Linux / UNIX: Encrypt Backup Tape Using Tar & OpenSSL

March 25, 2010 · 5 comments · Last updated March 26, 2010


How do I make sure that only authorized people can access my backups stored on tape drives (DAT, DLT, LTO-4, etc.) under Linux or UNIX operating systems? How do I back up /array22/vol4/home/ to /dev/rmt/5mn or /dev/st0 in encrypted form?

You can encrypt data written to tape by combining the tar and openssl commands. This is a software-based solution that relies on the encryption algorithms supported by the openssl tool. Encrypted backups should be used when storing sensitive data on removable media, on shared NAS / SAN servers, or with online backup services. When encryption is used, openssl asks for a password before you can create, list, open, or restore the files in the backup. The approach relies on pipes.

Backup Data

The following shows an example of writing the contents of /array22/vol4/home to tape:

tar zcvf - /array22/vol4/home | openssl des3 -salt | dd of=/dev/st0

The administrator or backup operator enters an encryption password at the prompt; that is, the command above encrypts the tape using triple DES in CBC mode with a prompted password. You can also put the password in the script itself:

tar zcvf - /array22/vol4/home | openssl des3 -salt -k "Your-Password-Here" | dd of=/dev/st0

Reading (listing) Files

Type the command as follows:

dd if=/dev/st0 | openssl des3 -d -salt | tar ztvf -

OR

dd if=/dev/st0 | openssl des3 -d -salt -k "Your-Password-Here" | tar ztvf -

Restore The Data

Use the following command to read and restore data back:

dd if=/dev/st0 | openssl des3 -d -salt | tar xzf -

OR

dd if=/dev/st0 | openssl des3 -d -salt -k "Your-Password-Here" | tar xzf -

Where,

  • dd : Convert and copy a file.
  • /dev/st0 : Tape device name.
  • openssl : The OpenSSL toolkit command line utility.
  • tar : The tar archiving utility.
  • des3 : Triple-DES Cipher (Triple DES is the common name for the Triple Data Encryption Algorithm).
  • -salt : The -salt option should ALWAYS be used if the key is being derived from a password, unless you want compatibility with previous versions of OpenSSL and SSLeay. Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key. When the salt is being used, the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted. (Source: the openssl enc man page.)
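The backup, list and restore commands above, plus the salt behaviour just quoted, as one runnable script. This is an added example, not code from the article: it uses a regular file as a stand-in for /dev/st0, reads the password with -pass file: from a mode-0600 file (a password passed with -k is visible to every local user in the process list and in shell history), and adds -pbkdf2, which needs OpenSSL 1.1.1 or later. -des-ede3-cbc is the full name of the article's "des3" cipher. All paths, the sample data and the password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): round-trip a directory through the
# tar | openssl | dd pipeline, using a regular file as a stand-in for /dev/st0.
# Assumptions: OpenSSL 1.1.1+ (for -pbkdf2), a tar with gzip support.
# All paths, the sample data and the password are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TAPE="$WORK/tape.img"          # stand-in for /dev/st0 (constructed)
PASSFILE="$WORK/backup.pass"   # password file, mode 0600, read with -pass file:
SRC="$WORK/src"
CIPHER=-des-ede3-cbc           # the article's "des3": triple DES in CBC mode

umask 077
printf '%s\n' 'Your-Password-Here' > "$PASSFILE"   # constructed sample password
mkdir -p "$SRC/home/alice"
printf 'payroll 2010\n' > "$SRC/home/alice/notes.txt"

# Backup: the article's pipeline. The key comes from a file instead of
# -k "..." so it never appears in `ps` output or shell history; -salt makes
# the derived key unique per run and -pbkdf2 slows down password guessing.
encrypt_backup() {
    tar czf - -C "$SRC" home \
      | openssl enc $CIPHER -salt -pbkdf2 -pass "file:$PASSFILE" \
      | dd of="$TAPE" 2>/dev/null
}

# List: decrypt the tape and print the table of contents without extracting.
list_backup() {
    dd if="$TAPE" 2>/dev/null \
      | openssl enc -d $CIPHER -salt -pbkdf2 -pass "file:$PASSFILE" \
      | tar tzf -
}

# Restore into a clean directory; succeeds only if the file came back intact.
restore_backup() {
    rm -rf "$WORK/restore" && mkdir -p "$WORK/restore"
    dd if="$TAPE" 2>/dev/null \
      | openssl enc -d $CIPHER -salt -pbkdf2 -pass "file:$PASSFILE" \
      | tar xzf - -C "$WORK/restore"
    cmp -s "$SRC/home/alice/notes.txt" "$WORK/restore/home/alice/notes.txt"
}

# A wrong password yields garbage, gzip rejects it and the pipeline fails.
# Returns 0 when the restore is (correctly) refused.
restore_with_wrong_password_fails() {
    rm -rf "$WORK/bad" && mkdir -p "$WORK/bad"
    if dd if="$TAPE" 2>/dev/null \
         | openssl enc -d $CIPHER -salt -pbkdf2 -pass pass:not-the-password 2>/dev/null \
         | tar xzf - -C "$WORK/bad" 2>/dev/null; then
        return 1
    fi
    return 0
}

# The salt described in the man page excerpt: the stream starts with the
# "Salted__" marker and, because the salt is random, encrypting the same
# data twice with the same password produces different ciphertext.
salt_is_random() {
    [ "$(dd if="$TAPE" bs=8 count=1 2>/dev/null)" = "Salted__" ] || return 1
    a=$(printf 'x' | openssl enc $CIPHER -salt -pbkdf2 -pass "file:$PASSFILE" | od -An -tx1)
    b=$(printf 'x' | openssl enc $CIPHER -salt -pbkdf2 -pass "file:$PASSFILE" | od -An -tx1)
    [ "$a" != "$b" ]
}

encrypt_backup
list_backup
restore_backup && echo "restore verified"
restore_with_wrong_password_fails && echo "wrong password rejected"
salt_is_random && echo "salt is random"
```

To use it against a real drive, replace TAPE with /dev/st0 (or the non-rewinding device, /dev/nst0 on Linux, when several archives go on one tape) and keep the password file readable by the backup account only. The wrong-password check is worth keeping in a backup script: an encrypted archive that nobody has ever test-restored is not a backup.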

Hardware vs Software Encryption

Software encryption is different from hardware encryption. Hardware-based encryption needs additional software and hardware, and it uses keys (and/or a password) to protect the data. I suggest you read a vendor site such as HP or IBM for further details on hardware encryption, which may or may not be supported by your backup devices.


1 Jordi April 1, 2010 at 7:55 am

That was awesome!
Thanks a lot for writing this article.


2 Rev April 1, 2010 at 2:38 pm

Thank you for the article, but isn't it outdated?

I mean I can imagine large companies still use tapes to store backups.

I can also imagine inexperienced users using DES instead of AES to backup their data.

But the combination of those seems rather unlikely to me.


3 hideaki May 6, 2010 at 10:35 pm

Useless use of dd (not cat this time, but close).

dd if=/dev/st0 | openssl des3 -d -salt | tar xzf -
should be
openssl des3 -d -salt </dev/st0 | tar -xzf-

And who uses DES (even 3DES) these days… bah.


4 jane August 23, 2010 at 8:13 pm

What if the tape is not large enough for the backup? How do I make the drive ask for a second tape to be inserted?


5 mayank December 7, 2011 at 8:21 pm

1. What if the tape is not large enough for the backup (while the backup is running)? Will the tar backup prompt for a new tape?

2. Let's assume we are taking a backup of folder /back/25/
tar -cvf /dev/st0 /back/25/
It completes successfully,
but the next time, when I try to fire a new folder backup on the same tape,
tar -cvf /dev/st0 /back/26/
it completes, but the problem is that it gets overwritten. My 25 folder is missing.
I need some suggestions on this: how do I take multiple folder backups (the folder which gets generated on the next day) on the same tape without overwriting the tape?
