When you have sensitive data to transmit and want encrypting and decrypting it to be easy, standard tools get the job done!
When sending sensitive material across the globe, be it via email, Dropbox or any other file-sharing utility, you probably want to encrypt your data before sending it.
Here is one way to do just that: tar the files and encrypt the archive with OpenSSL!
Encrypting Your File
tar and gzip the file, then encrypt it using des3 and a secret key, replacing #YOUR PASSWORD# with your super strong secret password that no one else knows (the quotes keep a password with spaces or shell characters together as one argument). Two caveats before you copy this: a password passed with -k is visible to anyone who can list processes on the machine and is saved in your shell history, so letting openssl prompt for it is safer (the comments below discuss this); and des3 with OpenSSL's default key derivation is a legacy choice, so on a current OpenSSL prefer an AES cipher with -pbkdf2.
tar cvzf - sensitive_file.document | openssl des3 -salt -k '#YOUR PASSWORD#' | dd of=encrypted_sensitive_file
It is that simple!
When it is received on the other end, you essentially run the commands in reverse order.
dd if=encrypted_sensitive_file | openssl des3 -d -k '#YOUR PASSWORD#' | tar xvzf -
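The same tar-and-openssl workflow, as an added example written for this page rather than the original post's command, with the caveats above applied: the passphrase comes from a mode-0600 file (so it appears in neither ps output nor shell history), AES-256 with PBKDF2 replaces des3, the ciphertext is written under a different name from its input, and decryption unpacks into a fresh directory. The stream functions also cover the backup job discussed in the comments below, where a mysqldump can be piped straight into encrypt_stream instead of being written to disk first. It assumes OpenSSL 1.1.1 or newer (for -pbkdf2) and GNU or BSD tar; the function names, the passphrase files and the sample document are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Same tar + openssl idea as
# the tutorial, with three changes a practitioner would want:
#   * the passphrase is read from a file created with umask 077 (-pass file:),
#     so it shows up neither in `ps` output nor in shell history;
#   * AES-256-CBC with PBKDF2 (OpenSSL >= 1.1.1) replaces des3 with OpenSSL's
#     legacy single-round MD5 key derivation;
#   * ciphertext goes to a different name than the input, and decryption
#     extracts into a separate directory, so nothing is overwritten in place.

# Word splitting of this variable is intended where it is expanded unquoted.
CIPHER_OPTS="-aes-256-cbc -pbkdf2 -iter 200000"

# encrypt_stream OUTFILE PASSFILE : stdin (tar stream, mysqldump, ...) -> OUTFILE
encrypt_stream() {
  openssl enc $CIPHER_OPTS -salt -pass "file:$2" -out "$1"
}

# decrypt_stream INFILE PASSFILE : INFILE -> stdout.  With a wrong passphrase
# openssl reports "bad decrypt" and exits non-zero instead of handing tar
# plausible-looking output.
decrypt_stream() {
  openssl enc -d $CIPHER_OPTS -pass "file:$2" -in "$1"
}

# encrypt_tree SRCPATH OUTFILE PASSFILE : tar+gzip SRCPATH, then encrypt it
encrypt_tree() {
  tar czf - "$1" | encrypt_stream "$2" "$3"
}

# decrypt_tree INFILE DESTDIR PASSFILE : decrypt INFILE and unpack into DESTDIR
# (the status of the pipeline is tar's, which fails on garbage input)
decrypt_tree() {
  decrypt_stream "$1" "$3" | tar xzf - -C "$2"
}

# roundtrip_demo : builds constructed sample data in a temp dir, prints "ok"
# and returns 0 if the data survives encrypt -> decrypt, the plaintext is not
# visible in the ciphertext, and a wrong passphrase is rejected.
roundtrip_demo() {
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    umask 077                       # passphrase files become mode 0600
    mkdir src out
    printf 'constructed sample payload\n' > src/sensitive_file.document
    printf '%s\n' 'correct horse battery staple' > pass.txt
    printf '%s\n' 'not the passphrase' > wrong.txt

    encrypt_tree src src.tgz.enc pass.txt || exit 1
    # the ciphertext must not contain the plaintext
    if grep -q 'constructed sample payload' src.tgz.enc; then exit 1; fi
    # a wrong passphrase must make the whole pipeline fail
    if decrypt_tree src.tgz.enc out wrong.txt 2>/dev/null; then exit 1; fi
    decrypt_tree src.tgz.enc out pass.txt || exit 1
    cmp -s src/sensitive_file.document out/src/sensitive_file.document || exit 1
    echo ok
  )
  status=$?
  rm -rf "$work"
  return $status
}
```

Call roundtrip_demo to check your openssl and tar; it prints ok. Note that openssl enc provides confidentiality only: nothing detects a modified ciphertext before tar tries to unpack it, so use gpg or age (which authenticate the data) when tampering in transit is part of your threat model.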
If we do it in the manner you’ve shown, we’ll be exposing our password to anyone who runs a ps -ef on the server! Here’s how to do it securely:
http://abdussamad.com/archives/755-Encrypt-a-File-on-Linux-Using-OpenSSL.html
Correct me if I’m wrong, but wouldn’t it require root privileges to see other users’ processes?
So if one regular user encrypts the file, the other regular user wouldn’t see that process?
I will check once I get access to a computer again.
Not sure about that, but there are other problems with including the password in the command. For one, it gets cached in plain text in your bash_history file. And it also allows for shoulder surfing. So it’s better to make openssl prompt you for the password.
shoulder surfing*
You could always disable bash_history and smack everyone over their head if they try looking over your shoulder. 🙂
Hello Mikho
Thank you for the guide. I just wonder how you can decrypt the encrypted files, because it will not decrypt for me.
I’ve made this cron job on my server; it performs a mysql dump and rsyncs it to my RPI at home. Summerhosts is the example password.
Here’s the cron job in an edited version:
cd /home/backupuser/backups
mysqldump db1 > db1.sql
mysqldump db2 > db2.sql
# Encrypt to a different file name: the posted line wrote back to db1.sql,
# the very file tar is reading, so dd truncated the dump before tar archived it
tar cvzf - db1.sql | openssl des3 -salt -k Summerhosts | dd of=db1.sql.enc
# The posted line also wrote this one to db1.sql (copy/paste error); it is db2 here
tar cvzf - db2.sql | openssl des3 -salt -k Summerhosts | dd of=db2.sql.enc
# the plaintext dumps are no longer needed once the encrypted copies exist
rm -f db1.sql db2.sql
mv db1.sql.enc /home/backupuser/backups/mv
mv db2.sql.enc /home/backupuser/backups/mv
cd /home/backupuser/backups/mv
/usr/bin/rsync -avzHx --delete --stats --progress --exclude-from '/home/backupuser/rsync-exclude.txt' -e "ssh -2 -p 22" /home/backupuser/backups/mv backupuser@myhomeip:/home/backupuser/backups
rm -f /home/backupuser/backups/mv/db1.sql.enc
rm -f /home/backupuser/backups/mv/db2.sql.enc
The cron job works nicely; it sends the encrypted db home. On the RPI2, it cannot untar it using your code:
pi@raspberrypi /home/backupuser/backups/mv $ dd if=db1.sql | openssl des3 -d -k Summerhosts | tar xvzf -
0+1 records in
0+1 records out
136 bytes (136 B) copied, 0.000172291 s, 789 kB/s
db1.sql
tar: db1.sql: Cannot open: File exists
tar: Exiting with failure status due to previous errors
pi@raspberrypi /home/backupuser/backups/mv $ dd if=db2.sql | openssl des3 -d -k Summerhosts | tar xvzf -
0+1 records in
0+1 records out
144 bytes (144 B) copied, 0.000157031 s, 917 kB/s
wordpress53brah.sql
tar: wordpress53brah.sql: Cannot open: File exists
tar: Exiting with failure status due to previous errors
Any tips for a linux beginner?
It could be a difference in the tar version, if you are using the GNU version on your server and another version on your Raspberry Pi.
What does the output show when you do a “tar --version”? Do it on the server and the Raspberry Pi and compare.
If it’s not the GNU version on the raspberry you need to use another command to decompress the file. Read more here: https://kb.iu.edu/d/acfi
The RPI runs on Debian Wheezy http://downloads.raspberrypi.org/raspbian_latest .
pi@raspberrypi ~ $ tar --version
tar (GNU tar) 1.26
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later .
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by John Gilmore and Jay Fenlason.
The server’s running serverpilot.io agent and is on ubuntu 14.04.
BmJJJw35sKJQb3534bQWs@server:~$ tar –version
tar: invalid option — ‘▒’
Try ‘tar –help’ or ‘tar –usage’ for more information.
sudouser@server:~$ tar --version
tar (GNU tar) 1.27.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later .
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by John Gilmore and Jay Fenlason.
For now, I’ve cut out the encryption part of the cron since it’s just a small WordPress site and a piwik install with tiny data only.
Then there shouldn’t be any problem, unless there is a difference in some other part between your server and your Pi.
The error message “tar: db1.sql: Cannot open: File exists” is a bit troublesome; it could be that the temporary file is being saved under the same name as the original file. Try specifying a temporary filename on your Pi.