One of the most critical aspects of recovering from a ransomware attack is to have periodic file system backups securely stored off machine. That way, when an adversary has obtained access to a machine and has encrypted or destroyed its files, the victim can recover the lost files from the backup. On Linux, any number of tools can be used to back up files, including cp, dump/restore, zip, gzip, tar, and rsync.

One of the most critical aspects of limiting the scope of a data breach is to encrypt sensitive data that is not being actively used. This is often referred to as "encryption at rest". That way, when an adversary has obtained access to a machine, they are unable to read the encrypted files stored on it unless they also compromise the decryption key. On Linux, any number of tools can be used to encrypt files, including openssl, 7z, and fscrypt.

In this lab, you will practice using common tools for backing up and encrypting files on Linux.

Collections of files are often delivered as a single tape archive file created with the tar command. As text files often have low entropy (e.g. they contain repetitive patterns), the archive is usually compressed with GNU zip (gzip) before it is stored or transmitted. Running tar followed by gzip (and, when unpacking, gunzip followed by tar) is so common that tar can be told to apply gzip itself via a single flag.

To begin with, bring up the Kali VM. Then, run a tar command that creates (c) a compressed (z) tar file (f) named /tmp/home.tar.gz of the /home folder, keeping the original permissions and timestamps (p). Note that for security reasons, any leading '/' in the paths of files being archived is removed, so that someone unpacking the archive doesn't unwittingly overwrite files in sensitive locations such as "/etc/passwd".

tar czpf /tmp/home.tar.gz /home

The archive contains all files under the /home directory and can be copied off-machine via scp or rsync after creation. Perform the command below on the archive to view its contents (t).

tar tzpf /tmp/home.tar.gz

Then, change into /tmp and extract (x) the contents of the archive to recover the original contents.

cd /tmp
tar xzpf home.tar.gz

Run the du -sk command on the original directory, the unpacked directory, and the archive to obtain the size in kB of each.

du -sk /home /tmp/home /tmp/home.tar.gz

Finally, delete the unpacked directory and the archive.

rm -r /tmp/home /tmp/home.tar.gz

While tar can provide compressed backups of our data, the contents are not encrypted. Typically, if one wants a compressed, encrypted backup, the compression is done before the encryption: encrypted data is statistically indistinguishable from random, so compressing it afterwards saves almost nothing.

We'll generate a compressed, encrypted archive using a single command. To do so, rather than specifying a file for tar to create, we'll pass - as the file name so that tar writes the archive to standard output. We can then send this output through a pipe to the standard input of an openssl encryption command (enc -e) that encrypts the archive with AES-256-CBC, deriving the key from the password we enter with PBKDF2 (-aes256 -pbkdf2). Perform the command below to do so:

tar czpf - /home | openssl enc -e -aes256 -pbkdf2 -out /tmp/home.tar.gz.enc
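The script below is an added example, not part of the lab. It runs the same tar | openssl pipeline against a constructed sample tree and checks three things worth knowing about the backup: the archive stores no leading '/', the restored tree is byte-identical to the original, and compressing before encrypting yields a smaller file than the reverse order. It assumes tar, gzip and openssl are on PATH and uses a constructed password via -pass so it runs unattended, whereas the lab prompts for the password interactively.

```shell
# Added example, not part of the lab: back up a constructed sample tree with the
# lab's tar | openssl pipeline, then check that the archive stores no leading '/',
# that the restore is byte-identical, and that compressing before encrypting
# produces a smaller file than the reverse order. Assumes tar, gzip and openssl
# on PATH; PASS is a constructed value given via -pass only so the script runs
# unattended (the lab prompts for the password interactively).
set -eu
PASS='lab-demo-passphrase'

# Create the sample tree under a scratch directory and echo its absolute root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/src/home/alice"
    # low-entropy text compresses well, which is why compression goes first
    yes 'user=alice role=analyst status=active' | head -n 2000 > "$root/src/home/alice/notes.txt"
    printf 'constructed-token-123\n' > "$root/src/home/alice/.token"
    echo "$root"
}

# Compress, then encrypt: tar writes to stdout (-), openssl reads it from stdin.
backup_encrypted() {   # $1 = directory (absolute path), $2 = output .tar.gz.enc
    tar czpf - "$1" 2>/dev/null | openssl enc -e -aes256 -pbkdf2 -pass "pass:$PASS" -out "$2"
}

# Reverse order, for comparison only: encrypt first, then gzip the ciphertext.
backup_wrong_order() {  # $1 = directory, $2 = output .tar.enc.gz
    tar cpf - "$1" 2>/dev/null | openssl enc -e -aes256 -pbkdf2 -pass "pass:$PASS" | gzip > "$2"
}

# Decrypt, then decompress and unpack under $2 (the slash-less path is recreated there).
restore_encrypted() {  # $1 = .tar.gz.enc, $2 = destination directory
    openssl enc -d -aes256 -pbkdf2 -pass "pass:$PASS" -in "$1" | tar xzpf - -C "$2"
}

# Print how many member names begin with '/'; tar strips the leading '/' so this is 0.
count_absolute_members() {  # $1 = .tar.gz.enc
    openssl enc -d -aes256 -pbkdf2 -pass "pass:$PASS" -in "$1" | tar tzf - | grep -c '^/' || true
}

# Run the whole flow; prints "ok" only if every check passes.
demo() {
    root=$(make_sample_tree)
    backup_encrypted "$root/src/home" "$root/home.tar.gz.enc"
    backup_wrong_order "$root/src/home" "$root/home.tar.enc.gz"
    [ "$(count_absolute_members "$root/home.tar.gz.enc")" -eq 0 ] || return 1
    mkdir "$root/restore" && restore_encrypted "$root/home.tar.gz.enc" "$root/restore"
    diff -r "$root/src/home" "$root/restore$root/src/home" > /dev/null || return 1
    [ "$(wc -c < "$root/home.tar.gz.enc" | tr -d ' ')" -lt "$(wc -c < "$root/home.tar.enc.gz" | tr -d ' ')" ] || return 1
    rm -r "$root" && echo ok
}
```

Call demo to run the flow; it prints ok on success and cleans up its scratch directory.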

Then, run the file command on the encrypted archive to see that it no longer identifies as gzip data.

file /tmp/home.tar.gz.enc

Perform the reverse operation to decrypt the archive (enc -d -aes256 -pbkdf2), then decompress and unpack it.

cd /tmp
openssl enc -d -aes256 -pbkdf2 -in home.tar.gz.enc | tar xzpf -

Run the du -sk command on the original directory, the decrypted one, and the archive to obtain the size in kB of each.

du -sk /home /tmp/home /tmp/home.tar.gz.enc

Finally, delete the decrypted directory and the archive.

rm -r /tmp/home /tmp/home.tar.gz.enc

Another common tool for backing up and encrypting files is zip. Use it to recursively archive (-r) and encrypt (-e) /home using a password.

zip -re /tmp/home.zip /home

zip only encrypts the contents of files, not their names. Running "strings" on the archive reveals the file names, as does listing the archive with unzip -l, neither of which requires the password.

strings /tmp/home.zip
unzip -l /tmp/home.zip

Unzip the archive in /tmp.

cd /tmp
unzip home.zip

Then, run the du -sk command on the original directory, the decrypted one, and the archive to obtain the size in kB of each.

du -sk /home /tmp/home /tmp/home.zip

Finally, delete the decrypted directory and the archive.

rm -r /tmp/home /tmp/home.zip

7z is more commonly used by security researchers to distribute compressed and encrypted file archives. Unlike zip, it encrypts both the names and the contents of files in the archive. Note that the file names live in the archive header, which 7z encrypts only when header encryption is enabled (-mhe=on); without it, the header is merely compressed, which keeps the names out of a "strings" listing but not out of a 7z l listing. Use it to add (a) the /home directory to a password-protected (-p) archive.

7z a -p /tmp/home.7z /home

Run "strings" on the archive to show that it has encrypted the file names as well as their contents.

strings /tmp/home.7z

Extract (x) the archive in /tmp.

cd /tmp
7z x home.7z

Then, run the du -sk command on the original directory, the decrypted one, and the archive to obtain the size in kB of each.

du -sk /home /tmp/home /tmp/home.7z

Finally, delete the decrypted directory and the archive.

rm -r /tmp/home /tmp/home.7z

The previous tools allow one to create a single archive, transfer it to a different machine, and unpack it there to obtain an identical copy for safekeeping. For keeping a live copy of a directory tree up to date, the rsync command is often used instead. It can run over ssh to securely synchronize a local directory to a remote location.

On the Kali VM, substituting your OdinID in the command below, perform an rsync to copy the /home directory over to your Linux account.

rsync -a -e ssh /home <OdinID>@linux.cs.pdx.edu:

Then, ssh into your Linux account and verify the contents have been copied over, then delete the directory.

du -sk ~/home
ls -l ~/home
rm -r ~/home

rsync allows you to exclude certain files from being synchronized. To show this, go back to the Kali VM and repeat the rsync command, but add the flag below to exclude the guest directory from the transfer.

--exclude=guest

Back in your Linux account, verify that the contents have been copied over without the guest directory.

du -sk ~/home
ls -l ~/home

Then delete the directory.

rm -r ~/home

Modern Linux file systems have built-in support for encrypting files and directories. Several tools can be used to take advantage of this facility; one such tool is fscrypt.

To begin with, bring up the Kali VM and install the tool.

sudo apt update -y
sudo apt install fscrypt -y

Then, use the df command to examine the file systems that are currently mounted on the Kali VM including their types.

df -T

Initially, encryption support is disabled on the file systems. We can confirm this by running the status command:

fscrypt status

Find the main device that is mounted at the root (/) and see that it does not have encryption enabled. Then, run the tune2fs command using sudo to turn on the encryption feature for that device.

sudo tune2fs -O encrypt /dev/sd...

Check that the built-in encryption support for the file system has now been enabled.

fscrypt status

To use fscrypt on this file system, we'll first need to run a setup command. Note that for simplicity, we'll use the default settings of fscrypt and apply the configuration globally to all users in this step.

sudo fscrypt setup --all-users

With fscrypt, you start with an empty directory and enable encryption on it. After copying the files you want to encrypt into the directory, you "lock" it to have the file system encrypt its contents, protected by the user's account password, a custom passphrase, or a custom key. Then, when you wish to access its contents, you "unlock" it to have the contents decrypted for use.

In your home directory, create a directory then enable encryption on it using a custom passphrase. Then, perform a status command on the directory.

mkdir secrets
fscrypt encrypt secrets
fscrypt status secrets

Verify that the directory is in an unlocked state.

The status command also reports the policy and protector identifiers for the directory; their metadata is stored under /.fscrypt. Add a file to the directory.

echo "admin:password123" > secrets/password_vault.txt
ls -l secrets/password_vault.txt

Next, "lock" the directory. This causes the contents of the directory to become inaccessible until it is unlocked again. Verify that it is no longer unlocked.

fscrypt lock secrets
fscrypt status secrets

Attempt to read the contents of the files in the secrets directory.

cat secrets/*

Finally, unlock the directory with the password for root and verify that you have regained access to the directory.

fscrypt unlock secrets
cat secrets/*