Tuesday 2 June 2009

Encrypt your AIX backups with OpenSSL

Have you ever met an auditor who asks about the security of your backups? For most system and database administrators it is an annoying question, but it cannot be denied that the security of database and system level backups is a major responsibility of the administrator who takes them.
Security for day-to-day system and database level backups can be achieved in many ways. The first is, of course, the physical security of the backups. For most corporations, tape cartridges are still the main backup media. These cartridges are usually kept in locked, fireproof vaults, and many organizations allow even their own staff to access them only after certain approvals (usually at IT manager level), with fully defined procedures and policies for this purpose. Most organizations also move these cartridges to their DR site and secure this movement with the help of secure transportation service providers.
But what if these tape cartridges or other backup media are stolen by hackers during this movement? There is no doubt that these cartridges contain very useful data, which could lead to financial losses if it fell into the hands of a criminal. This is where encryption comes in: it can be added to your backups and so protect your organization's data against unethical hacking. Many commercial backup encryption products are now available for use at the database level; however, such software is still lacking for operating system level backups.

In this article, I will cover ways of encrypting (both symmetric and asymmetric) operating system level backups on AIX with the help of the open source software OpenSSL. I will take you through the steps with which you can encrypt your mksysb and other volume group and file system level backups.

Types of Encryption

There are two types of encryption methods: symmetric and asymmetric.
1) Symmetric Password Based Encryption
This is the simplest form of encryption. It is a symmetric encryption method. The same password is used to encrypt and decrypt the data (or the file). This method is useful for encrypting sensitive information for yourself, for family, or for a few trusted friends or coworkers.
2) Symmetric Secret Key Based Encryption
This is the simplest form of key based encryption. It is a symmetric encryption method. The same secret key file is used to encrypt and decrypt the data (or the file). This is not a very commonly used technique.
3) Asymmetric Public/Private Key Based Encryption
A public key file is used to encrypt the data. The corresponding private key file is used to decrypt the data. Only you should have access to your private key. You can distribute your public key to anyone who needs to send you data. This is the technique most commonly used in corporations.

Whichever type of encryption we use, we have to keep in mind that asymmetric encryption is ideal for small amounts of data, while symmetric encryption can easily be used for large amounts of data. Hence the size of the data to be encrypted plays a vital role in deciding which type of encryption to use when building the whole solution.

Different Encryption Tools for encrypting backups


There are lots of commercial encryption tools available which can be used to encrypt data backups. Most of them are integrated with database level backups. For example, many of them encrypt Oracle database backups. However, for encryption of operating system level backups, there are not many commercial products available.
Most corporations that want to encrypt their servers' operating system level backups (especially on UNIX based systems) have to rely on the open source tools available and then develop a solution using these tools. OpenSSL and PGP are the two commonly used free tools for this purpose.
When an organization thinks of developing a solution for encrypting its day-to-day backups, it must consider two important points.

1. The solution should not have a performance impact on daily backup operations. This means that encrypting the backups should not take a long time and should not consume too many CPU cycles on the server which is executing the encryption algorithm.
2. The decryption mechanism should be well tested and documented. This means that when the need arises to restore data, there should not be any surprises.

Although PGP can well be used to develop a solution for encrypting backups on AIX with the above mentioned requirements, in this article I will concentrate on demonstrating how to develop a solution using OpenSSL only.

OpenSSL usage for data & backups encryption

OpenSSL is a library that provides cryptographic functionality to various applications. On major Linux and other BSD Unix variants, OpenSSL is provided under GPL licenses. It also includes a command line utility which can be used for different cryptographic purposes.
When using OpenSSL on AIX, you can either take it from the AIX Toolbox for Linux (website or CD) or download it from the Bull website.
I opted to get it from the Bull website and installed its rpm without any problem.
Now the first thing is to get a feeling for how OpenSSL works.

With OpenSSL, encrypting a text file is very simple. You have to be the root user and then execute:

/home/root> openssl enc -bf-ofb -salt -in sample.txt -out enc.txt

The command will prompt for a password before encrypting the data in the sample.txt file. This is a typical example of symmetric encryption.

To decrypt, use the following command:

/home/root> openssl enc -d -bf-ofb -salt -in enc.txt -out abc1.txt

This command will ask for the password which was used for encryption before it decrypts.

Now if you want to encrypt the same data file with asymmetric encryption, the technique is slightly different. First, you have to generate a private key with the following command:

/home/root> openssl genrsa -des3 -out prvkey.pem 4096

Then you have to derive the public key from this private key with the following command:

/home/root> openssl rsa -in prvkey.pem -pubout -out pubkey.pem

Now, to encrypt the data in the abc.txt file using this generated pair of keys, you have to execute:

/home/root> openssl rsautl -encrypt -inkey pubkey.pem -pubin -in abc.txt -out encr.txt

And to decrypt:

/home/root> openssl rsautl -decrypt -inkey prvkey.pem -in encr.txt -out abc1.txt

This asymmetric encryption with two keys works well for small inputs. However, as soon as the size of the data to be encrypted increases, this technique generally does not work well. Imagine you have a 30 GB file system and your management wants an encrypted backup of it. Under these circumstances, you cannot use this asymmetric technique. You can, however, combine symmetric encryption with asymmetric encryption to design a very good solution for encrypting your backups.

For this solution, we will start by creating a small text file called backup_key containing some string (which may include numbers and characters). This string will be our password string. We will encrypt this key file with the asymmetric, two-key encryption technique:

/home/root> openssl genrsa -des3 -out prvkey.pem 4096
/home/root> openssl rsa -in prvkey.pem -pubout -out pubkey.pem
/home/root> openssl rsautl -encrypt -inkey pubkey.pem -pubin -in backup_key -out backup_keyencr.txt

Now you have a secret key which has been encrypted with a strong asymmetric encryption technique.

The next step is to use this key to encrypt the backed up data (symmetric encryption):

/home/root> tar -cvf - /home/oradata1 | /usr/local/bin/openssl enc -des-cbc -salt -pass file:/home/root/backup_key > /dev/rmt0

And to decrypt this backup data, you have to execute:

/home/root> /usr/local/bin/openssl enc -d -des-cbc -salt -pass file:/home/root/backup_key < /dev/rmt0 | tar -xvf -

This solution can work very easily in any corporate environment. You can send the tape cartridge containing the encrypted tar backup to your disaster recovery site along with a floppy containing the encrypted key (backup_keyencr.txt) needed to decrypt it. However, the person at your DR site must already have the RSA private key matching the public key used to encrypt the backup_key file. You therefore have to send this private key, one time, to the person at the DR site so that they can first decrypt backup_key and then use the decrypted backup_key to decrypt the tar backup. Consequently, your backups will be entirely safe while they move from your main site to the DR site. Even if your backups fall into the hands of criminals during this movement, they cannot decrypt the key file without the private key and hence cannot decrypt the backup data.


Encrypting your AIX level backups


AIX operating system level backups such as volume group, file system and even mksysb backups can be encrypted. However, because these backup utilities send data directly to the tape drive or CD device without buffering, encrypting the data they back up has to be done differently (compared to tar command backups).

To encrypt volume group level backups, I used a tricky solution. First of all, I created a special pipe device file which operates on a FIFO basis.

/home/root> mknod /tmp/vgbk p

/home/root> cat /tmp/vgbk | /usr/local/bin/openssl enc -des-cbc -salt -pass file:/home/bck_key | /bin/dd of=/dev/rmt0 obs=100b &

/home/root> vgbackup datavg /tmp/vgbk


Similarly, you can apply the same trick to mksysb backups: create a FIFO special device pipe file and then start a background process which reads this file and encrypts the incoming data with the help of the asymmetric key. This incoming data is, of course, fed by the mksysb command to the pipe device in the foreground.
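
The hybrid scheme and the FIFO trick described above, run end to end with a restore check, as an added example that is not from the original article. It is written for a generic POSIX shell with tar standing in for the AIX backup command, and it swaps in aes-256-cbc with -pbkdf2 (assumes OpenSSL 1.1.1 or later) and pkeyutl (the successor to rsautl) for the article's des-cbc and rsautl; all file names and sample data are constructed.

```shell
#!/bin/sh
# Added example: hybrid backup encryption through a FIFO, with a restore check.
# File names and sample data are constructed; tar stands in for the AIX backup tool.
# Usage: backup_roundtrip "$(mktemp -d)"    (RSA_BITS overrides the key size)

backup_roundtrip() (
    set -eu
    umask 077                      # key material readable by the owner only
    cd "$1"                        # scratch directory, assumed empty
    bits=${RSA_BITS:-4096}

    # Constructed sample data standing in for the file system to back up.
    mkdir data restore
    printf 'payroll record 1\n' > data/a.txt
    printf 'payroll record 2\n' > data/b.txt

    # RSA key pair. Left unencrypted for the demo; keep a passphrase
    # on the private key (the article's -des3) in real use.
    openssl genrsa -out prvkey.pem "$bits" 2>/dev/null
    openssl rsa -in prvkey.pem -pubout -out pubkey.pem 2>/dev/null

    # Random passphrase for the bulk cipher, wrapped with the public key.
    openssl rand -base64 32 > backup_key
    openssl pkeyutl -encrypt -pubin -inkey pubkey.pem \
        -in backup_key -out backup_keyencr.txt

    # FIFO trick: a background reader encrypts whatever is written to the pipe.
    mkfifo bkpipe
    openssl enc -aes-256-cbc -salt -pbkdf2 -pass file:backup_key \
        < bkpipe > backup.enc &
    reader=$!
    tar -cf bkpipe data            # writer that only knows a file name
    wait "$reader"
    rm -f bkpipe backup_key        # only the wrapped key travels with the media

    # Restore side: unwrap the passphrase, then decrypt and unpack.
    openssl pkeyutl -decrypt -inkey prvkey.pem \
        -in backup_keyencr.txt -out restored_key
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:restored_key \
        < backup.enc | tar -xf - -C restore
    rm -f restored_key

    # The check that matters: the restored tree matches the source.
    diff -r data restore/data > /dev/null
    echo "restore verified"
)
```

The function exits non-zero if any step fails, so it can serve as a scheduled restore test; the plaintext passphrase exists on disk only between wrapping and the end of the backup.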

Summary:
Although many techniques can be used to encrypt your AIX level backups, OpenSSL of course provides an easy and free way of encrypting your operating system level backups. No matter whether you use OpenSSL, PGP or any commercial software to encrypt your backups, always remember to test your restoration scheme and procedure before the time actually comes to do a restoration.


Note: This article was published in AIX Update January 2008 edition.
