Encrypted files with Flexbackup

Flexbackup is a very nice and flexible tool to create full, incremental and differential backups. But if you store your backups in an untrusted environment you might want do encrypt the created archive files. Flexbackup cannot handle it by default, but there is a very simple way to get the desired results by replacing the default gzip binary with a wrapper file.

In this example I'm using mcrypt with symmetric block cipher DES. Replace it with gnupg if you want asymmetric encryption, but remember: if someone gains root access to read the key he doesn't need to decrypt your backup files - he already has access to the originals.

Create a file named /usr/local/bin/gzip_crypt:

  1. #!/bin/sh
  2. gzip $* | mcrypt -a des --keyfile "$HOME/mcrypt.key"

Another example that uses 256-Bit-AES-Encryption:

  1. #!/bin/sh
  2. gzip $* | <a href="http://ccrypt.sourceforge.net/">ccencrypt</a> --keyfile "$HOME/mcrypt.key"

Make this file executable:

$ chmod 0755 /usr/local/bin/gzip_crypt

Store an encryption key in "$HOME/mcrypt.key", e.g. /root/mcrypt.key. I would suggest to use at least 16 random characters for it, see the manpage of mcrypt for details. Ensure that the key isn't readable for someone else:

$ chmod 0600 "$HOME/mcrypt.key"

Don't - DON'T, DON'T, DON'T - enter the key as command line argument to mcrypt as it would be visible in the process list for every user while mcrypt is running!

Now edit your flexbackup.conf and change the following options to these values:

  1. $compress = 'gzip';
  2. $comp_log = 'bzip2'; # or just 'false', gzip_crypt isn't able to handle this
  3. $path{'gzip'} = '/usr/local/bin/gzip_crypt';

That's it:

$ flexbackup -set home
...lot of stdout stuff here...
$ file home.0.201101141830.tar.gz 
home.0.201101141830.tar.gz: mcrypt 2.5 encrypted data, algorithm: des, keysize: 8 bytes, mode: cbc,

Use 'mdecrypt --key "$HOME/mcrypt.key" home.0.201101141830-decrypted.tar.gz' to decrypt the file.

Comments

Roland,

Many thanks for your blog!

I used your very nice idea and improved upon it for my purposes. First, I chose to use the openssl suite for my encrypt/decrypt utility (well maintained / personal choice). And since flexbackup prefers to use gzip for log compression (and since gzip is pretty much ubiquitously used for Linux log compression), I chose to leave access to gzip unmodified and instead ask for "bzip2" data compression and redirected the path of bzip2 to "/usr/local/sbin/gzip_encrypt" which contains the following:

========================================================
#!/bin/bash
# gzip_encrypt
# Author: Mike Fletcher
# Date: Mon Oct 31 15:55:01 EDT 2011

# Assign variables
# Use Advanced Encryption Standard 256bit in Cipher Block Chaining mode.
ENCALG="aes-256-cbc" # encryption algorithm - AES256 rated US Gov Secret quality
PASS="*******************" # encryption password - keep this secret and don't forget
export PASS

if [ "$*" == "-d" ] # are we decrypting and decompressing?
then
openssl enc -${ENCALG} -d -pass env:PASS | gzip -d
else
gzip $* | openssl enc -${ENCALG} -salt -pass env:PASS
fi

exit
========================================================

Notice I'm really using gzip instead of bzip2. This method works with flexbackup to write AND read back data to/from tape.

*** NOTE: this script should be readable by root only! ***
The encryption key should be where the asterisks are and is in plane view to anyone with read permission.

BTW, the following might help some users selecting "star" as flexbackup's archiver and having a read back from tape error on Linux (I'm using Ubuntu Lucid [10.04]): I encountered a problem with the default setup of $pad_blocks='true' adding a "conv=sync" to dd which caused star to have checksum errors on readback. Changing the $pad_blocks='false' solved my problem.

Cheers,
Mike

You may be able to accomplish this task without modifying flexbackup.

flexbackup -compress compress -d "path{'compress'}='/usr/local/bin/gzip_crypt' ...

where 'compress' is one of the valid compression values (besides 'false' and 'hardware') that isn't going to be used to compress logs. Note: your gzypt_crypt script will not receive the gzip parameter that specifies the compress level.

Or specify that logs should not be compressed and use the default 'gzip' compression value.

flexbackup -d "comp_log='false'" -d "path{'gzip'}=/usr/local/bin/gzip_crypt" ...

Add new comment