LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-13-2007, 09:22 AM   #1
NickCoons
LQ Newbie
 
Registered: Aug 2005
Posts: 16

Rep: Reputation: 0
Data Encryption


I've got sort of a complex situation that I need a little direction on.

I'm building a server that will house data on a partition for Samba, accessible to a Windows workstation. This Windows user subscribes to an offsite backup service, whereby a client application is installed on the Windows workstation that periodically syncs the data with the server. I would simply point the client app to the mapped server drive and tell it to keep all of that data backed up.

The information is fairly sensitive, so I want to keep it safe. Ideally, we'd be able to back it up ourselves to an offsite location, but there are no other usable locations for us. So even though we don't particularly want to, a third-party service is all we can come up with.

So here's the plan. I'd like to have this data partition accessible in two ways, perhaps mounted in two directories, as such:

/var/data/normal
/var/data/encrypted

Now if I look at either of these directories, I would see the exact same file list and directory structure. If I accessed a file under /var/data/normal, it would be an unencrypted version of that file that I could access without any problems. If I accessed that same file under /var/data/encrypted, I would be accessing an encrypted version of that file. So, for instance, double-clicking on a JPG file in /var/data/encrypted would not open that file, because it would be delivered to me encrypted. But double-clicking on that same file in /var/data/normal would work just fine.

I would setup two Samba shares, one to point to each directory, such that the person on the Windows workstation would access the data on /var/data/normal, but the backup service's client app would access /var/data/encrypted. That way, all data sitting on the backup service would be encrypted and inaccessible to anyone that, say, works for the backup service company.

I've thought of setting up a cronjob to copy /var/data/normal to /var/data/encrypted, encrypting each file on the way, but that would mean that I'd have to have no less than twice as much hard drive space as the total amount of data I had.

I'm looking for someone that might know how to accomplish this, or perhaps suggestions on other ways to accomplish the same end goal. Thanks!
 
Old 11-13-2007, 11:18 AM   #2
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Rep: Reputation: 45
I currently have a similar situation where I back up to an off-site location and need to have it encrypted.

Do you have FULL access to the computer at this off-site backup place? If so, use something like TrueCrypt and you create the TrueCrypt encryption drive yourself where only you have the key and/or password. Then you use SSH to transfer your files over to that computer. Traffic will be encrypted as well as the contents on the drive. If someone tries to steal or snoop on that computer, they won't be able to access it. This way you won't need to create duplicates files. Just one simple local directory that is not encrypted.

Last edited by Micro420; 11-13-2007 at 11:20 AM.
 
Old 11-13-2007, 11:25 AM   #3
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,672

Rep: Reputation: 239Reputation: 239Reputation: 239
I'm unaware of any software that would do what you want. Probably the most straightforward way of dealing with the problem is to create a cron job that backs up an encrypted version of the share to another partition and backup that version to the off site location. You don't have to individually encrypt each file on the share. Just create a tar archive of the entire share and then encrypt the archive with mcrypt or a similar utility:

# tar -c <share mount point> | mcrypt -k password > backup_file
 
Old 11-13-2007, 12:14 PM   #4
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 99
Although tar will work, a better utility is dump as it can keep track of what files have been backed up. For example, you can do a full level 0 the first Friday of the month, a level 3 the other Fridays, and a level 5 the rest of the days. This will require the backup point to be the mount point of the partition.

<First Friday of month>
dump -0 -f - /var/data/normal | mcrypt -k passwd > /var/data/encrypted/backup_file_[month]_0

<Friday 2 through 5 >
dump -3 -f - /var/data/normal| mcrypt -k passwd > /var/data/encrypted/backup_file_[month]_[day]_3

<The rest of the days of the month (i.e. not Friday)>
dump -5 -f - /var/data/normal| mcrypt -k passwd > /var/data/encrypted/backup_file_[month]_[day]_5

The following script should work for you. I've tried to modify my backup script to use mcrypt but I'm getting a buffer overflow in the mcrypt library, so I can't test it for you.

Code:
#!/bin/sh

DAY=`date +%a`
MONTH=`date +%m`
DOM=`date +%d`

if [ "$DAY" = "Fri" ] ; then
        # Is it the first Friday of the month
        if [ $DOM -lt 8 ] ; then

            # First Friday of the Month
            /sbin/dump -0 -f - /var/data/normal| mcrypt -z -k passwd > /var/data/encrypted/backup_file_$MONTH-$DOM-0

        else

            # Not First Friday of the Month
            /sbin/dump -3 -f - /var/data/normal| mcrypt -z -k passwd > /var/data/encrypted/backup_file_$MONTH-$DOM-3

        fi

else

    # Not Friday
    /sbin/dump -5 -f - /var/data/normal| mcrypt -z -k passwd > /var/data/encrypted/backup_file_$MONTH-$DOM-5

fi
HTH

Forrest

Last edited by forrestt; 11-14-2007 at 10:49 AM.
 
Old 11-13-2007, 11:29 PM   #5
NickCoons
LQ Newbie
 
Registered: Aug 2005
Posts: 16

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Micro420 View Post
Do you have FULL access to the computer at this off-site backup place?
No, otherwise I wouldn't have a problem :-). The off-site backup server will be one of the popular third-party backup providers that one pays a monthly fee to. From what I've seen, the only access to backup data to their systems is to use their proprietary backup Windows-only client, which means that I'd need to encrypt the data myself before it's accessed by this client.
 
Old 11-13-2007, 11:32 PM   #6
NickCoons
LQ Newbie
 
Registered: Aug 2005
Posts: 16

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by kilgoretrout View Post
I'm unaware of any software that would do what you want. Probably the most straightforward way of dealing with the problem is to create a cron job that backs up an encrypted version of the share to another partition and backup that version to the off site location.
I've thought of that possibility, but as I mentioned in my original post, doing so would cause me to have to have at least twice as much hard drive space as I have data to keep both an encrypted and an unencrypted copy of the data.

Quote:
Originally Posted by kilgoretrout View Post
You don't have to individually encrypt each file on the share.
Actually, I would have to. The software that does the backup only backs up changed files. If I have 100GB of data, it might only backup one or two GB each day as that data changes. If I make a tar file and try to back it up, I'll need to somehow send 100GB of data offsite everyday.
 
Old 11-13-2007, 11:34 PM   #7
NickCoons
LQ Newbie
 
Registered: Aug 2005
Posts: 16

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by forrestt View Post
Although tar will work, a better utility is dump as it can keep track of what files have been backed up.
If I'm not mistaken, your suggestion requires that I have access to the backup location as a mount point. I won't have that access made available to me.
 
Old 11-14-2007, 02:35 AM   #8
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Rep: Reputation: 45
What provider is this? I know if you use a 3rd party like Mozy, they actually want you to encrypt the contents on their server. You can use a public/private key to encrypt your data.
 
Old 11-14-2007, 09:58 AM   #9
NickCoons
LQ Newbie
 
Registered: Aug 2005
Posts: 16

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Micro420 View Post
What provider is this? I know if you use a 3rd party like Mozy, they actually want you to encrypt the contents on their server.
Yes, it would be someone like that. This is for a client of mine, so they're choosing the provider. If I found one that I liked because it would be compatible with my goals, I could attempt to influence them, but it's ultimately not my decision.

Quote:
Originally Posted by Micro420 View Post
You can use a public/private key to encrypt your data.
Right, I know how to encrypt data. What I don't know how to do is encrypt it on-the-fly as it's being accessed as I described in my first post. If I have to keep an encrypted copy of it on the hard drive, it means it'll cost me twice as much hard drive space to hold the original and the encrypted copies. It may come to that, but I'm hoping it doesn't.
 
Old 11-14-2007, 10:46 AM   #10
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 99
Quote:
If I'm not mistaken, your suggestion requires that I have access to the backup location as a mount point. I won't have that access made available to me.
No, I was suggesting you have two partitions and back up the data from your "normal" partition to your "encrypted" partition. Both of the partitions would be shared just as you suggested and the encrypted share would be sent be backed up. The only files on the encrypted share that would change on a daily basis were the backup files and therefore they would be the only ones to be uploaded to your third party backup provider.

I'll modify my above script to make things more clear.

HTH

Forrest

Last edited by forrestt; 11-14-2007 at 10:47 AM.
 
Old 11-14-2007, 10:58 AM   #11
NickCoons
LQ Newbie
 
Registered: Aug 2005
Posts: 16

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by forrestt View Post
No, I was suggesting you have two partitions and back up the data from your "normal" partition to your "encrypted" partition.
Okay. That was a possibility I had come up with before. But as I previously mentioned, that will cost me twice as much hard drive space to keep a copy of the unencrypted and encrypted data. I'd prefer to find a way to avoid doing that, and encrypt the data on-the-fly as it's being accessed, depending on which share it's been accessed from.
 
Old 11-14-2007, 11:07 AM   #12
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 99
Ok, I must have missed that point in your original post. So, let me make sure I am following you now. You want the data to be unencrypted on your disk, and then have a share that sees the files as unencrypted, and another share that sees the same exact files as encrypted. So it is just the network traffic that you are encrypting, not the actual files (i.e. if you are logged into the system and look at the files, none of them will be encrypted).

Am I following you now?
 
Old 11-14-2007, 11:17 PM   #13
NickCoons
LQ Newbie
 
Registered: Aug 2005
Posts: 16

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by forrestt View Post
Ok, I must have missed that point in your original post. So, let me make sure I am following you now. You want the data to be unencrypted on your disk, and then have a share that sees the files as unencrypted, and another share that sees the same exact files as encrypted. So it is just the network traffic that you are encrypting, not the actual files (i.e. if you are logged into the system and look at the files, none of them will be encrypted).

Am I following you now?
Yes, that's exactly what I'm shooting for. In this way, when a program (like the backup service's backup client on the Windows desktop) accesses the data on the encrypted share, it ends up with files that to it are encrypted and mean nothing. So when these files end up on the backup service's server, they're encrypted. And doing it this way will mean that I won't have to keep two copies (encrypted and unencrypted) of each file.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: TrueCrypt Tutorial: Truly Portable Data Encryption LXer Syndicated Linux News 0 07-04-2007 05:01 PM
Linux password encryption and data encryption Tux-Slack Programming 4 06-20-2007 07:46 AM
LXer: TrueCrypt HOWTO — Truly Portable Data Encryption LXer Syndicated Linux News 0 05-26-2007 02:46 AM
Anonymous proxy with data encryption? LinuxSeeker Linux - Security 2 08-20-2005 10:21 PM
Mandrake 9.0 Wireless Works without encryption.. does not with encryption topcat Linux - Wireless Networking 3 05-04-2003 09:47 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:05 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration