Encrypting a tar or gz (gzip) File with OpenSSL

When you have sensitive data to transmit and want encrypting and decrypting it to be easy, standard tools will get the job done!

When sending sensitive material across the globe, be it via email, Dropbox or any other file-sharing utility, you probably want to encrypt your data before sending it.

Here is one way to do just that: tar the files and encrypt the archive with OpenSSL!

 

Encrypting Your File
tar and gzip the file, then encrypt it using des3 and a secret key. Change #YOUR PASSWORD# to your super strong secret password that no one else knows.

It is that simple!

When the file is received on the other end, decrypting it is essentially calling the commands in reverse order.
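An added example, not the author's original commands: the tar, gzip and des3 steps described above as two shell functions that read the passphrase from a file, so it stays out of the command line. The function names, file names and the passphrase file are assumptions.

```shell
#!/bin/sh
# Added example; function names, file names and the passphrase file are assumptions.
CIPHER="${CIPHER:-des3}"    # cipher named in the article; override via environment

# encrypt_dir SRC_DIR OUT_FILE PASS_FILE
# The passphrase is read from PASS_FILE (-pass file:), so it never appears in
# argv (visible to ps) or in shell history. Omit -pass to be prompted instead.
# With OpenSSL 1.1.1 or later, adding -pbkdf2 on both sides strengthens key derivation.
encrypt_dir() (
    src=$1 out=$2 passfile=$3
    [ -d "$src" ] || { echo "no such directory: $src" >&2; exit 1; }
    umask 077                                   # ciphertext readable by owner only
    tar -czf - -C "$(dirname "$src")" "$(basename "$src")" |
        openssl enc "-$CIPHER" -salt -pass "file:$passfile" -out "$out"
)

# decrypt_to IN_FILE DEST_DIR PASS_FILE  (the same steps in reverse order)
# Extracting into a separate DEST_DIR keeps the archive and its contents apart.
decrypt_to() (
    in=$1 dest=$2 passfile=$3
    mkdir -p "$dest" || exit 1
    openssl enc -d "-$CIPHER" -pass "file:$passfile" -in "$in" |
        tar -xzf - -C "$dest"
)

# Round trip over constructed sample data; returns 0 only if the restored
# file matches the original and a wrong passphrase is rejected.
demo_roundtrip() (
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    umask 077
    mkdir "$work/data"
    printf 'constructed sample record\n' > "$work/data/db1.sql"
    printf 'constructed-passphrase\n' > "$work/pass"
    printf 'wrong-passphrase\n' > "$work/badpass"
    encrypt_dir "$work/data" "$work/data.tar.gz.enc" "$work/pass" || exit 1
    decrypt_to "$work/data.tar.gz.enc" "$work/restore" "$work/pass" || exit 1
    cmp -s "$work/data/db1.sql" "$work/restore/data/db1.sql" || exit 1
    if decrypt_to "$work/data.tar.gz.enc" "$work/bad" "$work/badpass" 2>/dev/null; then
        exit 1
    fi
    exit 0
)
```

Keep the passphrase file at mode 600 and transmit it separately from the encrypted archive.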

 

9 comments for “Encrypting a tar or gz (gzip) File with OpenSSL”

  1. abdussamad
    December 29, 2013 at 21:59

    If we do it in the manner you’ve shown we’ll be exposing our password to anyone who runs a ps -ef on the server! Here’s how to do it securely:

    http://abdussamad.com/archives/755-Encrypt-a-File-on-Linux-Using-OpenSSL.html

    • December 30, 2013 at 12:01

      Correct me if I’m wrong but wouldn’t it require root privileges to see other users’ processes?
      So if one regular user encrypts the file, the other regular user wouldn’t see that process?
      I will check once I get access to a computer again.

      • abdussamad
        January 31, 2014 at 11:36

        Not sure about that but there are other problems with including the password in the command. For one it gets cached in plain text in your bash_history file. And it also allows for should surfing. So better to make openssl prompt you for the password.

        • abdussamad
          January 31, 2014 at 11:37

          shoulder surfing*

        • February 1, 2014 at 00:53

          You could always disable bash_history and smack everyone over their head if they try looking over your shoulder. 🙂

  2. July 18, 2015 at 17:38

    Hello Mikho

    Thank you for the guide. I just wonder how you can decrypt the encrypted files because it cannot decrypt for me.

    I’ve made this cron on my server, it performs mysql dump and rsyncs into my RPI at home. Summerhosts is the example password.

    Here’s the cron in edited version:

    cd /home/backupuser/backups
    mysqldump db1 > db1.sql
    mysqldump db2 > db2.sql
    tar cvzf - db1.sql | openssl des3 -salt -k Summerhosts | dd of=db1.sql
    tar cvzf - db2.sql | openssl des3 -salt -k Summerhosts | dd of=db1.sql
    mv db1.sql /home/backupuser/backups/mv
    mv db2.sql /home/backupuser/backups/mv
    cd /home/backupuser/backups/mv
    /usr/bin/rsync -avzHx --delete --stats --progress --exclude-from '/home/backupuser/rsync-exclude.txt' -e "ssh -2 -p 22" /home/backupuser/backups/mv backupuser@myhomeip:/home/backupuser/backups
    rm -f /home/home/backupuser/backups/mv/db1.sql
    rm -f /home/home/backupuser/backups/mv/db2.sql

    The cron works nicely, it sends the encrypted db to home. On the RPI2, it cannot untar it using your code:

    pi@raspberrypi /home/backupuser/backups/mv $ dd if=db1.sql |openssl des3 -d -k Summerhosts |tar xvzf -
    0+1 records in
    0+1 records out
    136 bytes (136 B) copied, 0.000172291 s, 789 kB/s
    db1.sql
    tar: db1.sql: Cannot open: File exists
    tar: Exiting with failure status due to previous errors

    pi@raspberrypi /home/backupuser/backups/mv $ dd if=db2.sql |openssl des3 -d -k Summerhosts |tar xvzf -
    0+1 records in
    0+1 records out
    144 bytes (144 B) copied, 0.000157031 s, 917 kB/s
    wordpress53brah.sql
    tar: wordpress53brah.sql: Cannot open: File exists
    tar: Exiting with failure status due to previous errors

    Any tips for a linux beginner?

    • July 18, 2015 at 23:38

      It could be a difference in the tar version, if you are using the GNU version on your server and another version on your Raspberry PI.
      What does the output show when you do a “tar --version”? Do it on the server and the raspberry and compare.

      If it’s not the GNU version on the raspberry you need to use another command to decompress the file. Read more here: https://kb.iu.edu/d/acfi

  3. July 19, 2015 at 12:07

    The RPI runs on Debian Wheezy http://downloads.raspberrypi.org/raspbian_latest .

    pi@raspberrypi ~ $ tar --version
    tar (GNU tar) 1.26
    Copyright (C) 2011 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later .
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Written by John Gilmore and Jay Fenlason.

    The server’s running serverpilot.io agent and is on ubuntu 14.04.

    BmJJJw35sKJQb3534bQWs@server:~$ tar –version
    tar: invalid option -- '▒'
    Try 'tar --help' or 'tar --usage' for more information.
    sudouser@server:~$ tar --version
    tar (GNU tar) 1.27.1
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later .
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Written by John Gilmore and Jay Fenlason.

    For now, I’ve cut out the encryption part of the cron since it’s just a small WordPress site and a piwik install with tiny data only.

    • July 19, 2015 at 19:01

      Then there shouldn’t be any problem unless there is a difference in some other parts between your server and PI.
      The error message: “tar: db1.sql: Cannot open: File exists” is a bit troublesome, it could be that the temporary file is trying to be saved to the same name as the original file. Try to specify a temporary filename on your PI.
