
Encrypt Offsite Backups Using Ccrypt




One application for encryption is shipping backups off to an external site. There are many inexpensive hosting facilities out there that will give you plenty of bandwidth and decent storage. True, there are companies that provide complete solutions; however, the cost for the transfer is much higher. Even if you use the password-protected backups provided by your backup software, or use encryption, that may not provide enough security. Further, the performance degradation from using the backup software's encryption might be too much for your backup window.

In this article we will show you how to encrypt a file in an automated fashion, so that the file can be shipped off to an external site. The file can then be decrypted using a passphrase. One flaw in this scheme is that the passphrase is in a file. Since the data we are protecting is on the same machine anyway, this isn't a big deal. We simply don't ship off the file that contains the passphrase. Just don't use a passphrase that you use for anything else. You could also use this to encrypt a backup before putting it on tape, just in case the tape gets lost or mis-shipped.

We used ccrypt for this, because it is open source, recently maintained, and has the options we wanted for automation. As an example, let's create a passphrase file to hold our passphrase, encrypt a file, and then decrypt it:

srv-5:~/ccrypt usr4$ echo thisisthepassword > passphrase.txt
srv-5:~/ccrypt usr4$ cat passphrase.txt
thisisthepassword
srv-5:~/ccrypt usr4$ echo you have discovered the secret message > message.txt
srv-5:~/ccrypt usr4$ cat message.txt
you have discovered the secret message
srv-5:~/ccrypt usr4$ ccrypt -k passphrase.txt message.txt
srv-5:~/ccrypt usr4$ ls message*
message.txt.cpt
srv-5:~/ccrypt usr4$ cat message.txt.cpt
q¦?C?w??NB??d9i~U?????YDu?P?p?-BO+HC;Õt??J???(?}?8?O6??9%W
srv-5:~/ccrypt usr4$ 
srv-5:~/ccrypt usr4$ ccdecrypt -k passphrase.txt message.txt.cpt
srv-5:~/ccrypt usr4$ ls message*
message.txt
srv-5:~/ccrypt usr4$ cat message.txt
you have discovered the secret message

Let's encrypt the file with the passphrase file again, but this time enter the passphrase at the keyboard to decrypt it:

srv-5:~/ccrypt usr4$ 
srv-5:~/ccrypt usr4$ ls message*
message.txt
srv-5:~/ccrypt usr4$ ccrypt -k passphrase.txt message.txt
srv-5:~/ccrypt usr4$ ls message*
message.txt.cpt
srv-5:~/ccrypt usr4$ ccdecrypt message.txt.cpt
Enter decryption key: 
srv-5:~/ccrypt usr4$ ls message*
message.txt
srv-5:~/ccrypt usr4$ cat message.txt
you have discovered the secret message
srv-5:~/ccrypt usr4$

As you can see, all of this can be automated without the passphrase showing up in the process list of the machine.
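
One way to script the keyfile approach shown above, as an added example that is not part of the original article: the function names, the randomly generated passphrase and the permission check are assumptions; only the use of `ccrypt -k` comes from the article. It runs ccrypt as a filter so the source backup stays in place, and it verifies the round trip before the ciphertext is considered ready to ship.

```shell
#!/bin/sh
# Added example: function names and file layout are hypothetical.

# Create a keyfile holding a random passphrase, readable by its owner only.
# Refuses to overwrite, so an existing file's looser mode is never inherited.
make_keyfile() {
    [ ! -e "$1" ] || return 1
    ( umask 077
      head -c 32 /dev/urandom | od -An -tx1 | tr -dc '0-9a-f' > "$1"
      echo >> "$1" )
}

# Succeed only for a regular, non-empty, non-symlink file with no
# group/other permission bits (mode 600 or 400).
keyfile_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -s "$1" ] || return 1
    perms=$(LC_ALL=C ls -ld -- "$1") || return 1
    case $perms in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# encrypt_backup KEYFILE SOURCE DEST
# -k reads the passphrase from KEYFILE, so it never appears in argv.
# With no file arguments ccrypt acts as a filter and SOURCE is left in place.
encrypt_backup() {
    kf=$1 src=$2 dst=$3
    keyfile_ok "$kf" || { echo "refusing keyfile: $kf" >&2; return 2; }
    ccrypt -e -k "$kf" < "$src" > "$dst.tmp" || { rm -f "$dst.tmp"; return 3; }
    # Decrypt and compare with the source before trusting the ciphertext.
    ccrypt -d -k "$kf" < "$dst.tmp" | cmp -s - "$src" || { rm -f "$dst.tmp"; return 4; }
    mv "$dst.tmp" "$dst"
}
```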



This article comes from NetAdminTools:
http://www.netadmintools.com/

The URL for this story is:
http://www.netadmintools.com/art480.html

Copyright 1997-2007 NetAdminTools.com.