gpg vs openssl

I want to encrypt backups of users’ directories. I’m a part-time sysop (we are very poor here). I was able to get a convenient encryption with the stream cypher openssl:

 # tar -cf - /dir | openssl enc -e -aes256 -out dirbackup.tgz.openssl
tar: Removing leading `/' from member names
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

I would prefer a block cypher for security, but the gpg tool interacts directly with the OS 12.3x64 key storage system. These can get borked and require a lot of care to maintain - I would rather just remember a very complex passphrase, which is automatically continuous across system crashes/reinstalls - but I cannot get gpg to work outside the shared-key system (i.e., just using a passphrase):

 # tar -cz c /dir | gpg -c -o -aes256 dirbackup.tgz.gpg
tar: Removing leading `/' from member names
gpg: can't open `dirbackup.tgz.gpg': No such file or directory
gpg: symmetric encryption of `dirbackup.tgz.gpg' failed: No such file or directory
 # tar -cz c /dir | gpg -c -o dirbackup.tgz.gpg
tar: Removing leading `/' from member names
gpg: problem with the agent: No pinentry
gpg: error creating passphrase: Operation cancelled
gpg: symmetric encryption of `[stdin]' failed: Operation cancelled

I’ve been googling around for an answer and came across a lot of bug reports on gpg.

Patti
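A working form of the gpg pipeline asked for above, added here as an example and not taken from the thread. In the second attempt, `-o` consumed `-aes256` as the output file name and gpg then treated `dirbackup.tgz.gpg` as the input file, which is what the "can't open" error reports; the cipher is selected with `--cipher-algo`. The "No pinentry" error is gpg-agent failing to find a pinentry program to prompt with. Handing the passphrase to gpg over a file descriptor in loopback mode sidesteps pinentry and the keyring entirely, so the passphrase is the only thing that has to survive a reinstall. Assumed: GnuPG 2.1 or newer (for `--pinentry-mode loopback`), `tar` and `gpg` on PATH, and the directory, passphrase and file names below are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): symmetric gpg encryption of a tar
# stream, passphrase supplied on fd 3 so neither pinentry nor the keyring
# is involved. Assumes GnuPG 2.1+ for --pinentry-mode loopback.
set -eu

# Encrypt a directory: tar stream -> gpg -c (AES-256) -> output file.
# $1 = directory, $2 = output file, $3 = passphrase file (mode 0600)
encrypt_dir() {
    tar -czf - -C "$(dirname "$1")" "$(basename "$1")" \
      | gpg --batch --quiet --symmetric --cipher-algo AES256 \
            --pinentry-mode loopback --passphrase-fd 3 \
            --output "$2" 3< "$3"
}

# Decrypt an archive made by encrypt_dir and unpack it.
# $1 = encrypted file, $2 = destination directory, $3 = passphrase file
decrypt_to_dir() {
    gpg --batch --quiet --decrypt \
        --pinentry-mode loopback --passphrase-fd 3 "$1" 3< "$3" \
      | tar -xzf - -C "$2"
}

# Constructed demo: throwaway tree, encrypt, decrypt, compare.
# Prints "roundtrip ok" and returns 0 when the restored file matches.
roundtrip_demo() {
    work=$(mktemp -d)
    # Private GNUPGHOME so the demo touches no real keyring or agent state
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    mkdir -p "$work/src/home/alice"
    printf 'constructed sample data\n' > "$work/src/home/alice/notes.txt"
    # Constructed passphrase; in real use keep this file 0600 on tmpfs
    printf 'constructed-demo-passphrase\n' > "$work/pass"
    chmod 600 "$work/pass"
    encrypt_dir "$work/src/home" "$work/home.tgz.gpg" "$work/pass"
    mkdir "$work/restore"
    decrypt_to_dir "$work/home.tgz.gpg" "$work/restore" "$work/pass"
    cmp "$work/src/home/alice/notes.txt" "$work/restore/home/alice/notes.txt"
    echo "roundtrip ok"
}

roundtrip_demo
```

In symmetric mode gpg derives the key from the passphrase with its S2K function, so the passphrase's entropy is the whole security margin; the passphrase file should be 0600 and ideally live on tmpfs, or be read from a prompt instead. gpg also wraps the data with an MDC integrity check, so a modified archive is reported at decrypt time, which a bare `openssl enc` stream does not do.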

I considered doing something like that (perhaps with gpg). But then I discovered “dar” which has encryption support built-in.

I pretty much concluded that the best way to proceed was to either:

  • use a backup/archive program with builtin crypto support;
  • do backups to an encrypted disk (or encrypted partition).

Either of those looks more straightforward than concocting something with an in-stream encryption.

I currently use “dar” for linux backups, and Acronis for Windows backups. Both support encrypted archives.

If I were to use “clonezilla”, then I think I would need to go with the alternate of an encrypted disk to store the image.

On Fri, 23 May 2014 21:26:01 +0000, nrickert wrote:

> I considered doing something like that (perhaps with gpg). But then I
> discovered “dar” which has encryption support built-in.

I would second the use of dar. I’ve used it myself, and it’s simple and easy to use, especially with one of the graphical frontends like kdar.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Very cool! Thank you very much for the replies. Do you know of any reviews ranking security? I’m wondering why everything seems to be going to public-key type encryption. That’s really pretty much wasted except for emails, sending files (like making sure a repo file hasn’t been hacked), and stuff like that… Most backups are wayyy too big to be sending anywhere except, maybe, another drive in the datacenter… Most of what I see talked about in crypto these days is online (websites, emails, small files…) but backups aren’t normally like that.

Patti

Cool class:
https://www.coursera.org/course/crypto

You need to understand how public key crypto is used in practice. The actual encryption is done using symmetric encryption with a random key. The random key is then encrypted with public key crypto. So, in practice, there is very little actual encryption with a public key, even when using gpg or X.509 methods. The public key crypto is mostly used for digital signatures and for key management, not for the actual encryption of content.

Public key encryption is used because it simplifies key management.
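The structure the last post describes, carried out by hand with openssl so each step is visible; this is an added example, not something from the thread or from gpg's own code. The bulk data is encrypted with a freshly generated random AES-256 key, and only that small key is encrypted under the RSA public key, so RSA ever touches a few dozen bytes no matter how large the backup is. Assumed: `openssl` 1.1 or newer on PATH; the function names, file layout (`prefix.enc`, `prefix.key`, `prefix.iv`) and the sample payload are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): hybrid encryption by hand with
# openssl. 1) a random symmetric data key encrypts the bulk data with
# AES-256-CBC; 2) only that key is encrypted with the RSA public key.
# The data key is kept as a 64-char hex string so the same bytes go to
# RSA-OAEP and to `openssl enc -K`.
set -eu

# Make an RSA keypair: $1 = private key path, $2 = public key path
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$2"
}

# Encrypt plaintext $1 for the holder of public key $2, writing
# $3.enc (AES data), $3.key (RSA-wrapped data key), $3.iv (public IV).
hybrid_encrypt() {
    keyhex=$(openssl rand -hex 32)          # fresh 256-bit data key
    ivhex=$(openssl rand -hex 16)           # IV is not secret, only unique
    printf '%s' "$ivhex" > "$3.iv"
    openssl enc -aes-256-cbc -K "$keyhex" -iv "$ivhex" -in "$1" -out "$3.enc"
    # Wrap only the 64-byte key with RSA-OAEP; the bulk data never sees RSA
    printf '%s' "$keyhex" \
      | openssl pkeyutl -encrypt -pubin -inkey "$2" \
            -pkeyopt rsa_padding_mode:oaep -out "$3.key"
}

# Reverse: unwrap the data key with private key $2, decrypt $1.* into $3
hybrid_decrypt() {
    keyhex=$(openssl pkeyutl -decrypt -inkey "$2" \
                 -pkeyopt rsa_padding_mode:oaep -in "$1.key")
    ivhex=$(cat "$1.iv")
    openssl enc -d -aes-256-cbc -K "$keyhex" -iv "$ivhex" \
        -in "$1.enc" -out "$3"
}

# Constructed demo; prints "hybrid roundtrip ok" and returns 0 on success.
hybrid_demo() {
    work=$(mktemp -d)
    make_keypair "$work/priv.pem" "$work/pub.pem"
    printf 'constructed backup payload\n' > "$work/plain.txt"
    hybrid_encrypt "$work/plain.txt" "$work/pub.pem" "$work/backup"
    hybrid_decrypt "$work/backup" "$work/priv.pem" "$work/restored.txt"
    cmp "$work/plain.txt" "$work/restored.txt"
    # The wrapped key is one RSA block: 256 bytes for a 2048-bit key,
    # regardless of how big the payload was
    [ "$(wc -c < "$work/backup.key" | tr -d ' ')" -eq 256 ]
    echo "hybrid roundtrip ok"
}

hybrid_demo
```

The `.key` file is the only thing the private key ever touches; everything else is ordinary symmetric encryption, which is why the public key operation costs the same for a gigabyte backup as for a one-line file. This hand-rolled form has no integrity protection (CBC with no MAC or signature), which is one reason to let gpg or a backup tool with built-in crypto do the assembly rather than concocting it in-stream, as nrickert suggests.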