ssl, pgp, whatever)
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 62

Expert Comment

by:btan
ID: 40341939
indeed manual backup is not going to be very operationally friendly and if script failed - will script be smart enough to recover, and alert instead of skipping and left files not protected yet copy over...too many permutation for own scripting. It is always best to have some sort of NAS / SAN encryption where possible, but cost is a deterrence. However, we cannot be penny wise pound foolish.

...even bitlocker is already some sort of disk encryption and you can identify data volume (if that is the place to store the backup copies. Other similar approach using encrypted volume where a partition is assigned to be encrypted and eventually back it up (there is secure container from truecryp and axcrypt), likewise if it is VM based then it is a file by itself

 ... the incremental and differential backup is challenging for both
0
 

Author Comment

by:Maddogslo
ID: 40341982
We have IronKey USB S250 16GB.

Ironkey is great product, weak point is backup, which is secured/encrypted with user password and can be brute forced.
We need asymmetric encryption, with public 4096 bit key

I used this command OpenSSL to encrypt file, with asymmetric encryption I get problem to decrypt files they are larger then 800MB
smime  -encrypt -aes256  -in archive.zip  -binary  -outform DEM  -out  archive_encrypted.zip  main_public.pem

decrypt command for OpenSSL
smime -decrypt  -in  archive_encrypted.zip  -binary -inform DEM -inkey main_private.pem  -out  arcive_decrypted.zip

I need script or some guidance how:
-  to encrypt  files (all files in selected folders)
-  then compact encrypted files (7zip)
-  then transfer files to NAS (we use Synology)
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 40342281
well, first you want to compress THEN encrypt - encrypted data is not compressible.

but if you look at your own command examples, you will find you are using AES@256 bit for your encryption, and protecting only the key with RSA.  If your script does this explicitly (using "7z a -p" and a pseudorandomly generated password) you then have the simpler task of how to use RSA to protect a short pw string.

you can of course just use "7z a" to create an unencrypted archive then encrypt that archive with openssl (using the command you posted) but you then need sufficient staging space to stage the backup before you can encrypt it. with "7z a -p" you could encrypt and write the 7z archive directly to the nas in a single operation, then just need to securely transfer the password and you are done - and that can even be added into the same 7z archive after it is created, to give you a single-file backup - for that you would be more likely to use rsautl (rather than smime) and supply the password on stdin, with output being to something like <backup-datestamp>.key - which you than use "7z a" (without -p, obviously) to append to your existing backup 7z file. no staging space needed, no certificate needed (you just need the public key) and only decryptable with the aid of the private key (which you will then need to keep very safe :)
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question