7.25. Encrypting Backups
Problem
You want to create an encrypted backup.
Solution
Method 1: Pipe through gpg.
To write a tape:
$ tar cf - mydir | gpg -c | dd of=/dev/tape bs=10k
To read a tape:
$ dd if=/dev/tape bs=10k | gpg --decrypt | tar xf -
To write an encrypted backup of directory mydir onto a CD-ROM:
#!/bin/sh
mkdir destdir
tar cf - mydir | gpg -c > destdir/myfile.tar.gpg
mkisofs -R -l destdir | cdrecord speed=${SPEED} dev=${SCSIDEVICE} -
where SPEED and SCSIDEVICE are specific to your system; see cdrecord(1).
Method 2: Encrypt files separately.
Make a new directory containing links to your original files:
$ cp -lr mydir newdir
In the new directory, encrypt each file, and remove the links to the unencrypted files:
$ find newdir -type f -exec gpg -e '{}' \; -exec rm '{}' \;
Back up the new directory with the encrypted data:
$ tar c newdir
Discussion
Method 1 produces a backup that may be considered fragile: one big encrypted file. If part of the backup gets corrupted, you might be unable to decrypt any of it.
Method 2 avoids this problem. The cp -l option creates hard links, which can only be used within a single filesystem. If you want the encrypted files on a separate filesystem, use symbolic links instead:
$ cp -sr /full/path/to/mydir newdir
$ find newdir -type l -exec gpg -e '{}' \; -exec rm '{}' \;
Note that a full, absolute pathname must be used for the original directory in this case.
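The following script is an added example, not part of the original recipe. It carries out Method 2, choosing hard or symbolic links by comparing filesystem device numbers, and reports failure if any unencrypted entry is left in the new directory. It assumes GNU cp, stat, and find; the function names and the recipient argument (a key in your keyring) are hypothetical.

```shell
#!/bin/sh
# Added example: Method 2 with an automatic choice of link type.
# Assumes GNU cp, stat and find; function names are hypothetical.

# link_mode SRC DEST_PARENT
# Prints "hard" when both paths are on one filesystem, else "symbolic".
link_mode() {
    if [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]; then
        echo hard
    else
        echo symbolic
    fi
}

# encrypt_tree SRC DEST RECIPIENT
# Builds DEST as a link tree of SRC, encrypts every entry for RECIPIENT,
# and removes each plaintext link only after gpg succeeded on it.
encrypt_tree() {
    src=$(cd "$1" && pwd) || return 1   # cp -s needs a full, absolute path
    dest=$2 recipient=$3
    if [ -e "$dest" ]; then
        echo "$dest already exists" >&2
        return 1
    fi
    mode=$(link_mode "$src" "$(dirname "$dest")") || return 1
    if [ "$mode" = hard ]; then
        cp -lr "$src" "$dest" || return 1
        type_flag=f
    else
        cp -sr "$src" "$dest" || return 1
        type_flag=l
    fi
    # find runs the second -exec only when the first exits 0, so an entry
    # whose encryption failed keeps its link and is caught below.
    # '*.gpg' is excluded so gpg's own output is never encrypted again.
    find "$dest" -type "$type_flag" ! -name '*.gpg' \
        -exec gpg --batch -r "$recipient" -e '{}' \; -exec rm '{}' \;
    # Anything in DEST that is not a directory or a .gpg file is plaintext.
    leftover=$(find "$dest" ! -type d ! -name '*.gpg' -print)
    if [ -n "$leftover" ]; then
        printf 'still unencrypted:\n%s\n' "$leftover" >&2
        return 1
    fi
}
```

Call it as encrypt_tree mydir newdir RECIPIENT, then back up newdir with tar as in Method 2.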
gpg does not preserve the owner, group, permissions, or modification times of the files. To retain ...