Unless otherwise noted, articles © 2005-2008 Doug Spencer, SecurityBulletins.com. Linking to articles is welcomed. Articles on this site are general information and are NOT GUARANTEED to work for your specific needs. I offer paid professional consulting services and will be happy to develop custom solutions for your specific needs. View the consulting page for more information.

Encrypted Backups

From SecurityBulletins.com

Revision as of 10:56, 22 January 2008 by Doug (Talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Written by Doug Spencer - 11/25/2006

Encrypted backup process flowchart



Lately, we've been hearing a lot of stories in the news about identity theft. According to PrivacyRights.org, over 217,551,182 records containing sensitive personal information have been compromised as of January 22nd, 2008. Often times, it is due to a backup tape that got "lost" in transit. There is really no excuse for a backup tape getting lost to create a security threat: the answer is encryption. This article will show how to use Gnu Privacy Guard (GPG) to create encrypted backups on UNIX or Linux systems. This article will use standard tools for the backups. If you're using another backup system, the concepts are generally still applicable. For a custom solution for your situation, our consulting services are available to help.

Using GPG for your encryption allows you a great deal of flexibility in your implementation. You can have separate keys for the systems or parties involved in the backup and restore process. For instance, a mortgage company stated that their backup tape was lost in transit by a public shipping company on its way to a credit reporting company. In that instance, there could be a public/private key pair for the mortgage company and a public/private key pair for the credit reporting agency. The mortgage company would provide the credit reporting agency with their public key, and the credit reporting agency would provide the mortgage company with their public key. This would allow the data to be signed and encrypted for the other party, verified upon receipt, and safe during transit. If the tape were lost or stolen during transit, the thief would have no more information than if they had a tape filled with garbage bits without the private keys.

You can also encrypt a tape for multiple recipients by specifying multiple recipient keys. This can allow you to have a private recovery key stored away in a vault or other normally inaccessible location that could be used to recover your backups in the event of a disaster. You might encrypt to a public key for "Backup site 1" and "Disaster Recovery Site" for instance.

Encrypting to tape

The basic steps in this process are:

  • Exchange public keys freely.
  • Use the recipient's public key to encrypt the backup stream before writing to tape and sign the backup with the backup source's private key to verify authenticity.

An example command to do the backup is as follows:

tar c secretdocs/ | gpg -se -r "Credit Reporting Agency" > /dev/TAPE_DEVICE # Usually TAPE_DEVICE is rmt0, mt or similar.

With the command shown above, you are asking to sign the data with your private key by specifying the -s option. The need for your private key to sign the data will require you to enter your private key passphrase. If you want to automate the process, you can avoid entering your passphrase by not signing the data. This will use the encryption only to keep the data secret in transit, but not necessarily untampered. You are next specifying that you want to encrypt the data by specifying the 'e' option. Finally, you specify the recipient or recipients. In this case, the data is being encrypted for use by "Credit Reporting Agency."

Another method is to write a tarball to your filesystem, then use a command like the following to encrypt that file and write the *.gpg file to tape. That process would work with most any backup software, just be sure to ONLY write the encrypted *.gpg file to tape.

gpg -e files.tar # Will create files.tar.gpg and leave the files.tar original as well

Restoring an encrypted backup

When the recipient restores the tape you send them, they simply decrypt the files you encrypted and signed using your private key and their public key. The command will be similar to the following:

gpg -d /dev/rmt0 | tar x

Where /dev/rmt0 will be whatever your operating system uses for the tape or backup device. This command will prompt for their passphrase, decrypt the data to STDOUT, and untar the stream.


The public key encryption provided in Gnu Privacy Guard allows a very easy and flexible method for companies and individuals to secure their data. It seems downright negligent that the many companies do not seem to take basic precautions with sensitive data. My hope is that this article will spur the use of encryption to combat the threat posed by transporting personal data via unsecured means.

Personal tools