The DigitalPimp
Ben Pfountz
I have been doing backups to cdrw for over 2 years now. When it comes to security, a compromised backup disk can be a big threat. An attacker who has stolen a backup disk has your entire server at his fingertips. No intrusion detection methods will find this attacker. The only small piece of security that could prevent the attacker from exploiting your system is the encryption placed on the disks.
The method I have chosen for encrypted backups is as follows. Use tar to generate a tar file of the data you want saved. You can optionally use the -j option to tar, which will compress the information using the bz2 standard. Then pass the information through bdes to encrypt the tarfile. Finally, use mkisofs to generate an ISO image of the single file, and burn it using burncd.
One should note that while it seems like this could all be done on the fly using pipes, there are catches. I have not found a way to get mkisofs to generate an ISO image from standard input. mkisofs can take a list of files to be backed up from standard in, and therefore leaves standard input in text mode instead of binary mode. I tried to specify /dev/stdin as a single file to be backed up, but mkisofs still placed the standard input in text only mode, causing stdin to close as soon as binary data passes through it. If you are running tar with bz2 compression, then encrypting it using bdes, most likely your cpu is not going to keep up with your burner anyway. You can trust buffer underrun protection and do it anyway, but if you have the drive space, it's better on your burner to not have to underrun every 12 secs.
This is the script that runs the backup:

#!/bin/sh
tmpspace="/mnt/data/backups"
script_path="/usr/home/bpfountz/projects/digitalpimp"
pics1="/usr/home/bpfountz/public_html/pics/cd1"
# Run the encryption script as a child process. With exec the shell would be
# replaced and the wait loop and burn step below would never run.
${script_path}/folder_encrypt ${tmpspace}/pics1.tar.bdes ${pics1}
# Wait until no tar process is left. The [t] keeps grep from matching itself.
results=0
while [ ${results} = 0 ]; do
    sleep 1
    /bin/ps -auxww | /usr/bin/grep "[t]ar -cf" > /dev/null
    results=$?
done
${script_path}/folder_burn pics1 pics1.tar.bdes ${tmpspace}/pics1.tar.bdes

This script handles the encryption:
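
#!/usr/local/bin/ksh
# $1 is the filename of the archive
# $2 is the folder to be encrypted
# $3 is additional flags to tar
echo "Creating $1..."
rm $1 2> /dev/null
# Start bdes as a ksh co-process (|&) writing the ciphertext to $1.
# The key is embedded in this script and passed on the command line.
eval "/usr/bin/bdes -k "encryption_key"> $1 |&"
#echo "encryption_key" >&p
# Feed the tar stream into the co-process.
/usr/bin/tar -cf - $3 $2 >&p
# Close the co-process input so bdes sees end of file and finishes.
exec 3>&p;exec 3>&-

This script handles the burning:
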
#!/usr/local/bin/ksh
#
# $1 is name of CD
# $2 is cd folder name
# $3 is local folder name
# example:
# $2=cd1/
# $3=/usr/home/bpfountz/public_html/pics/cd1

# Blank the CD
echo " -> BLANKING CDRW TOC (at most 8X)..."
/usr/sbin/burncd -f /dev/acd0c -s 8 -q blank
#echo " -> PAUSING 10 SECONDS..."
sleep 10

# Write the new CD (without caching the ISO to the disk, whard)
echo " -> CREATING NEW ISO, BUFFERING (4M 50%) AND WRITING (at most 8X)..."
/usr/local/bin/mkisofs -graft-points -pad -l -R -V $1 \
    $2=$3 | \
    /usr/local/bin/buffer -m 4m -p 50 | \
    /usr/sbin/burncd -f /dev/acd0c -s 8 -m -q data - fixate
echo " -> DONE"
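
An added example, not one of the author's scripts: the tar-and-encrypt stage written as an ordinary pipeline, so the shell waits for both stages itself instead of polling ps, and the passphrase is read from a key file rather than embedded in the script and passed on the command line. It assumes OpenSSL 1.1.1 or later, with openssl enc (AES-256-CBC) swapped in for bdes, whose DES key is 56 bits; the function names and the key-file argument are hypothetical.

```sh
#!/bin/sh
# Added example, not the author's scripts. Function names and paths are
# hypothetical; openssl enc (AES-256-CBC) is swapped in for bdes.

# True only for a regular file with no group/other permission bits.
key_file_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# encrypt_folder ARCHIVE FOLDER KEYFILE
# tar | cipher as a plain pipeline: the shell returns only when both stages
# have exited, and the key is read from KEYFILE, never placed in argv.
encrypt_folder() {
    archive=$1 folder=$2 keyfile=$3
    key_file_is_private "$keyfile" || { echo "key file must not be group/world accessible" >&2; return 2; }
    status=$(mktemp "${TMPDIR:-/tmp}/bk.XXXXXX") || return 1
    (
        umask 077  # the archive is created owner-only
        { tar -cf - -C "$(dirname "$folder")" "$(basename "$folder")"
          echo $? > "$status"; } |
            openssl enc -aes-256-cbc -pbkdf2 -pass "file:$keyfile" -out "$archive"
    )
    enc_rc=$?
    tar_rc=$(cat "$status"); rm -f "$status"
    # A pipeline reports only the last stage's status, so tar's is checked too.
    if [ "$tar_rc" != 0 ] || [ "$enc_rc" != 0 ]; then
        rm -f "$archive"; return 1
    fi
}

# verify_archive ARCHIVE KEYFILE: decrypt and list without writing plaintext.
verify_archive() {
    status=$(mktemp "${TMPDIR:-/tmp}/bk.XXXXXX") || return 1
    { openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1"
      echo $? > "$status"; } | tar -tf - > /dev/null
    tar_rc=$?
    dec_rc=$(cat "$status"); rm -f "$status"
    [ "$dec_rc" = 0 ] && [ "$tar_rc" = 0 ]
}
```

Run verify_archive before burning; openssl enc in CBC mode gives confidentiality only, so a successful listing shows the archive decrypts with that key, not that the disk has not been altered.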