General
cancel
Showing results for 
Search instead for 
Did you mean: 

encrypting tar files saved onto tape

Andrew Kaplan
Super Advisor

encrypting tar files saved onto tape

Hi there --

We typically do tar jobs of entire directories to one of several tape drives. These drives can be DAT, DLT, SDLT, or LTO-4. One example would be the following:

LOCATION: /diskarray/stripe7/usr/home
TAPE DEVICE FILE: /dev/rmt/5mn
COMMAND: tar -cvf * /dev/rmt/5mn

A new directive in our company has made mandatory encryption of all backups. Therefore, once the tar command shown above is completed, the files on tape would need to be encrypted.

We have openssl installed on our system, and the command syntax that would appear to apply here, using the above example would be as follows:

openssl des3 -salt -in /dev/rmt/5mn -out /dev/rmt/5mn.des3

After the above is completed, an encryption password would be entered by the administrator.

Is the above procedure the correct method? Also, is there any inherent danger to the tape or drive if the encryption is attempted on either? Thanks.


A Journey In The Quest Of Knowledge
9 REPLIES
Patrick Wallek
Honored Contributor

Re: encrypting tar files saved onto tape

>>once the tar command shown above is
>>completed, the files on tape would need to
>>be encrypted.

Not possible to encrypt the files AFTER they are on the tape UNLESS you want to then read in from that tape and write OUT to another tape in a different tape drive.

>>openssl des3 -salt -in /dev/rmt/5mn -out /dev/rmt/5mn.des3

Not possible unless you've figured how to read from and write to the same tape drive at the same time.

What you need to do is encrypt the files as they are written to tape.

You would somehow have to feed a list of files to openssl and have the output openssl redirected as the input to tar.

I have never attempted this so I'm not entirely sure how you would go about doing that.
Bill Hassell
Honored Contributor

Re: encrypting tar files saved onto tape

As Patrick said, there is no way to change the data on the tape -- you have to encrypt before the data hits the tape. I would not try to cobble something like this together unless the data is not important. tar is simply not an good business backup tool and has far too many limitations (max filesize, no table of contents, no retry or multi-tape handling, no accidental tape overwrite protection, etc). You need to look at a professional backup program that includes encryption. HP makes DataProtector which will address encryption as well as all the other tar issues.


Bill Hassell, sysadmin
Steven Schweda
Honored Contributor

Re: encrypting tar files saved onto tape

I know nothing, but I gather that openssl can
act as a filter if you omit the -in and -out
options, so you may be able to use something
like:

cd
tar cvf - . | openssl [...] -out /dev/rmt/5mn

Depending on different factors, it might pay
to throw a gzip into that pipeline, too.

You might also be better off using something
smarter than the basic HP "tar" program, too,
like, say, "pax" or GNU "tar". And using "*"
for the file list is unwise for at least a
couple of reasons. (How many files are in
there, and how many have names which begin
with "."?) Something in the "dump/restore"
family might also make more sense than "tar".

> You need to [...]

Almost always an inaccurate way to begin a
statement, but more elaborate backup software
exists (and is sold) for some good reasons.
The best solution in a particular situation
depends on the particular requirements and
constraints.
Andrew Kaplan
Super Advisor

Re: encrypting tar files saved onto tape

Hi there --

Thanks for the reply. We do have Data Protector 6.0 as our primary backup solution. The tar backup is used to provide a secondary backup if the primary is unavailable.

One of the responses to my posting suggested have openssl as the filter where the tar, in this case gnutar instead of HP-UX tar, would encrypt data being backed up "on the fly" to the tape. Would that be an alternative to use, and if so, what would be the correct syntax to use? Thanks.
A Journey In The Quest Of Knowledge
Steven Schweda
Honored Contributor

Re: encrypting tar files saved onto tape

> [...] what would be the correct syntax to
> use?

That might depend a little bit on exactly
what you wish to do. Is there something
wrong with the documentation for any of these
programs?
Andrew Kaplan
Super Advisor

Re: encrypting tar files saved onto tape

Hi there --

What I am trying to accomplish in this exercise is the following:

Conduct at tar backup where the data in question is encrypted when it is written to tape.

According to the responses that were given to my initial inquiry, encrypting the data after it has been written to tape is not possible. Therefore, the encryption would have to take place during the tar process.

My question is the following: If encrypting the data during the tar process is possible, what would be the correct syntax to use? The server in question has the openssl package available, and the tar binary that is being used in this process is gnutar.
A Journey In The Quest Of Knowledge
Steven Schweda
Honored Contributor

Re: encrypting tar files saved onto tape

> [...] what would be the correct syntax to
use? [...]

You've been given a skeleton command, which
may need only a few details to do what you
want. To a casual observer, you appear to be
too busy or lazy or helpless to read the
usage instructions for the programs which you
intend to use.

> [...] in our company [...]

You appear to be employed, but it's not clear
why. I get insufficient satisfaction from
doing other people's jobs for them (for free)
to make a general practice of it. But don't
give up. Some of the contributors here seem
to enjoy the challenge of doing the problems
in students' homework assignments, so you may
get what you seek from one of them.

The fact that your company is relying for its
backups on someone who expects to encrypt
data after they've been written to tape is
more than a little scary.
Andrew Kaplan
Super Advisor

Re: encrypting tar files saved onto tape

If my inquiries on this subject have annoyed anyone in this forum, please accept my apologies. It is not purpose to have a third party do the so-called homework that was assigned to me.

The questions that I ask are for clarification on a project that was undertaken on my own initiative to provide better service to my company.
A Journey In The Quest Of Knowledge