Solved

Secure Backup software with asymmetric encryption RSA, openSSL

Posted on 2014-09-23
6
363 Views
Last Modified: 2014-12-08
Hi,
I need backup solution/software to backup data on usb keys and secure it with public key,
asymmetric  encryption.
I know how to create public/private key, how to encrypt/decrypt single file.
But I dont know how to make script than can encrypt folder with multiple files and move encrypted files  to another location.

Platform is Windows 8

thanks
0
Comment
Question by:Maddogslo
  • 3
  • 2
6 Comments
 
LVL 61

Expert Comment

by:btan
ID: 40340566
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40341914
Best not to - seriously.

Your best bet is to use whole disk encryption on the usb device - PGP sell a version of WDE that uses RSA keys, (actually, pgp keys, so other algos supported) - although symmetric keys are fine for that provided you keep them unique - and once mounted, you can just drag files onto there, and indeed treat the usb drive as you would any other usb device (with the only real difference being once dismounted, the usb will be unreadable without the key to re-mount it)
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40341926
btan's suggestion of 7z is a good one though. while 7z doesn't use asymmetric keys, you could easily write a simple text file to hold a randomly generated symmetric key, use the symmetric key to encrypt an entire directory structure into an archive (optionally hiding the file names) then encrypt the text file with the hybrid scheme of your choice (ssl, pgp, whatever)
0
Google Storage: Standard vs. Nearline vs. Coldline

Google Cloud Storage has a number of classes to choose from. Although there are a lot in common, they vary in price and usage terms. This post explains Google Cloud Storage classes and helps to understand which  one to choose.

 
LVL 61

Expert Comment

by:btan
ID: 40341939
indeed manual backup is not going to be very operationally friendly and if script failed - will script be smart enough to recover, and alert instead of skipping and left files not protected yet copy over...too many permutation for own scripting. It is always best to have some sort of NAS / SAN encryption where possible, but cost is a deterrence. However, we cannot be penny wise pound foolish.

...even bitlocker is already some sort of disk encryption and you can identify data volume (if that is the place to store the backup copies. Other similar approach using encrypted volume where a partition is assigned to be encrypted and eventually back it up (there is secure container from truecryp and axcrypt), likewise if it is VM based then it is a file by itself

 ... the incremental and differential backup is challenging for both
0
 

Author Comment

by:Maddogslo
ID: 40341982
We have IronKey USB S250 16GB.

Ironkey is great product, weak point is backup, which is secured/encrypted with user password and can be brute forced.
We need asymmetric encryption, with public 4096 bit key

I used this command OpenSSL to encrypt file, with asymmetric encryption I get problem to decrypt files they are larger then 800MB
smime  -encrypt -aes256  -in archive.zip  -binary  -outform DEM  -out  archive_encrypted.zip  main_public.pem

decrypt command for OpenSSL
smime -decrypt  -in  archive_encrypted.zip  -binary -inform DEM -inkey main_private.pem  -out  arcive_decrypted.zip

I need script or some guidance how:
-  to encrypt  files (all files in selected folders)
-  then compact encrypted files (7zip)
-  then transfer files to NAS (we use Synology)
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 40342281
well, first you want to compress THEN encrypt - encrypted data is not compressible.

but if you look at your own command examples, you will find you are using AES@256 bit for your encryption, and protecting only the key with RSA.  If your script does this explicitly (using "7z a -p" and a pseudorandomly generated password) you then have the simpler task of how to use RSA to protect a short pw string.

you can of course just use "7z a" to create an unencrypted archive then encrypt that archive with openssl (using the command you posted) but you then need sufficient staging space to stage the backup before you can encrypt it. with "7z a -p" you could encrypt and write the 7z archive directly to the nas in a single operation, then just need to securely transfer the password and you are done - and that can even be added into the same 7z archive after it is created, to give you a single-file backup - for that you would be more likely to use rsautl (rather than smime) and supply the password on stdin, with output being to something like <backup-datestamp>.key - which you than use "7z a" (without -p, obviously) to append to your existing backup 7z file. no staging space needed, no certificate needed (you just need the public key) and only decryptable with the aid of the private key (which you will then need to keep very safe :)
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Utilizing an array to gracefully append to a list of EmailAddresses
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now