In this short post, I would like to share a technique that will protect your confidential data even if your backup store were to be compromised. We shall leverage the powerful open source Encrypted Filesystem (EncFS). I’ll go through all the steps required to install the software, use it, and finally integrate it with your backup strategy. This is a one-time configuration that doesn’t require much maintenance to keep it going and is well worth it in my opinion.
Off-server or off-network backup procedures are essential to any disaster recovery strategy. Current trends, however, show that little effort is directed at securing the backup node(s) and/or strategy. By storing plain text copies of your confidential databases, accounts, emails, and passwords on remote systems, you’re exposing yourself to a host of issues. In light of the incident that affected WHT, if a capable intruder were to compromise your backup store (VPS, FTP, NFS, or server), it wouldn’t take long before the intruder gained access to your production system. The consequences are material, and the loss of productivity and revenue can break a business.
Installing EncFS
While I’m only covering installation of EncFS on Debian and Redhat derivatives, it’s relatively easy to install it on other Linux distributions. Special instructions are required to install the tools on OpenVZ. See http://wiki.openvz.org/FUSE
ON DEBIAN DISTRIBUTIONS
Let’s install EncFS and libraries. As root inside the shell prompt, execute the following two commands:
| # apt-get install encfs libfuse2 |
| # modprobe fuse |
ON REDHAT DISTRIBUTIONS
First you have to add a yum application repository. Create the file /etc/yum.repos.d/rpmforge.repo and, with a text editor, copy / paste the following into it (this is for CentOS 5 / Red Hat 5; check out DAG for other versions):
| # Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag |
| # URL: http://rpmforge.net/ |
| [rpmforge] |
| name = Red Hat Enterprise $releasever - RPMforge.net - dag |
| #baseurl = http://apt.sw.be/redhat/el5/en/$basearch/dag |
| mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge |
| #mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge |
| enabled = 1 |
| protect = 0 |
| gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag |
| gpgcheck = 1 |
Save and exit. Then run the following commands as root:
| # yum install fuse-encfs dkms-fuse |
| # modprobe fuse |
Using EncFS
EncFS is a set of tools that allow the creation of a filesystem that is by default encrypted. The encrypted filesystem can be mounted similarly to a hard drive. With EncFS, however, the encrypted filesystem is protected by a password. And this is where it’s useful. When you transfer your backup files from your production server to an off-server backup store, you’re transferring and storing clear text files and information. So, how do we use these tools to secure our backup store?
In brief, here are the steps we’re setting out to accomplish:
A) Initialize a folder on the production server as an EncFS volume and mount it
B) Point our backup scripts to the encrypted volume to store the generated backups
C) Seal the encrypted volume
D) Finally, transfer the encrypted files over to the backup store
A) First of all, we need to initialize the backup filesystem. Here are the steps:
| # mkdir /encrypted /decrypted |
| # encfs /encrypted/ /decrypted/ |
| Creating new encrypted volume. |
| Please choose from one of the following options: |
| enter "x" for expert configuration mode, |
| enter "p" for pre-configured paranoia mode, |
| anything else, or an empty line will select standard mode. |
| ?> <HIT ENTER> |
| Standard configuration selected. |
| Configuration finished. The filesystem to be created has |
| Now you will need to enter a password for your filesystem. |
| New Encfs Password: <PASSWORD> |
At this point in the steps, we have created an encrypted and a decrypted folder. Plain text backups should always be copied into the /decrypted folder. Once they are copied, we unmount the decrypted folder and leave everything else as is. Make sure you remember the Encfs password as it’s the only way to decrypt your backup files.
As a quick demo, let’s copy a random file into /decrypted to see all of this in action.
Let’s pick a random file:
| # du -sh /tmp/unixy.zip |
| 2.9M /tmp/unixy.zip |
Mount the encrypted filesystem:
| # encfs /encrypted/ /decrypted/ |
| # cp /tmp/unixy.zip /decrypted/ |
| # ls -al /decrypted/ |
| # ls -al /encrypted/ |
B) If you have custom backup scripts, all you have to do in this step is the following
1) Before we modify the backup scripts, we need to store the encryption password in a file under the folder /root. Create the file /root/enc.txt, run the chmod command below, and then type the password on its first line.
| # touch /root/enc.txt |
| # chmod 700 /root/enc.txt |
| # The file shouldn’t be readable to anyone other than user root |
Add this command at the top of the backup script:
| # cat /root/enc.txt | encfs -S /encrypted /decrypted |
What this does is “feed” the encryption password to the command “encfs” so it runs unattended. Otherwise, encfs is interactive and might hang waiting for you to enter the password. Remember, we want to set this up and let it run itself.
Add this command at the end of the backup script:
| # fusermount -u /decrypted |
For cPanel users, you can include the above two steps in script files called /scripts/precpbackup and /scripts/postcpbackup as such:
Inside file /scripts/precpbackup
| #!/bin/bash |
| export PATH=$PATH:/usr/bin:/usr/sbin:/sbin |
| cat /root/enc.txt | encfs -S /encrypted /decrypted |
Inside file /scripts/postcpbackup
| #!/bin/bash |
| export PATH=$PATH:/usr/bin:/usr/sbin:/sbin |
| fusermount -u /decrypted |
Finally, make sure the two scripts are executable:
| # chmod +x /scripts/*cpbackup |
From WHM, in backup configuration, put /decrypted as the backup folder. And we’re done!
C) Let’s unmount the unencrypted filesystem since we’re done copying our files.
| # fusermount -u /decrypted/ |
| # ls -al /decrypted/ |
| total 8 |
| drwxr-xr-x 2 root root 4096 2009-03-26 12:39 . |
| drwxr-xr-x 23 root root 4096 2009-03-26 12:39 .. |
| # ls -al /encrypted/ |
| total 2952 |
| drwxr-xr-x 2 root root 4096 2009-03-26 13:49 . |
| drwxr-xr-x 23 root root 4096 2009-03-26 12:39 .. |
| -rw-r----- 1 root root 224 2009-03-26 12:40 .encfs5 |
| -rw------- 1 root root 3006184 2009-03-26 13:49 HMDEZvfTz7HQnO5tyOsgAiIl |
| # ls -al encrypted/HMDEZvfTz7HQnO5tyOsgAiIl |
Sweet!
D) Transfer the encrypted backup files to the destination backup store
Now your backup files are secure. You can simply SCP or rsync the encrypted files from the encrypted FS /encrypted. Make sure to copy the .encfs5 file located inside the /encrypted directory. Without this file, the encrypted files are NOT recoverable!
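Steps B through D have one quiet failure mode: if the encfs mount fails (wrong password, fuse module not loaded), the backup script writes plain text into the bare /decrypted directory and nothing new reaches /encrypted. The wrapper below is an added example, not part of the original scripts. The function names and the MOUNTS override are hypothetical, the "fuse" filesystem type match is an assumption, and .encfs6.xml is the config file name used by newer EncFS releases.

```bash
#!/bin/bash
# Added example. ENC, DEC and PASSFILE follow the post; MOUNTS and all
# function names are hypothetical. MOUNTS exists so the check can be tested.
ENC=${ENC:-/encrypted}
DEC=${DEC:-/decrypted}
PASSFILE=${PASSFILE:-/root/enc.txt}
MOUNTS=${MOUNTS:-/proc/mounts}

# True if $1 is a FUSE mount point. Assumption: EncFS mounts are listed with
# a filesystem type beginning with "fuse" (for example fuse.encfs).
is_fuse_mounted() {
    awk -v d="${1%/}" '$2 == d && $3 ~ /^fuse/ { ok = 1 } END { exit !ok }' "$MOUNTS"
}

# True if the password file grants nothing to group or other (e.g. 600, 700).
passfile_is_private() {
    case "$(stat -c %a "$1" 2>/dev/null)" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# True if the volume is sealed and complete: plaintext view unmounted and
# empty, and the EncFS config file present next to the ciphertext.
# Newer EncFS releases name the config .encfs6.xml instead of .encfs5.
ready_to_ship() {
    is_fuse_mounted "$DEC" && return 1
    [ -z "$(ls -A "$DEC" 2>/dev/null)" ] || return 1
    [ -f "$ENC/.encfs5" ] || [ -f "$ENC/.encfs6.xml" ]
}

# Mount, run the backup command passed as arguments, seal, then verify.
sealed_backup() {
    passfile_is_private "$PASSFILE" || { echo "$PASSFILE: loose permissions" >&2; return 1; }
    encfs -S "$ENC" "$DEC" < "$PASSFILE" || return 1
    # If the mount failed silently, the backup would write plaintext to $DEC.
    is_fuse_mounted "$DEC" || { echo "$DEC is not mounted" >&2; return 1; }
    "$@"; backup_rc=$?
    fusermount -u "$DEC" || return 1
    ready_to_ship || { echo "volume not sealed or config missing" >&2; return 1; }
    return "$backup_rc"
}
```

Call sealed_backup with your own backup command as its arguments, and run the SCP or rsync of /encrypted only when it returns 0.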