Secure Encrypted Tape Backups with Solaris 10

List the available encryption algorithms (encrypt -l) and MAC algorithms (mac -l).
# encrypt -l
Algorithm Keysize: Min Max (bits)
------------------------------------------
aes 128 128
arcfour 8 128
des 64 64
3des 192 192


# mac -l
Algorithm Keysize: Min Max (bits)
------------------------------------------
des_mac 64 64
sha1_hmac 8 512
md5_hmac 8 512

1. Create a 128-bit key (the maximum the table above allows for arcfour) for the best security and use the same key for encryption and decryption. As a rule the key file length in bytes is Max (bits) / 8. Use /dev/urandom so that key generation is fast and efficient. Keep the key in a safe place, readable only by its owner.

# bc
128/8
16

# dd if=/dev/urandom of=$HOME/arcfour16.key bs=16 count=1
1+0 records in
1+0 records out
#

# ls -l arcfour16.key
-rw-r--r-- 1 root root 16 Mar 13 12:50 arcfour16.key
# chmod 400 arcfour16.key

# digest -v -a md5 arcfour16.key
md5 (arcfour16.key) = 90c47c5b0d4d23458c06cecaa97de922
#

Encrypt a file using arcfour. (arcfour is RC4, a cipher now considered weak; aes, also listed above, is the better choice for new backups, and the commands are the same apart from the -a argument.)

# encrypt -a arcfour -i tng.tar -k arcfour16.key -o tng.tar.crypted.arcfour

# decrypt -a arcfour -i tng.tar.crypted.arcfour -k arcfour16.key -o tng.tar
# ls -lrt | grep .tar
-rw-r--r-- 1 root root 7192 Mar 13 13:10 tng.tar.crypted.arcfour
-rw-r--r-- 1 root root 7168 Mar 13 13:19 tng.tar

# file tng.tar
tng.tar: USTAR tar archive

# tar tvf tng.tar
tar: blocksize = 14
drwxr-xr-x 207/206 0 Mar 13 12:01 2008 tng/
-r-xr-xr-x 207/206 2253 Mar 13 11:56 2008 tng/dictamen_tng.ksh
-rw-r--r-- 0/0 865 Mar 13 12:01 2008 tng/monitor_tng.ksh
-r-x------ 0/0 90 Mar 13 11:55 2008 tng/tng_log.ksh
#

2. The generated key can be used right away to encrypt backups to tape:

# ufsdump 0f - /var | encrypt -a arcfour \
-k /etc/mykeys/backup.k | dd of=/dev/rmt/0

3. To decrypt and restore the data from the tape, the same key must be used:

# decrypt -a arcfour -k /etc/mykeys/backup.k \
-i /dev/rmt/0 | ufsrestore xvf -
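The following shell script is an added example and is not code from the original page. It wraps the key handling of step 1 and the tape pipelines of steps 2 and 3: the key length is derived from Max (bits) / 8, the key is created from /dev/urandom with owner-only permissions from the start (the page's dd creates it world-readable before chmod), a checksum is recorded so that a swapped or damaged key is noticed before a restore is attempted, and the tape functions refuse to run when the key fails those checks. POSIX cksum stands in for the Solaris digest command so that the checks run on any system; the file and device names are assumptions, and tape_backup/tape_restore call ufsdump, encrypt, decrypt and ufsrestore exactly as on the page, so they only work on Solaris.

```shell
#!/bin/sh
# Added example (not from the original page). Key handling around the Solaris
# encrypt/decrypt tape backup workflow. File and device names are assumptions;
# POSIX cksum stands in for Solaris digest so the checks run anywhere.

# key_bytes BITS: bits -> bytes, the "Max (bits) / 8" rule from the page.
key_bytes() {
    echo $(( $1 / 8 ))
}

# make_key PATH BITS: create a BITS-bit key at PATH readable only by its owner.
# umask 077 keeps the file private from the moment dd creates it.
make_key() {
    (umask 077 && dd if=/dev/urandom of="$1" bs="$(key_bytes "$2")" count=1 2>/dev/null) || return 1
    chmod 400 "$1"
}

# fingerprint_key PATH: checksum of the key, to be stored with the tape label
# (digest -a md5 on Solaris; cksum here for portability).
fingerprint_key() {
    cksum < "$1" | cut -d' ' -f1
}

# check_key PATH BITS [FINGERPRINT]: return 0 only if the key has the expected
# length, is not readable by group or others, and (when given) matches FINGERPRINT.
check_key() {
    expected=$(key_bytes "$2")
    actual=$(wc -c < "$1" | tr -d ' ')
    if [ "$actual" -ne "$expected" ]; then
        echo "key $1 is $actual bytes, expected $expected" >&2
        return 1
    fi
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?r--------) ;;   # -r--------: owner read only, as set by chmod 400
        *) echo "key $1 has permissive mode $mode" >&2; return 1 ;;
    esac
    if [ $# -ge 3 ] && [ "$(fingerprint_key "$1")" != "$3" ]; then
        echo "key $1 does not match the recorded fingerprint" >&2
        return 1
    fi
    return 0
}

# tape_backup FS KEY DEVICE: the page's step 2 pipeline, guarded by check_key.
# Solaris only (ufsdump/encrypt); 128 is arcfour's maximum key size in bits.
tape_backup() {
    check_key "$2" 128 || return 1
    ufsdump 0f - "$1" | encrypt -a arcfour -k "$2" | dd of="$3"
}

# tape_restore KEY DEVICE: the page's step 3 pipeline with the same guard.
tape_restore() {
    check_key "$1" 128 || return 1
    decrypt -a arcfour -k "$1" -i "$2" | ufsrestore xvf -
}
```

A typical run on Solaris would be `make_key /etc/mykeys/backup.k 128`, then `fingerprint_key /etc/mykeys/backup.k` written on the tape label, and `tape_backup /var /etc/mykeys/backup.k /dev/rmt/0` for the dump. Note that encrypt alone gives confidentiality, not integrity: the fingerprint protects the key file, not the tape, and the mac command listed above is what covers the data itself.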



Random TIPS

KEEP THE USERS OFF WITH NOLOGIN
There is a way to disable new login attempts on a system: simply create a file called /etc/nologin.
The file can be empty, or it can contain a message describing the status of the system. If a user attempts to log in remotely, the contents of /etc/nologin are displayed and the user is then disconnected. Root is exempt and can still log in while the file exists.
However, ftp connections are not affected by this if ftpd is running.
