One of the most critical aspects of recovering from a ransomware attack is to have periodic file system backups securely stored off machine. That way, when an adversary has obtained access to a machine and has encrypted or destroyed its files, a victim can easily recover any lost files. On Linux, any number of tools can be used to back up files, including cp, dump/restore, zip, gzip, tar, and rsync.
One of the most critical aspects for limiting the scope of data breaches is to encrypt sensitive data that is not being actively used. This is often referred to as "encryption at rest". That way, when an adversary has obtained access to a machine, they are unable to decrypt files stored on the machine unless they also compromise the decryption key. On Linux, any number of tools can be used to encrypt files, including openssl, 7z, and fscrypt.
In this lab, you will practice using common tools for backing up and encrypting files on Linux.
Collections of files are often delivered as a single tape archive file using the tar command. As text files often have low entropy (i.e. they contain repetitive patterns), compression is often performed on the archive using GNU zip (gzip) before it is stored or transmitted. The tar command followed by the gzip command (and, when unpacking, the gunzip command followed by the tar command) are so often run together that the use of gzip can be specified within the tar command itself.
To begin with, bring up the Kali VM. Then, run a tar command that creates (c) a compressed (z) tar file (f) named /tmp/home.tar.gz of the /home folder, keeping the original permissions and timestamps (p). Note that for security reasons, any leading '/' in the paths of files being archived is removed so that someone unpacking the archive doesn't unwittingly overwrite arbitrary files in sensitive locations such as "/etc/passwd".
tar czpf /tmp/home.tar.gz /home
The archive contains all files under the /home directory and can be copied off-machine via scp or rsync after creation. Perform the command below on the archive to view its contents (t).
tar tzpf /tmp/home.tar.gz
Then, change into /tmp and extract (x) the contents of the archive to recover the original contents.
cd /tmp
tar xzpf home.tar.gz
Run the du -sk command on the original directory, the unpacked directory, and the archive to obtain the size in kB of each.
du -sk /home /tmp/home /tmp/home.tar.gz
Finally, delete the unpacked directory and the archive.
rm -r /tmp/home /tmp/home.tar.gz
While tar can provide compressed backups of our data, the contents are not encrypted. Typically, if one wants a compressed, encrypted backup, the compression is done before the encryption: encrypted data is statistically random, so it leaves little room for compression if the encryption is done first.
We'll look to generate a compressed, encrypted archive using a single command. To do so, rather than specifying a file to create, we'll give '-' as the file name, which tells tar to write the archive to standard output. We can then send this output through a pipe to the standard input of an openssl encryption command (enc -e) to encrypt the archive with AES-256-CBC, using PBKDF2 to derive a key from the password we enter (-aes256 -pbkdf2). Perform the command below to do so:
tar czpf - /home | openssl enc -e -aes256 -pbkdf2 -out /tmp/home.tar.gz.enc
Then, perform a file operation on the encrypted archive.
file /tmp/home.tar.gz.enc
What does the file utility report as the file type of the encrypted archive?
Perform the reverse operation to decrypt the archive (enc -d -aes256 -pbkdf2), then decompress and unpack it.
cd /tmp
openssl enc -d -aes256 -pbkdf2 -in home.tar.gz.enc | tar xzpf -
Run the du -sk command on the original directory, the decrypted one, and the archive to obtain the size in kB of each.
du -sk /home /tmp/home /tmp/home.tar.gz.enc
Finally, delete the decrypted directory and the archive.
rm -r /tmp/home /tmp/home.tar.gz.enc
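As an added example (not part of the lab), the script below reproduces the pipeline above on a constructed tree in a temporary directory, builds the reverse order (encrypt, then gzip) to show why compression must come first, checks that the leading '/' noted in the tar section is stripped from member names, and verifies that the decrypted archive restores the original files. It assumes tar, gzip, diff and openssl 1.1.1 or newer (for -pbkdf2) are installed; the passphrase file and the sample data are constructed here.

```shell
# Added example, not from the lab: compress-then-encrypt vs encrypt-then-compress,
# plus a round-trip check. Assumes tar, gzip, diff and openssl >= 1.1.1 exist.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/home"                  # constructed stand-in for /home
PASSFILE="$WORK/passphrase"       # passphrase read with -pass file:, not from argv
ENC="$WORK/home.tar.gz.enc"
# Constructed sample data: low-entropy text, so gzip can shrink it a lot.
mkdir -p "$SRC/user"
yes "admin:password123" | head -c 200000 > "$SRC/user/password_vault.txt"
printf 'constructed-lab-passphrase\n' > "$PASSFILE"
chmod 600 "$PASSFILE"
size_bytes() { wc -c < "$1" | tr -d ' '; }

# The lab's order: gzip the tar stream first, then encrypt with AES-256-CBC + PBKDF2.
# tar prints "Removing leading '/'" because SRC is given as an absolute path.
compress_then_encrypt() {
    tar czpf - "$SRC" \
      | openssl enc -e -aes256 -pbkdf2 -pass file:"$PASSFILE" -out "$ENC"
    size_bytes "$ENC"
}
# The reverse order: the ciphertext is statistically random, so gzip gains nothing.
encrypt_then_compress() {
    tar cpf - "$SRC" \
      | openssl enc -e -aes256 -pbkdf2 -pass file:"$PASSFILE" \
      | gzip > "$WORK/home.tar.enc.gz"
    size_bytes "$WORK/home.tar.enc.gz"
}
# First member name inside the encrypted archive; the leading '/' is gone.
first_member() {
    openssl enc -d -aes256 -pbkdf2 -pass file:"$PASSFILE" -in "$ENC" | tar tzf - | head -n 1
}
# Decrypt, decompress and unpack under a restore root, then compare with the source.
# Since the leading '/' was stripped, the files land at "$WORK/restore$SRC".
roundtrip() {
    mkdir -p "$WORK/restore"
    openssl enc -d -aes256 -pbkdf2 -pass file:"$PASSFILE" -in "$ENC" \
      | tar xzpf - -C "$WORK/restore"
    if diff -r "$SRC" "$WORK/restore$SRC" >/dev/null; then echo match; else echo mismatch; fi
}

CTE=$(compress_then_encrypt)
ETC=$(encrypt_then_compress)
FIRST=$(first_member)
RESULT=$(roundtrip)
echo "compress-then-encrypt: $CTE bytes, encrypt-then-compress: $ETC bytes"
echo "first archive member: $FIRST, round trip: $RESULT"
```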
Another common tool for backing up and encrypting files is zip. Use it to recursively archive (-r) and encrypt (-e) /home using a password.
zip -re /tmp/home.zip /home
zip only encrypts the contents of files and not their names. Running strings on the archive reveals the file names, as does listing the archive via unzip -l.
strings /tmp/home.zip
unzip -l /tmp/home.zip
Unzip the archive in /tmp.
cd /tmp
unzip home.zip
Then, run the du -sk command on the original directory, the decrypted one, and the archive to obtain the size in kB of each.
du -sk /home /tmp/home /tmp/home.zip
tar/gzip?
Finally, delete the decrypted directory and the archive.
rm -r /tmp/home /tmp/home.zip
7z is a tool more commonly used by security researchers to distribute compressed and encrypted file archives. Unlike zip, it encrypts both the names and the contents of files in the archive. Use it to add (a) the /home directory to a password-protected (-p) archive.
7z a -p /tmp/home.7z /home
Run strings on the archive to show that it has encrypted the file names as well as their contents.
strings /tmp/home.7z
Extract (x) the archive in /tmp.
cd /tmp
7z x home.7z
Then, run the du -sk command on the original directory, the decrypted one, and the archive to obtain the size in kB of each.
du -sk /home /tmp/home /tmp/home.7z
Finally, delete the decrypted directory and the archive.
rm -r /tmp/home /tmp/home.7z
The previous tools allow one to create a single archive, transfer it to a different machine, and unpack it there to create an identical copy for safekeeping. When creating live backup copies of files, the rsync command is sometimes used. The command can be run over ssh to securely synchronize a local directory to a remote location.
On the Kali VM, substituting your OdinID in the command below, perform an rsync to copy the /home directory over to your Linux account.
rsync -a -e ssh /home <OdinID>@linux.cs.pdx.edu:
Then, ssh into your Linux account and verify that the contents have been copied over, then delete the directory.
du -sk ~/home
ls -l ~/home
rm -r ~/home
rsync allows you to exclude certain files from being synchronized. To show this, go back to the Kali VM and repeat the rsync command, but add the flag below to exclude the guest directory from the transfer.
--exclude=guest
Go back to your Linux account and verify the contents have been copied over.
du -sk ~/home
ls -l ~/home
Then delete the directory.
rm -r ~/home
Modern Linux file systems have built-in support for file system and folder encryption. There are several tools that can be used to take advantage of this facility. One such tool is fscrypt.
To begin with, bring up the Kali VM and install the tool.
sudo apt update -y
sudo apt install fscrypt -y
Then, use the df command to examine the file systems that are currently mounted on the Kali VM, including their types.
df -T
/?
Initially, support for encryption is disabled on file systems. We can validate this by running a status command:
fscrypt status
Find the main device that is mounted at the root (/) and see that it does not have encryption enabled. Then, run the tune2fs command using sudo to turn on the encryption option for the device.
sudo tune2fs -O encrypt /dev/sd...
Check that the built-in encryption support for the file system has now been enabled.
fscrypt status
To use fscrypt on this file system, we'll first need to run a setup command. Note that for simplicity, we'll use the default settings of fscrypt and apply the configuration globally to all users in this step.
sudo fscrypt setup --all-users
With fscrypt, you start with an empty directory, then enable file system encryption on it. After copying the files you want to encrypt into the directory, you can "lock" it to have the file system encrypt its contents, protecting it with the user's account password, a custom passphrase, or a custom key. Then, when you wish to access its contents, you "unlock" it to have the contents decrypted for use.
In your home directory, create a directory then enable encryption on it using a custom passphrase. Then, perform a status command on the directory.
mkdir secrets
fscrypt encrypt secrets
fscrypt status secrets
Verify that the directory is in an unlocked state.
The status command also points to the policy and protector identifiers for the directory; you can find them under /.fscrypt. Add a file into the directory.
echo "admin:password123" > secrets/password_vault.txt
ls -l secrets/password_vault.txt
Next, "lock" the directory. This will cause the contents of the directory to be encrypted. Verify that it is no longer unlocked.
fscrypt lock secrets
fscrypt status secrets
Attempt to read the contents of the files in the secrets directory.
cat secrets/*
Finally, unlock the directory with the password for root and verify that you have regained access to the directory.
fscrypt unlock secrets
cat secrets/*