Cloud backup with MCrypt and S3cmd
Making a Hash of It
To alter the hash algorithm, use the -h parameter as follows:
# mcrypt -h tiger grrrr.doc
The role of the hash algorithm is to create a simple digest, which is added to the encrypted file and used to provide a checksum to detect any file corruption reliably. I've used the hash algorithm and changed it to tiger, which is one of the options shown in Figure 2:
# mcrypt -h tiger grrrr.doc
If you look closely from within a text editor, you can spot the easy-to-read tiger on the far right, in among the gobbledygook:
^@m^C@rijndael-128^@ ^@cbc^@mcrypt-sha1^@ 4Y<D8>`tiger^@?<98>a^S<A8>
You can change the algorithm with the -a switch (all are vulnerable to one attack or another). The following command changes to the famous DES – the Data Encryption Standard – algorithm created by IBM in the 1970s, which helped improve encryption significantly over the years:
# mcrypt -a des mond.sh
The header of the file, as seen in a text viewer, shows what's changed (look for des):
^@m^C@des^@^H^@cbc^@mcrypt-sha1^@^U<92><92><AF>
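Because the cipher and mode names sit in plain text at the start of the file, as the two dumps above show, a backup script can read them back and refuse to upload a file encrypted with a cipher on a local deny list. The following is an added example, not code from the article or from MCrypt; it assumes the header layout visible in those dumps, and WEAK_CIPHERS, mcrypt_header, and mcrypt_check are hypothetical names.

```shell
#!/bin/sh
# Added example: read the cipher and mode names from an mcrypt file header.
# Assumed layout, taken from the header dumps above: 3 magic bytes
# (00 6d 03), 1 flag byte, NUL-terminated cipher name, 2 key-size bytes,
# NUL-terminated mode name.

WEAK_CIPHERS="des"   # assumption: local deny list; extend to match your policy

# Print "<cipher> <mode>"; return 2 if the file lacks the magic bytes.
mcrypt_header() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    [ "$magic" = "006d03" ] || return 2
    cipher=$(tail -c +5 "$1" | tr '\0' '\n' | head -n 1)
    # Skip 4 header bytes, the cipher name, its NUL, and 2 key-size bytes.
    skip=$((4 + ${#cipher} + 1 + 2))
    mode=$(tail -c +$((skip + 1)) "$1" | tr '\0' '\n' | head -n 1)
    printf '%s %s\n' "$cipher" "$mode"
}

# Return 0 if the cipher is acceptable, 1 if it is on the deny list,
# 2 if the file is not recognizable as mcrypt output.
mcrypt_check() {
    hdr=$(mcrypt_header "$1") || return 2
    cipher=${hdr%% *}
    for weak in $WEAK_CIPHERS; do
        if [ "$cipher" = "$weak" ]; then
            echo "REJECT $1: cipher $cipher" >&2
            return 1
        fi
    done
    echo "OK $1: $hdr"
}

# Constructed sample headers (not real ciphertext), mirroring the two dumps.
demo_dir=$(mktemp -d)
printf '\000m\003@rijndael-128\000 \000cbc\000mcrypt-sha1\000' > "$demo_dir/aes.sample"
printf '\000m\003@des\000\010\000cbc\000mcrypt-sha1\000' > "$demo_dir/des.sample"
mcrypt_check "$demo_dir/aes.sample"
mcrypt_check "$demo_dir/des.sample" || true
```

Run mcrypt_check on each file before the upload step and skip any file for which it returns non-zero.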
Once your files are encrypted, you're ready to upload them into the cloud. If MCrypt doesn't suit your needs then check out the "Bcrypt" box below for an alternative.
Bcrypt
The "b" in bcrypt [2] stands for Blowfish, which is a more network-friendly encryption algorithm developed by Bruce Schneier. I've mostly used bcrypt in SSH clients. Bcrypt can speed up encrypted sessions over poor connectivity because it's so amazingly lightweight. To use bcrypt, drop the package onto a Debian-based box by running this command:
# apt-get install bcrypt
Encrypted files will have the .bfe file extension. Unlike MCrypt, the efficient bcrypt will compress files automatically before performing the encryption. Additionally, it will remove any source files after it has had its way with them. Adding a -c tells bcrypt not to compress the files before wrapping them up, and -r asks it not to delete the original source files. The -o switch
# bcrypt -o linux_binnie.cfg
outputs the encrypted data directly to your console, and your original file will not be changed at all. The command
# bcrypt -s100 chris_password.asc
scrubs the original, sensitive file from the disk 100 times after encrypting it.
My favorite add-on to bcrypt is associated with more clandestine operations. You can indulge in a little secrecy by "scrubbing" any deleted files repeatedly to prevent your hard drive from leaving any trace of them. To overwrite your original source files five times with randomized data, specify the -s5 switch. The default option is three overwrites if this flag is not set. Alternatively, if disk I/O is too precious, you can disable overwrites with -s0.
To the Power of Three
The Python-based S3cmd utility [3] lets you use the behemoth that is Amazon S3 to store your files ultra-reliably. You might be surprised that S3cmd and other utilities let you use Amazon S3 almost as if it were a local filesystem mounted on your desktop.
Although you do need to expose your Amazon Web Services login credentials, there are ways of entering your passphrase only when it is essential. A simple script could help you automate the process somewhat. Alternatively, full automation might use a root-owned, encrypted password file to drop your security token into the main .s3cfg file so that you can run your backups periodically with a cron job.
You can even use a third-party tool to limit the bandwidth the S3cmd utility uses, which allows you to run a bulky, and therefore lengthy, file transfer as a background process. To use S3cmd, you need an AWS account, which isn't that big a challenge (just give away all your private details, including your credit card, and you are all set).
On Debian or Ubuntu, install the minuscule file as follows:
# apt-get install s3cmd
This command will drop the packages python-support and s3cmd onto the system.
In the past, I had a few issues with older versions in the Debian repositories. It's no problem if your desired feature isn't immediately available; simply download the source and follow the instructions in the INSTALL file.
I was pleased to see that the newer version of S3cmd supports the ability to help out with a --configure option at installation time. You should be wary of where you expose your account details if you are copying and pasting the two important login and password equivalents from AWS, because they are highly sensitive. Don't try typing them because typing errors are all too common; make sure you can cut and paste them.
Fire It Up
To configure S3cmd, use the --configure option:
# s3cmd --configure
The output of the command is shown in Listing 1.
Listing 1
S3cmd Configuration
As you can see from Listing 1, S3cmd even asks if you would like to encrypt the files with GPG [4], another excellent and sophisticated encryption tool. Additionally, you will see that I've selected the HTTPS transport method to avoid network sniffing. You can enable encryption with GPG by using the -e option. However, if you're absolutely adamant that that's not what you want (because you want to use a different encryption method, e.g., the excellent bcrypt), specify --no-encrypt.
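The .s3cfg file used by a cron-driven backup holds the AWS keys, and the HTTPS choice made during --configure is stored in the same file, so both can be checked before each run. The following pre-flight check is an added example, not part of the article or of S3cmd; s3cfg_audit is a hypothetical name, and the sample config uses constructed placeholder values.

```shell
#!/bin/sh
# Added example: pre-flight check of an S3cmd config before a cron backup.
# access_key, secret_key and use_https are S3cmd's own config keys.

# Print one line per finding; return the number of findings.
s3cfg_audit() {
    cfg=$1
    findings=0
    [ -f "$cfg" ] || { echo "missing: $cfg"; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$cfg" | cut -c5-10)" != "------" ]; then
        echo "permissions: $cfg is accessible beyond its owner"
        findings=$((findings + 1))
    fi
    # The backup cannot authenticate without both keys present.
    for key in access_key secret_key; do
        if ! grep -Eq "^$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$cfg"; then
            echo "credentials: $key is empty or absent"
            findings=$((findings + 1))
        fi
    done
    # Plain HTTP would expose the transfer to network sniffing.
    if ! grep -Eiq '^use_https[[:space:]]*=[[:space:]]*true' "$cfg"; then
        echo "transport: use_https is not enabled"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample config with placeholder values, not real credentials.
demo_cfg=$(mktemp)
printf 'access_key = EXAMPLE_ACCESS\nsecret_key = EXAMPLE_SECRET\nuse_https = False\n' > "$demo_cfg"
chmod 644 "$demo_cfg"
s3cfg_audit "$demo_cfg" || echo "findings: $?"
```

In a cron wrapper, call s3cfg_audit first and start the s3cmd upload only when it returns zero.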