Tiny Core Linux
Tiny Core Base => TCB Q&A Forum => Topic started by: Xianwen Chen on April 26, 2012, 11:31:28 PM
-
Hi,
I couldn't get encrypted backup to work. Can someone help?
I first added protect to the boot code. Then I use bcrypt to encrypt the mydata.tgz before rebooting. I used the same password after rebooting, but files were not extracted. Any hint please?
-
hi friend,
your password is used with quotes,
that means, if you use the word secret as your password, the protected mode uses "secret",
the password in quotes for the encryption.
i mentioned this subject a couple of times in the forum...
it's so easy to misunderstand the process the backup is encrypted and confuses especially novice users.
http://forum.tinycorelinux.net/index.php/topic,12455.msg67387.html#msg67387
http://forum.tinycorelinux.net/index.php/topic,12351.msg66580.html#msg66580
have fun to encrypt and decrypt your files!
-
It is not the intended use to manually encrypt the backup. It is done automagically by use of the boot code.
-
hi friend,
your password is used with quotes,
that means, if you use the word secret as your password, the protected mode uses "secret",
the password in quotes for the encryption.
i mentioned this subject a couple of times in the forum...
it's so easy to misunderstand the process the backup is encrypted and confuses especially novice users.
http://forum.tinycorelinux.net/index.php/topic,12455.msg67387.html#msg67387
http://forum.tinycorelinux.net/index.php/topic,12351.msg66580.html#msg66580
have fun to encrypt and decrypt your files!
Thanks a lot netnomad.
However, it didn't work.
-
It is not the intended use to manually encrypt the backup. It is done automagically by use of the boot code.
Thanks Robert,
I specified protect in the boot code and a password was input. However, filetool.sh -b wouldn't create an encrypted backup. Is there something I am missing?
-
Upon initial use of "protect" it will not find any backup file via automatic scanning. One must use the "restore" boot option.
If starting new then upon normal shutdown or backup the backup file will be encrypted.
However, if you already have an existing backup, mydata.tgz, then, of course, "protect" will not load it.
Therefore you must manually load it via:
$ sudo tar -C / -zxvf /path/to/mydata.tgz
Then upon shutdown/backup it will be encrypted.
Subsquent booting and shutdown will work as expected and the restore boot option is no longer required.
-
Thanks Robert,
I use boot Core Linux from a USB disk. Here is my menu.lst for GRUB:
default 0
timeout 10
title Core Linux
kernel /tcl/vmlinuz tce=UUID=01503e74-9aae-40cb-96f0-8164b891c652 waitusb=3 restore=UUID=01503e74-9aae-40cb-96f0-8164b891c652 tz=MST7MDT,M3.2.0,M11.1.0 kmap=dvorak/ANSI-dvorak host=foo.bar text cron protect
initrd /tcl/core.gz
boot
I was asked to input password twice after kmaps was loaded. Then, a clean system showed up since I moved mydata.tgz (and since it wouldn't be loaded anyway). I ran filetool.sh -b but the resulted archive is not encrypted. I tried to move option protect right after /vmlinuz but it didn't help. Does it have something to be with the way I specify restore (using UUID)?
-
Try filetool.sh -b sdxy
where xy are what your uuid maps to.
-
Hi Robert,
Thanks. I used filetool.sh -b sdc1 and mydata.tgz was generated. Is there some temporary file which saves encryption configuration I can look into?
-
First using the uuid did not play into the protect backup. What happens is when you have an existing mydata.tgz and you use the protect boot code, it will not find the encrypted backup, mydata.tgz.bfe, as it has not been created yet. Because the system did not find it /etc/sysconfig/backup_device never gets set. That is why filetool.sh -b did not work and required the extra parameter.
-
Thanks Robert,
But filetool.sh -b sdc1 only generated a mydata.tgz, not mydata.tgz.bfe.
-
Not able to reproduce. I use encrypted backup on some of my machines. Check /etc/sysconfig/bfe and showbootcodes before filetool.sh command. filetool.sh has a test for the existence of /etc/sysconfig/bfe in order to perform the encryption.
-
Thanks Robert,
/etc/sysconfig/bfe is missing when protect is specified. Can it be because UUID was specified other than sdxy, start-up script cannot generate /etc/sysconfig/bfe?
-
I think the answer you seek is the comments at the beginning of the filetool.sh
# Added ideas from WDef for invalid device check and removal of bfe password upon failure
The failure to restore caused the removal. Not the use of UUID.
This could be improved. I wil look to do so.
-
Good. UUID or LABEL should be no problem when used with "protect".
After looking at the code and the mod to remove bfe upon failure, I have determined that the failure should not happen when no initial mydata.tgz.bfe exists. The removal was suggested as a security feature. But then it overly complicates when first trying to use "protect". I am adjusting filetool.sh so that initial use will be easier to use.
Thanks for feedback.
-
Thanks Robert,
Do you know why kmap=dvorak/ANSI-dvorak will fail decryption attempt?
-
No. Never tried dvorak. Regular keyboard with my bad vision is enough of a challenge.
-
Robert,
Is there a way to generate a temporary file to store the password input at boot-up? If that is possible, I can track what is actually input when dvorak keyboard is specified and potentially solve the bug.
-
It is stored in /etc/sysconfig/bfe but is currently deleted upon any failure. You would have to mod filetool.sh to catch it.
-
The use of "protect" has now been enhanced to better handle existing data backup files.
Look for it in the next release.
-
Thanks a lot Robert. I had to format my USB disk to EXT4 because I was concerned if I lost it, the data in mydata.tgz would be easily accessed. Now I can formot the USB disk back to FAT32 with mydata.tgz encrypted.
Cheers!
-
what 'security hole' did the feature that is being changed patch?
-
No secrity hole. The existing code was easy to use with no initial backup data.
With backup data it required serveral manual steps that really should not have been be required.
I enhanced the code to not require manual steps and with messages where there was none.
It will be available in 4.5.2
-
b(o_o)d