ba.tar
I wrote this script, but since ba.tar has not been created yet at that point, it does not work.
#! /bin/bash
crontab -l|sed "\$a00 23 * * 5 tar cvf /var/backups/ba.tar /home/$USER"|crontab -
openssl aes-128-cbc -salt -in /var/backups/ba.tar -out /var/backups/ba.tar.aes -k 1416
rm /var/backups/ba.tar
How can I encrypt ba.tar?
Answer 1
OpenSSL is not well suited for this. First, you have to give the command a password so that you can decrypt the backup data later. That password can then be read in log files, which is only advisable if you are not worried about security, and I assume your concern is packing the archive securely. So my suggestion is to use GPG for the encryption. You can do this with something like the following commands, using gpg (which on newer Ubuntu installations is actually GPG2) or gpg2 (which on older Ubuntu installations has to be installed first; just change the commands below to gpg2). See also: Key generation: difference between GnuPG classic, stable, modern?
For this you first need to create a gpg key with the following command:
gpg --gen-key
You will then be prompted for a "Real name" (which can be any name) and an email address (preferably a single name without spaces; see the output below). It then asks whether the information you gave is correct, and if so you should confirm with "o".
$ gpg --gen-key
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Note: Use "gpg --full-gen-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: Videonauth
Email address: [email protected]
You selected this USER-ID:
"Videonauth <[email protected]>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
After this you will be prompted, via a GUI dialog, for a passphrase to protect the key, which you have to enter twice to make sure it is correct. You should remember this passphrase, because it is the only way to decrypt your files later.
The output then looks like this:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 338E09237C58EFA0 marked as ultimately trusted
gpg: revocation certificate stored as '/home/videonauth/.gnupg/openpgp-revocs.d/891E441008DE443C53B44AB2338E09237C58EFA0.rev'
public and secret key created and signed.
pub rsa2048 2017-12-06 [SC]
891E441008DE443C53B44AB2338E09237C58EFA0
uid Videonauth <[email protected]>
sub rsa2048 2017-12-06 [E]
Now it is a good idea to back up the newly created key to files and store them on a USB stick, which you then put in a drawer or similar, so that you can get at this key when you need to set up a new system and want to import it. The following commands create backups of the key and its important parts, which you can then find in ~/Download.
Create a general revocation certificate:
# generate a copy of the revoke certificate
# you need the key ID for this which you can find in
# the before output. In this example this would be
# 891E441008DE443C53B44AB2338E09237C58EFA0
gpg -o ~/Download/key-revocation-cert.asc --gen-revoke 891E441008DE443C53B44AB2338E09237C58EFA0
This gives you the following dialog, which I filled out as an example:
$ gpg -o ~/Download/key-revocation-cert.asc --gen-revoke 891E441008DE443C53B44AB2338E09237C58EFA0

sec  rsa2048/338E09237C58EFA0 2017-12-06 Videonauth <[email protected]>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
> Example Reason
>
Reason for revocation: No reason specified
Example Reason
Is this okay? (y/N) y
ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
Create a copy of your public key:
# This will create a copy of your public key
gpg -o ~/Download/key-public.gpg --export 891E441008DE443C53B44AB2338E09237C58EFA0
Create a copy of your private key:
# This will create a copy of your private key
gpg -o ~/Download/key-private.gpg --export-secret-keys 891E441008DE443C53B44AB2338E09237C58EFA0
To use gpg with your public key, you need to import the public key file on your server:
gpg --import key-public.gpg
Let's first build a correct line and test encryption and decryption, to make sure decryption works before putting it into a crontab or a script. Having done all of the above, you can now generate a directly encrypted archive with the following command (you need to change the user name to the "Real name" you used when creating the key).
tar -cv <directory-to-archive> | gpg -e -r Videonauth -o backup.tar.gpg
This creates an encrypted file without creating an unencrypted one first. To decrypt it, you need the file on your machine and the private key in your keyring, and then run:
gpg -d backup.tar.gpg | tar -xv
You will be prompted for the key's passphrase, and backup.tar.gpg is then unpacked onto your hard disk.
Of course you can also use this to create compressed tar archives if you wish; just change the tar command in the lines above accordingly. For further reading, see man gpg and man tar.
You can put these commands directly into your crontab or create a script for them.
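The tar-into-gpg pipeline and the crontab entry from the answer, put together as a small script, as an added example that is not part of the question or the answer. It assumes the recipient name "Videonauth" from the answer, /home/$USER as the source and /var/backups as the destination; the pre-flight checks (source exists, no silent overwrite, recipient key present) and the gpg --batch flag are additions so that the job can fail loudly under cron instead of hanging on a prompt.

```bash
#!/bin/bash
# Added example, not the answer's or the question's own script.
# Assumed values: recipient "Videonauth", source /home/$USER, output under /var/backups.
set -o pipefail
umask 077   # the encrypted archive is created readable only by its owner

# Does the recipient have a public key in the local keyring?
# Returns 2 if gpg itself is missing, 1 if no key matches, 0 if found.
recipient_key_present() {
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --batch --quiet --list-keys "$1" >/dev/null 2>&1
}

# Stream a tar archive of directory $1 straight into gpg, encrypting to
# recipient $2 and writing $3. No plaintext tarball ever touches the disk,
# so the question's separate "rm ba.tar" step is not needed.
encrypted_backup() {
    local src=$1 recipient=$2 out=$3
    [ -d "$src" ] || { echo "source directory missing: $src" >&2; return 1; }
    [ -e "$out" ] && { echo "refusing to overwrite: $out" >&2; return 1; }
    recipient_key_present "$recipient" || {
        echo "no public key for '$recipient' (or gpg not installed)" >&2
        return 1
    }
    # -C parent + basename stores paths relative to the parent directory;
    # --batch lets gpg run from cron with no terminal attached.
    tar -cf - -C "$(dirname "$src")" "$(basename "$src")" \
        | gpg --batch --quiet -e -r "$recipient" -o "$out"
}

# Build a crontab line (minute, hour, weekday, command) as a plain string,
# the same shape the question's sed command appends.
cron_line() {
    printf '%s %s * * %s %s' "$1" "$2" "$3" "$4"
}

# Usage: backup.sh <source-dir> <recipient> <output-file>
# With no arguments the script only defines the functions above.
case $# in
    0) ;;
    3) encrypted_backup "$1" "$2" "$3" && echo "backup written to $3" ;;
    *) echo "usage: $0 <source-dir> <recipient> <output-file>" >&2; exit 2 ;;
esac
```

A matching crontab entry would call the script rather than the raw pipeline, for instance the line produced by cron_line 00 23 5 "/usr/local/bin/backup.sh /home/$USER Videonauth /var/backups/ba.tar.gpg". One caveat for the server case the answer describes: a public key that was only imported is not trusted by default, and in --batch mode gpg refuses to encrypt to an untrusted key instead of asking; mark it trusted first with gpg --edit-key <key id> and its trust command, and test the script once by hand as the answer advises before handing it to cron.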