I currently backup my FreeBSD servers using tar. Tar works very well for backups but does not have encryption capabilities built into the client. I now have a need to make sure that all my tape backups are encrypted. In comes OpenSSL to handle the encrytion. I use a combination of tar and OpenSSL to do the backup by piping the output of the tar process into OpenSSL and then onto tape.
Backing up the data
The following example shows a command line backup using tar and OpenSSL.
# /usr/bin/tar -cpf - . | /usr/bin/openssl enc -aes-256-cbc -salt -k "TheBackupPassword" | dd obs=10k of=/dev/nsa0
The above command line works great but it does have the problem of containing the password for my backups on the command line. This is not good even if you have to type it in because the password is viewable by enyone on the server using the ps command. The best approach is to put the password in a file that is only readable only by ‘root’ and then tell OpenSSL to read the password from the file.
Here is an example of reading the password from a file. First create a file in /root/.backup/backup.key and put your backup password in that file. Then you can run the following command line:
# /usr/bin/tar -cpf - . | /usr/bin/openssl enc -aes-256-cbc -salt -pass file:/root/.backup/backup.key | dd obs=10k of=/dev/nsa0
Restoring the data
In order to restore data from an encrypted backup you will have to do the processes in reverse using dd, OpenSSL and then tar.
Here is an example of restoring all the files.
# dd ibs=10k if=/dev/nsa0 | /usr/bin/openssl enc -d -aes-256-cbc -salt | /usr/bin/tar -xpvf -
The above command line will prompt for the backup password on the command line. If you do not want that, you can create the password key file (if it’s not already there) and then just list the file on the command line.
# dd ibs=10k if=/dev/nsa0 | /usr/bin/openssl enc -d -aes-256-cbc -salt -pass file:/root/.backup/backup.key | /usr/bin/tar -xvpf -