Topic: Improving security of encrypted backup/restore, Code suggestions
WDef
Posted: Sep. 16 2005,08:47

The backup/restore process is one of dsl's most useful features. Robert's work on dsl is awe inspiring. That said, here are some ideas:

Currently in dsl-1.5 using "protect", the backup/restore script filetool.sh temporarily writes backup.tar.gz to the backup device in plaintext before encrypting and after decrypting. This means an attacker gaining control of the backup device might recover all or part of the unencrypted tarball using appropriate tools.

Also, if an incorrect password is entered twice at the prompts during boot time, decryption fails but the incorrect password nevertheless remains stored in /etc/sysconfig/des. On subsequently backing up, or just rebooting with the default powerdown.sh, the non-restored system gets backed up and encrypted with the incorrect password, replacing the needed backup.des.

I've hacked the scripts slightly to try fixes for these issues. Named pipes are used to communicate between des and tar, thus avoiding writing plaintext temp files to the backup medium, and /etc/sysconfig/des gets deleted if decryption fails.

You can test these, strictly AYOR. For convenience I packaged the altered scripts as an extension - note this must be put on your mydsl drive and autoloaded *during* boot (NOT after).  Download (r click, "save as") here
md5sum is c83ce8296f5812dc78b04cf701e5912c (check it).

These are unofficial experiments, don't use to backup/restore critical data. Behavior differs from that of the standard scripts. Make copies of your backup tarballs beforehand.
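The named-pipe plumbing and the password cleanup described in the post above, as an added sketch that is not the modified filetool.sh from the download. It assumes `openssl enc` as a stand-in for DSL's `des`; the function names are hypothetical, and the password file argument plays the role of /etc/sysconfig/des.

```shell
#!/bin/sh
# Added sketch: `openssl enc` stands in for DSL's des, and every path is a
# caller-supplied argument (PW_FILE plays the role of /etc/sysconfig/des).

# Create a FIFO in a private temp directory (not on the backup device) and
# print its path. Bytes written to a FIFO pass through a kernel buffer only.
make_fifo() {
    d=$(mktemp -d) || return 1
    mkfifo -m 600 "$d/pipe" || { rmdir "$d"; return 1; }
    printf '%s\n' "$d/pipe"
}

# protect_backup SRC_DIR OUT_FILE PW_FILE
# tar writes into the FIFO while the cipher reads from it, so the ciphertext
# is the only file that ever lands on the backup device.
protect_backup() {
    fifo=$(make_fifo) || return 1
    tar -czf "$fifo" -C "$1" . 2>/dev/null &
    tar_pid=$!
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$3" -in "$fifo" -out "$2"
    enc_rc=$?
    # If the cipher died before opening the FIFO, tar is still blocked on it.
    [ "$enc_rc" -eq 0 ] || kill "$tar_pid" 2>/dev/null
    wait "$tar_pid"; tar_rc=$?
    rm -rf "${fifo%/pipe}"
    [ "$enc_rc" -eq 0 ] && [ "$tar_rc" -eq 0 ]
}

# protect_restore IN_FILE DEST_DIR PW_FILE
# Decrypts through the FIFO; on failure the stored password is removed so a
# later backup cannot re-encrypt the unrestored system with it.
protect_restore() {
    [ -r "$1" ] && [ -d "$2" ] || return 1
    fifo=$(make_fifo) || return 1
    tar -xzf "$fifo" -C "$2" 2>/dev/null &
    tar_pid=$!
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$3" -in "$1" -out "$fifo" 2>/dev/null
    dec_rc=$?
    [ "$dec_rc" -eq 0 ] || kill "$tar_pid" 2>/dev/null
    wait "$tar_pid"; tar_rc=$?
    rm -rf "${fifo%/pipe}"
    if [ "$dec_rc" -ne 0 ] || [ "$tar_rc" -ne 0 ]; then
        rm -f "$3"
        return 1
    fi
}
```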
mikshaw
Posted: Sep. 16 2005,13:28

While I have little interest in the subject at hand, it's nice to see people with the knowledge and desire to hack up DSL.  Please feel free to share more ideas in the future =o)

--------------
http://www.tldp.org/LDP/intro-linux/html/index.html
roberts
Posted: Sep. 16 2005,16:42

Thanks for the kind words, WDef. Sometimes it seems like thanks or kind words are few and far between. Sometimes, because I don't post often, not in irc much, many may not even know of my efforts. I do code everything in script, be it bash, lua, or luafltk so that others like yourself can easily read them. I thank you for taking the interest and time to do such and even more so for sharing your thoughts and improvements. Look for your named pipes for enhanced security to be included in the next release.

Robert
RoGuE_StreaK
Posted: Sep. 17 2005,01:12

Don't worry, we all love you Robert :)

--------------
"I find your lack of penguin disturbing"
                                      - Darth Tux
adssse
Posted: Sep. 17 2005,04:32

WDef, I am really impressed; I had no idea how that all worked. Thanks for sharing.

Robert, I think we all have a lot of respect for you; we probably just don't express our thanks as much as we should.
6 replies since Sep. 16 2005,08:47