Commit 2d7e1c58 authored by Guillaume REMBERT's avatar Guillaume REMBERT

Improve archive security with encryption - passphrase as dedicated file

parent e413f1fb
......@@ -118,7 +118,7 @@ EURYBOX_BACKUP_ARCHIVE=(
[HASH]="sha512"
[ENCRYPT]="true"
[ENC_ALGO]="aes-256-ctr"
[PASSWORD]="MyStrongEncryptionPassword"
[PASSFILE]="/secure_folder/passphrasefile"
[FEC]="zfec"
[FEC_FILE_NUM]="10"
#FOR PAR2 ONLY
......@@ -133,7 +133,7 @@ EURYBOX_BACKUP_ARCHIVE=(
#-SSH: ssh client/server configuration done at system level (.ssh local files) + local mount point provided by sshfs. Password authentication capability has been enforced as disabled by command options
#-NFS: nfs client/server configuration + local mount point provided by kernel.
#-ISCSI: TODO - iSCSI target/initiator configuration + local mount point provided by TBD
#-FTP: ftp client/server authentication (user/password - TODO? certs/.netrc/other) + mount provided by curlftpfs.
#-FTP: ftp client/server authentication (user/password [UNSECURE] - TODO? certs/.netrc/other) + mount provided by curlftpfs.
#-PART: local unmounted partition or raw device (as USB device, additional disks, ...) + local mount point provided by kernel. TODO: LUKS encrypted partition provided by kernel and cryptsetup tool
#-LOCAL: local directory
EURYBOX_BACKUP_DESTINATION=(
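Review bot: The new `[PASSFILE]` entry carries no guidance on how the file has to be prepared, although every consumer reads it through `openssl -pass file:`, which takes only the first line of the file as the passphrase and runs under `sudo`. A comment above the entry would spare the next operator a debugging session, e.g. `#PASSFILE: first line of the file is the passphrase; read as root, so keep it owned by root with mode 0400`. The value shown looks like a sample path rather than a real location, which the comment could also say.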
......
......@@ -19,7 +19,7 @@ eurybox_check_arch ()
esac
if [[ ${ARCH_ENC} = "true" ]]
then
ARCH_OUT=`sudo sh -c "openssl enc -${EURYBOX_BACKUP_ARCHIVE[ENC_ALGO]} -d -in ${ARCH_FILE} -k ${EURYBOX_BACKUP_ARCHIVE[PASSWORD]} | tar ${TAR_OPTIONS}" 2>&1`
ARCH_OUT=`sudo sh -c "openssl enc -${EURYBOX_BACKUP_ARCHIVE[ENC_ALGO]} -d -in ${ARCH_FILE} -pass file:${EURYBOX_BACKUP_ARCHIVE[PASSFILE]} | tar ${TAR_OPTIONS}" 2>&1`
STATUS=$?
else
ARCH_OUT=`sudo sh -c "tar ${TAR_OPTIONS} -f ${ARCH_FILE}" 2>&1`
......@@ -71,7 +71,7 @@ eurybox_check_command()
#Conf file needs to be sourced before
eurybox_check_configuration ()
{
local -i SCRIPT_TYPE=$1
local SCRIPT_TYPE=$1
#Checking script execution parameters
if [[ -z $EURYBOX_CORPORATE || -z $EURYBOX_LOG_LEVEL ]]
......@@ -124,22 +124,30 @@ eurybox_check_configuration ()
if [[ $SCRIPT_TYPE = "BACKUP" || $SCRIPT_TYPE = "RESTORE" ]]
then
#Checking backup target parameters
if [[ -z $EURYBOX_BACKUP_TYPE || ${#EURYBOX_BACKUP_DESTINATION[@]} -eq 0 || ${#EURYBOX_BACKUP_ARCHIVE[@]} -eq 0 || ${#EURYBOX_BACKUP_TARGETS[@]} -eq 0 ]]
if [[ -z $EURYBOX_BACKUP_TYPE || ${#EURYBOX_BACKUP_DESTINATION[@]} -eq 0 || ${#EURYBOX_BACKUP_ARCHIVE[@]} -eq 0 ]]
then
eurybox_display_message error CHECK "Backup parameters not set: Cold/$EURYBOX_BACKUP_COLD Hot/$EURYBOX_BACKUP_HOT Destination/${EURYBOX_BACKUP_DESTINATION[*]} Archive/${EURYBOX_BACKUP_ARCHIVE[*]} Target/${EURYBOX_BACKUP_TARGETS[*]}"
eurybox_display_message error CHECK "Backup parameters not set:\nType:$EURYBOX_BACKUP_TYPE\nDestination:${EURYBOX_BACKUP_DESTINATION[*]}\nArchive:${EURYBOX_BACKUP_ARCHIVE[*]}\nTargets:${EURYBOX_BACKUP_TARGETS[*]}"
else
eurybox_display_message message CHECK "Backup parameters:"
eurybox_display_message message CHECK "Cold backup enabled: $EURYBOX_BACKUP_COLD"
eurybox_display_message message CHECK "Hot backup enabled: $EURYBOX_BACKUP_HOT"
eurybox_display_message message CHECK "Backup type: $EURYBOX_BACKUP_TYPE"
eurybox_display_message message CHECK "Backup destination: ${EURYBOX_BACKUP_DESTINATION[*]}"
if [[ $EURYBOX_LOG_LEVEL = "debug" ]]
then
#NB: will display the encryption passphrase in the logs if debug mode selected
eurybox_display_message debug CHECK "Archive parameters: ${EURYBOX_BACKUP_ARCHIVE[*]}"
fi
eurybox_display_message message CHECK "Archive parameters: ${EURYBOX_BACKUP_ARCHIVE[*]}"
eurybox_display_message message CHECK "Archive targets: ${EURYBOX_BACKUP_TARGETS[*]}"
fi
fi
if [[ $SCRIPT_TYPE = "UPDATE" ]]
then
#Checking update parameters
if [[ -z $EURYBOX_UPDATE_LOCAL_REPOSITORIES_ACTIVATED || -z $EURYBOX_UPDATE_LOCAL_REPOSITORIES_PATH ]]
then
eurybox_display_message error CHECK "Update parameters not set:\nLocal repositories activated:$EURYBOX_UPDATE_LOCAL_REPOSITORIES_ACTIVATED\nLocal storage path:$EURYBOX_UPDATE_LOCAL_REPOSITORIES_PATH\nTarget repositories:${EURYBOX_UPDATE_LOCAL_REPOSITORIES[*]}"
else
eurybox_display_message message CHECK "Update parameters:"
eurybox_display_message message CHECK "Local repositories enabled: $EURYBOX_UPDATE_LOCAL_REPOSITORIES_ACTIVATED"
eurybox_display_message message CHECK "Local repositories storage path: $EURYBOX_UPDATE_LOCAL_REPOSITORIES_PATH"
eurybox_display_message message CHECK "Target repositories: ${EURYBOX_UPDATE_LOCAL_REPOSITORIES[*]}"
fi
fi
##Make sure pipe individual output exit status are available
##set -o pipefail
#Initialize tools options
......@@ -459,7 +467,7 @@ eurybox_check_environment ()
case ${EURYBOX_BACKUP_ARCHIVE[ENCRYPT]} in
true )
eurybox_check_command openssl
ENC_OUT=`echo "TEST"| openssl enc -salt -e -${EURYBOX_BACKUP_ARCHIVE[ENC_ALGO]} -k ${EURYBOX_BACKUP_ARCHIVE[PASSWORD]} -out /dev/null 2>&1`
ENC_OUT=`sudo sh -c "echo TEST | openssl enc -salt -e -${EURYBOX_BACKUP_ARCHIVE[ENC_ALGO]} -pass file:${EURYBOX_BACKUP_ARCHIVE[PASSFILE]} -out /dev/null" 2>&1`
STATUS=$?
if [[ !($STATUS -eq 0) ]]
then
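Review bot: The environment check at L87 only proves that root can read the passphrase file, not that other users cannot, so a world-readable passphrase file passes validation silently; before the openssl probe, check the mode, e.g. `PASS_MODE=$(sudo stat -c '%a' -- "${EURYBOX_BACKUP_ARCHIVE[PASSFILE]}")` followed by `[[ $PASS_MODE = 400 || $PASS_MODE = 600 ]] || eurybox_display_message error CHECK "Passphrase file ${EURYBOX_BACKUP_ARCHIVE[PASSFILE]} must be mode 0400/0600"`. The path is also spliced unquoted into the `sh -c` strings at L30 and L87 (and likewise at L97, L106 and L116), so a path containing whitespace or shell metacharacters alters the inner command; pass it through `printf %q` or quote it inside the string. The comment at L59 appears stale after this commit, since `EURYBOX_BACKUP_ARCHIVE` now seems to hold the passphrase file path rather than the passphrase itself, so `#NB: debug output includes the passphrase file path (not the passphrase) if debug mode selected` would be accurate. eurybox_check_environment's opening lies outside the hunk.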
......
......@@ -20,7 +20,7 @@ eurybox_create_archive_desc ()
then
DESCRIPTION+="ENCRYPTION_ALGORITHM:${EURYBOX_BACKUP_ARCHIVE[ENC_ALGO]}\nARCHIVE_CONTENT:\n"
#FIXME: function to read archive with variable archive format required here
DESCRIPTION+=`sudo sh -c "openssl enc -${EURYBOX_BACKUP_ARCHIVE[ENC_ALGO]} -d -in ${EURYBOX_BACKUP_DESTINATION[MOUNT]}/${EURYBOX_BACKUP_ARCHIVE[NAME]}.${EURYBOX_BACKUP_ARCHIVE[FORMAT]} -k ${EURYBOX_BACKUP_ARCHIVE[PASSWORD]} | tar ${TAR_OPTIONS}" 2>&1`
DESCRIPTION+=`sudo sh -c "openssl enc -${EURYBOX_BACKUP_ARCHIVE[ENC_ALGO]} -d -in ${EURYBOX_BACKUP_DESTINATION[MOUNT]}/${EURYBOX_BACKUP_ARCHIVE[NAME]}.${EURYBOX_BACKUP_ARCHIVE[FORMAT]} -pass file:${EURYBOX_BACKUP_ARCHIVE[PASSFILE]} | tar ${TAR_OPTIONS}" 2>&1`
STATUS=$?
else
DESCRIPTION+="ARCHIVE_CONTENT:\n"
......@@ -75,7 +75,7 @@ eurybox_create_archive_tar ()
then
TAR_OUT=$((
(
sudo sh -c "tar ${TAR_OPTIONS} ${EURYBOX_BACKUP_TARGETS[*]} | openssl enc -salt -e -${EURYBOX_BACKUP_ARCHIVE[ENC_ALGO]} -k ${EURYBOX_BACKUP_ARCHIVE[PASSWORD]} -out ${EURYBOX_BACKUP_DESTINATION[MOUNT]}/${EURYBOX_BACKUP_ARCHIVE[NAME]}.${EURYBOX_BACKUP_ARCHIVE[FORMAT]}"
sudo sh -c "tar ${TAR_OPTIONS} ${EURYBOX_BACKUP_TARGETS[*]} | openssl enc -salt -e -${EURYBOX_BACKUP_ARCHIVE[ENC_ALGO]} -pass file:${EURYBOX_BACKUP_ARCHIVE[PASSFILE]} -out ${EURYBOX_BACKUP_DESTINATION[MOUNT]}/${EURYBOX_BACKUP_ARCHIVE[NAME]}.${EURYBOX_BACKUP_ARCHIVE[FORMAT]}"
# STATUS=$(( ${PIPESTATUS[0]} + ${PIPESTATUS[1]} ))
)) 2>&1)
STATUS=$?
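Review bot: `STATUS=$?` at L109 reflects only the last stage of the `sh -c` pipeline at L106, i.e. openssl, so a tar failure on an unreadable target leaves a truncated but validly encrypted archive behind with a success status; the commented-out `PIPESTATUS` at L107 cannot fix this because it would be evaluated by the outer shell, not inside `sh -c`. Running the inner command as `sudo bash -o pipefail -c "…"` makes the pipeline status reflect the first failing stage. The decrypt pipelines at L30, L97 and L116 have the same shape, though there tar is the last stage and will presumably fail on unusable input, so the masking matters most here. eurybox_create_archive_tar begins outside the hunk.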
......
......@@ -87,7 +87,7 @@ eurybox_restore_file ()
STATUS=1234
if [[ $ARCH_ENC = "true" ]]
then
RESTORE_OUT=`sudo sh -c "openssl enc -${EURYBOX_BACKUP_ARCHIVE[ENC_ALGO]} -d -in $ARCH_FILE -k ${EURYBOX_BACKUP_ARCHIVE[PASSWORD]} | tar ${TAR_OPTIONS} $SELECT_FILE" 2>&1`
RESTORE_OUT=`sudo sh -c "openssl enc -${EURYBOX_BACKUP_ARCHIVE[ENC_ALGO]} -d -in $ARCH_FILE -pass file:${EURYBOX_BACKUP_ARCHIVE[PASSFILE]} | tar ${TAR_OPTIONS} $SELECT_FILE" 2>&1`
STATUS=$?
else
RESTORE_OUT=`sudo sh -c "tar ${TAR_OPTIONS} -f $ARCH_FILE $SELECT_FILE" 2>&1`
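Review bot: A passphrase file that does not match the archive will not make the openssl stage at L116 fail, because aes-256-ctr is an unauthenticated mode and decryption with the wrong key simply produces garbage; the error the caller sees comes from tar and reads like archive corruption rather than a key mismatch. A short comment on the line, `#NB: a wrong passphrase is not detected by openssl (CTR has no integrity check); only tar reports the failure`, records this for whoever debugs a failed restore, and the same holds for the decrypt pipelines at L30 and L97. eurybox_restore_file begins outside the hunk.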
......