This is a set of changes to the Linux "rmt" utility
to support transparent encryption.
Data is encrypted before it is written to tape, and decrypted when read.
We use no padding or salt, so the data size doesn't change.
Tools that use rmt for remote tape access (such as dump, restore
and tar) can manipulate encrypted data without modification.

The symmetric cipher is currently hardwired as Blowfish.

- Ensure that openssl-0.9.7a or later is installed.
- Configure and build the package, enabling ermt support:
      ./configure --enable-ermt

  This will build an extra binary: rmt/ermt, the encrypting version.
  If ermt fails to link because EVP_CIPHER_CTX_set_padding
  is undefined, you must upgrade to openssl-0.9.7a or later.

- Create a user for remote tape access, which we will call "dump":

- ermt reads the secret key from ".ermt.key".
  Generate a random key in ~dump/.ermt.key:

      openssl rand -out .ermt.key 32

  Due to the way "openssl enc -kfile $file" reads the key file,
  you should ensure that the key contains no \0 or \r or \n characters,
  which would prematurely truncate the key length.
- Protect the key: copy to many floppies, "od -x .ermt.key|lpr", etc.
- Set up rsh access from root (or whoever you run dump as)

      # still running as user dump here
      echo localhost root > .rhosts

  Or use ssh if you prefer; details left as an exercise.
- Check that it works: run "rsh localhost -l dump date" as root.
- Copy the ermt binary you built above to ~dump,
  and change dump's shell to ~dump/ermt.
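
The key-file caveat in the steps above (no \0, \r or \n bytes) can be enforced
when the key is generated. The script below is an added example, not part of
the ermt package; the function names key_is_clean and gen_clean_key and the
retry limit are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the ermt package): generate a key that
# "openssl enc -kfile" reads in full, so the emergency decrypt path
# sees the same key bytes that were written to .ermt.key.

KEY_BYTES=32    # same length as "openssl rand -out .ermt.key 32"

# key_is_clean FILE
# Succeeds only if FILE is exactly KEY_BYTES long and contains none of
# the bytes NUL, CR or LF, which would cut the key short.
key_is_clean() {
    total=$(( $(wc -c < "$1") ))
    kept=$(( $(tr -d '\000\r\n' < "$1" | wc -c) ))
    [ "$total" -eq "$KEY_BYTES" ] && [ "$kept" -eq "$total" ]
}

# gen_clean_key FILE
# Draws random keys until one passes key_is_clean. Roughly 31% of
# 32-byte random strings contain one of the three bytes, so a few
# retries are normal. The body runs in a subshell so that the umask
# change does not leak into the caller.
gen_clean_key() (
    umask 077                       # key file readable by its owner only
    tries=0
    while [ "$tries" -lt 50 ]; do   # hypothetical retry limit
        openssl rand -out "$1" "$KEY_BYTES" || return 1
        key_is_clean "$1" && return 0
        tries=$((tries + 1))
    done
    return 1
)

# Typical use, run as user dump in ~dump:
#   gen_clean_key .ermt.key && echo "key written"
# To check an existing key before trusting a backup to it:
#   key_is_clean .ermt.key || echo "key contains NUL, CR or LF" >&2
```
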

Backup usage: just dump remotely to localhost:

    dump -0u -f dump@localhost:/dev/st0 /
    restore -i -f dump@localhost:/dev/st0
    # You can use GNU tar too

If your device is doing hardware compression, it's best to turn
it off, since encrypted data compresses very poorly.

Emergency decrypting: if you need to restore a tape and
don't have access to a host running ermt,

- If you have a copy of the ermt binary, run it with the -d switch
  to decrypt stdin to stdout:
      dd if=/dev/st0 bs=10k |
      (cd ~dump; ./ermt -d) | # assuming ermt is in ~dump

- If not, use the OpenSSL "openssl" command, which does the same thing:
      dd if=/dev/st0 bs=10k |
      openssl enc -d -kfile ~dump/.ermt.key -blowfish -nosalt -nopad |

  Versions of OpenSSL before 0.9.7a don't understand -nopad,

How much does encryption slow down backups?
In my tests, the network hop is the bottleneck:
dumping unencrypted (i.e. standard rmt) to localhost is 38%
slower than dumping directly to tape.
Adding encryption makes no difference, which isn't surprising.

2003-04-08: added configure --enable-ermt, separate ermt binary
2003-04-06: Initial release

-- Ken Lalonde <ken@globalremit.com>