Linux / UNIX: Encrypt Backup Tape Using Tar & OpenSSL

How do I make sure only authorized persons can access my backups stored on tape drives (DAT, DLT, LTO-4, etc.) under Linux or UNIX operating systems? How do I back up /array22/vol4/home/ to /dev/rmt/5mn or /dev/st0 in encrypted mode?

You can easily encrypt data written to tape using a combination of the tar and openssl commands. This is a software-based solution that relies on the encryption algorithms supported by the openssl tool. Encrypted backups should be used when storing sensitive data on removable media, on shared NAS / SAN servers, or on online backup servers. When encryption is used, openssl asks for a password before you can create, view, open, or restore the files included in the backup. The commands below chain the tools together with pipes.

Backup Data

The following example writes the contents of /array22/vol4/home to tape:

tar zcvf - /array22/vol4/home | openssl des3 -salt | dd of=/dev/st0

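The administrator or backup operator enters the encryption password at the prompt, i.e. the above command encrypts the data written to tape using triple DES in CBC mode with a prompted password. You can also put the password in the script itself; note that a password passed with -k is visible to anyone who can read the script or list running processes: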

tar zcvf - /array22/vol4/home | openssl des3 -salt  -k "Your-Password-Here" | dd of=/dev/st0

Reading (listing) Files

Type the command as follows:

dd if=/dev/st0 | openssl des3 -d -salt | tar ztvf -

Or, with the password supplied in the script:

dd if=/dev/st0 | openssl des3 -d -salt -k "Your-Password-Here" | tar ztvf -

Restore The Data

Use the following command to read and restore data back:

dd if=/dev/st0 | openssl des3 -d -salt | tar xzf -

Or, with the password supplied in the script:

dd if=/dev/st0 | openssl des3 -d -salt -k "Your-Password-Here" | tar xzf -
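
The same backup, list and restore steps as shell functions, written as an added example that is not part of the original article: the password is read from a file with openssl's -pass file: option instead of being typed into the script with -k. The TAPE and PASSFILE variables, the /root/.tape-pass path and the function names are assumptions for illustration; point TAPE at a regular file to try it without a tape drive.

```shell
#!/bin/sh
# Added example: tar | openssl | dd with the password kept out of the command line.
# TAPE, PASSFILE and all function names are illustrative assumptions.
TAPE="${TAPE:-/dev/st0}"                  # a regular file also works for a dry run
PASSFILE="${PASSFILE:-/root/.tape-pass}"  # hypothetical path; first line is the password

# new_passfile: create $PASSFILE with a random password, readable by its owner only
new_passfile() {
    ( umask 077 && openssl rand -base64 32 > "$PASSFILE" )
}

# backup_encrypted DIR: archive DIR, encrypt it, write the ciphertext to $TAPE
backup_encrypted() {
    tar -C "$(dirname "$1")" -zcf - "$(basename "$1")" |
        openssl des3 -salt -pass "file:$PASSFILE" |
        dd of="$TAPE" 2>/dev/null
}

# list_encrypted: decrypt and print member names without extracting anything
list_encrypted() {
    dd if="$TAPE" 2>/dev/null |
        openssl des3 -d -salt -pass "file:$PASSFILE" |
        tar -ztf -
}

# restore_encrypted DEST: decrypt and unpack below DEST
restore_encrypted() {
    mkdir -p "$1" &&
        dd if="$TAPE" 2>/dev/null |
        openssl des3 -d -salt -pass "file:$PASSFILE" |
        tar -C "$1" -zxf -
}
```

A wrong password makes list_encrypted and restore_encrypted return non-zero, because tar receives data that is not a gzip stream.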


  • dd : Convert and copy a file.
  • /dev/st0 : Tape device name.
  • openssl : The OpenSSL toolkit command line utility.
  • tar : The tar archiving utility.
  • des3 : Triple-DES Cipher (Triple DES is the common name for the Triple Data Encryption Algorithm).
  • -salt : The -salt option should ALWAYS be used if the key is being derived from a password unless you want compatibility with previous versions of OpenSSL and SSLeay. Without the -salt option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason for this is that without the salt the same password always generates the same encryption key. When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted. (source enc man page)
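
What -salt does to the output, as an added example that is not from the article or the man page: openssl writes the 8-byte marker "Salted__" followed by the 8 random salt bytes, so two runs with the same password give different ciphertext, while -nosalt gives identical output every time. The password, plaintext and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compare openssl enc output with and without a salt.
# DEMO_PASS and the function names are constructed for this demonstration.
DEMO_PASS="constructed-demo-password"
export DEMO_PASS   # read by openssl through -pass env:, not passed in argv

# enc_hex MODE TEXT: encrypt TEXT with des3 and MODE (-salt or -nosalt), print hex
enc_hex() {
    printf '%s' "$2" |
        openssl des3 "$1" -pass env:DEMO_PASS |
        od -An -tx1 | tr -d ' \n'
}

# salt_of HEX: print the salt (16 hex digits) if HEX starts with "Salted__", else fail
salt_of() {
    case "$1" in
        53616c7465645f5f*) printf '%s\n' "$1" | cut -c17-32 ;;
        *) return 1 ;;
    esac
}

# same_ciphertext MODE: succeed if two encryptions of one input are byte-identical
same_ciphertext() {
    [ "$(enc_hex "$1" 'same plaintext')" = "$(enc_hex "$1" 'same plaintext')" ]
}
```

With -nosalt, same_ciphertext succeeds: one password always maps to one key, which is what makes precomputed dictionaries effective.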

Hardware vs Software Encryption

Software encryption is different from hardware encryption. Hardware-based encryption needs additional software and hardware, and it uses keys (and/or a password) to protect data. I suggest you read a vendor site such as HP or IBM for further details on hardware encryption, which may or may not be supported by your backup devices.

6 comments
  • Jordi Apr 1, 2010 @ 7:55

    That was awesome!
    Thanks a lot for writing this article.

  • Rev Apr 1, 2010 @ 14:38

    Thank you for the article but isn’t it outdated?

    I mean I can imagine large companies still use tapes to store backups.

    I can also imagine inexperienced users using DES instead of AES to backup their data.

    But the combination of those seems rather unlikely to me.

  • hideaki May 6, 2010 @ 22:35

    Useless use of dd (not cat this time, but close).

    dd if=/dev/st0 | openssl des3 -d -salt | tar xzf -
    should be
    openssl des3 -d -salt </dev/st0 | tar -xzf-

    And who uses DES (even 3DES) these days… bah.

  • jane Aug 23, 2010 @ 20:13

    What if the tape is not enough for the backup, how do I let the drive ask for a second tape to be inserted?

  • mayank Dec 7, 2011 @ 20:21

    1. What if the tape is not enough for the backup (while the backup is running), will the tar backup prompt for a new tape?

    2. Let's assume we are taking a backup of folder /back/25/
    tar -cvf /dev/st0 /back/25/
    It completes successfully,
    but the next time, when I try to start a new folder backup on the same tape:
    tar -cvf /dev/st0 /back/26/
    it completes, but the problem is that it gets overwritten. My 25 folder is missing.
    I need some suggestions on this… how do I take multiple folder backups (the folder which gets generated on the next day) on the same tape without overwriting the tape?

  • Rafa Jun 17, 2016 @ 5:00
