Modifying tar.gz / tar file to prevent extraction?
Hello,
I'm making backups of sensitive data to my VPS, and I can't fully trust the owner of the VPS node.
So I have an idea I'd like your comments on.
I can zip the file with a password, but I just discovered zip may not pack files larger than 2 GB; I got an error like
"zip warning: name not matched: /backup/incremental/accounts/yzbuutpo/homedir/public_html/wp-content/themes/twentytwelve/bomba1/dovecot"
So my idea is to rename my backups to something uninteresting, without the tar.gz extension.
And as another level of protection: can I somehow easily edit the archive contents so a non-professional won't recognize the file type, and also so the archive is corrupted for extraction? If anyone can point me to a guide, please do; I'm a Linux amateur. Thank you.
PS: I assume I could also use openssl to encrypt the archive, but I think it would eat a lot of resources to encrypt a 15 GB file.
There is a simple command named file which will identify the file type. Renaming the archive will have no effect; it will not protect you at all. Corrupting the archive may work, but you will need to know how to restore it (and that may cause problems). I would suggest another approach: protect your data with a password by creating an encrypted archive: http://how-to.linuxcareer.com/using-...ages-and-files
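As a concrete sketch of that approach (paths, the demo data and the inline passphrase are illustrative only; in practice you would let openssl prompt for the passphrase), a tar stream can be piped straight into symmetric encryption so the plaintext archive never touches the disk:

```shell
# Demo data standing in for the real backup directory.
mkdir -p demo && echo "hello" > demo/file.txt

# Pack and encrypt in one pipeline; only the encrypted file is written.
# -pbkdf2 needs OpenSSL 1.1.1+; drop that flag on older versions.
tar -czf - demo \
  | openssl enc -aes-256-cbc -salt -pbkdf2 -pass pass:secret -out demo.tar.gz.enc

# Restore: decrypt and unpack in one pipeline.
mkdir -p restore
openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:secret -in demo.tar.gz.enc \
  | tar -xzf - -C restore
```

AES in openssl is fast (often hardware accelerated via AES-NI), so even for a 15 GB archive the compression step, not the encryption, is usually the bottleneck.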
The ZIP file format handles files larger than 2 GB just fine (and has done since 2001), as long as you are using a zip application that supports ZIP64. Anything that implements version 4.5 or higher of the zip specification should be fine. Unfortunately, many applications that claim zip support only implement version 2.0 of the specification.
If you do go with zip, make sure your zip application can do AES encryption (part of the zip file specification since version 5.1). The traditional zip password-based symmetric encryption is flawed and easily broken.
If you do not care about retaining all Linux file metadata (e.g. ownership) you could use 7zip, which can also do AES encryption in addition to compression.
Alternatively you could use 7zip to create a zip archive rather than a 7z archive. Using the zip file format rather than the 7z format means you have more extraction options in the future.
7zip's zip support does not include InfoZIP's latest UID/GID extensions, but it will store some file metadata (i.e. permissions) whilst taking advantage of ZIP64 features, LZMA compression and AES encryption. If all the files are owned by a single user, this might be good enough for you.
Here is an example command line to create such an archive:
Code:
7za a -p -tzip -mm=LZMA -mem=AES256 zip_file_name.zip files
- Files are not owned by one user. It's a backup of 50+ hosting client accounts; each client directory contains files and folders owned like clientname:clientname.
- openssl: good, but if I encrypt a 15 GB file, won't it take a long time? I'm not about to gzip half a million files daily and then also encrypt the result with some slow method.
I NEED SUPER FAST creation of one file out of around half a million files, with, at the same time, some kind of protection so no simple thief can extract any data out of it. Please kindly advise a command. Thank you.
Any way you look at it, compressing and encrypting that much data will take a while. You can use a super fast compressor like lzop (or drop compression altogether) to gain some speedup.
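A sketch of that speed trade-off, using gzip's fastest setting since gzip is universally available (lzop is faster still where installed; it swaps in 1:1 for the gzip commands below; the demo data and inline passphrase are illustrative):

```shell
# Demo data standing in for the real backup tree.
mkdir -p data && echo "sample" > data/file.txt

# Fastest gzip level (-1): lowest compression ratio, highest speed.
tar -cf - data | gzip -1 \
  | openssl enc -aes-256-cbc -salt -pbkdf2 -pass pass:secret -out fast.tar.gz.enc

# Restore.
mkdir -p restore
openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:secret -in fast.tar.gz.enc \
  | gzip -d | tar -xf - -C restore
```

Dropping compression altogether just means removing the gzip stage from both pipelines.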
I take it you are set on a single archive container? If so, I would go with internal compression and encryption, i.e. on a per-file basis rather than spanning the entire archive. That way you need only decompress or decrypt the files as you require them. It is also safer, as any corruption to the archive is more likely to be recoverable.
I would look at afio or dar. Afio is a tool with 24 years of heritage; Dar is a more modern tool. I prefer Afio personally, as its syntax is similar to cpio and it allows for arbitrary selection of compressor and encryptor. Dar has fairly complex command line options and is limited to the compression and encryption methods that are built in.
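A minimal afio sketch, assuming afio is installed (it usually is not by default, hence the guard); -Z compresses each archive member individually, which is the internal compression being recommended here:

```shell
# Skip gracefully on systems without afio.
command -v afio >/dev/null 2>&1 || { echo "afio not installed"; exit 0; }

mkdir -p data && echo "per-file" > data/a.txt

# -o: write an archive; -Z: gzip each file individually (internal compression).
find data -print | afio -o -Z backup.afio

# -t: list the table of contents to verify the archive.
afio -t -Z backup.afio
```

Because each member is compressed on its own, damage to one part of the archive does not take the remaining files with it.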
P.S. To expand on the safety aspect: compressing files on a one-by-one basis as they are added to an archive (internal compression), as is the case with zip, 7z, afio or dar, is safer for critical backups than external compression (wrapping gzip, bzip2, lzop, etc. around an entire tar archive).
Consider that if a gzipped archive has a single bit corrupted near its start, the tar file stored within is effectively lost. This is because common compression algorithms depend on coherency over long sections of a file to achieve their results. If the file cannot be decompressed, none of the archive's contents can be extracted. Indeed, should you ever need to attempt recovery of an important gzipped file, read this to see exactly what is involved.
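That fragility is easy to demonstrate with standard tools: flip a few bytes just past the gzip header of a .tar.gz and the whole stream becomes unreadable (a sketch; the offset is illustrative):

```shell
# Build a small tar.gz.
mkdir -p demo && echo "important data" > demo/file.txt
tar -czf demo.tar.gz demo

# Overwrite four bytes at offset 20, just past the 10-byte gzip header.
printf '\377\377\377\377' | dd of=demo.tar.gz bs=1 seek=20 conv=notrunc 2>/dev/null

# The integrity check now fails; everything after the damage is lost.
gzip -t demo.tar.gz || echo "archive is no longer readable"
```

With internal compression, the same few corrupted bytes would cost you at most one file out of the archive.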
Last edited by ruario; 05-05-2014 at 11:55 PM.
Reason: Added post script; s/command like/command line/
What about compressing with tar.gz or txz in an ecryptfs directory? You simply mount one folder onto another with ecryptfs, and anything written to that folder will be encrypted.
example:
Code:
mount -t ecryptfs ~/.private ~/user-data
While mounted, anything under user-data will appear normal, while anything under .private will be encrypted. You can then copy the data from .private to your VPS. If you need to decrypt the data, just mount the same (or another) directory with the same passphrase and options used during the original mount.
Sounds like a plan. I still think a compressed tar is risky for important backups (as explained in my previous post), but the OP could forgo compression or use a format that supports internal compression (afio, dar, xar, etc.). Alternatively they could drop the container archive altogether and just recursively copy the files over, compressing them as needed.
You ought to make incremental backups; there is no need to store the same 15 GB again and again.
+1 to that.
Dar has built-in support for differential backups. For afio you would need to construct a find command that only finds newer files, and you would still have the issue of how best to deal with file deletions.
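A sketch of that find-based approach (GNU tar's --listed-incremental option is a ready-made alternative): keep a timestamp file and archive only files newer than it. The file names here are illustrative.

```shell
# Full backup, then record when it happened.
mkdir -p data && echo "v1" > data/a.txt
tar -czf full.tar.gz data
touch stamp

sleep 1                       # ensure the next change gets a newer mtime
echo "v2" > data/b.txt        # a file added/changed since the full backup

# Incremental: archive only files newer than the stamp, then update it.
find data -type f -newer stamp -print0 \
  | tar --null -czf incr.tar.gz --files-from=-
touch stamp
```

Note this records new and changed files but not deletions, which is exactly the limitation mentioned above; dar tracks deletions for you.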
I need local incremental backups, and also a backup on an external server that cannot be read by an unauthorized person. How do I achieve this in one or two commands?