[zfs-backup-to-s3~source:2] v0.3 updated to support direct use of the s3-crypto.ksh v0.4 functionalit
- From: gbrunett@kenai.com
- To: commits@zfs-backup-to-s3.kenai.com
- Subject: [zfs-backup-to-s3~source:2] v0.3 updated to support direct use of the s3-crypto.ksh v0.4 functionalit
- Date: Sun, 14 Jun 2009 15:06:27 +0000
Project: zfs-backup-to-s3
Repository: source
Revision: 2
Author: gbrunett
Date: 2009-06-14 15:06:06 UTC
Link:
http://kenai.com/projects/zfs-backup-to-s3/sources/source/revision/2
Log Message:
------------
v0.3 updated to support direct use of the s3-crypto.ksh v0.4 functionality
Modified Paths:
---------------
INSTALL
zfs-backup-to-s3.dfl
zfs-backup-to-s3.sh
Diffs:
------
diff -r 4db9d744c6f4 -r b21fcaf87e72 INSTALL
--- a/INSTALL Tue Apr 28 16:14:20 2009 -0400
+++ b/INSTALL Sun Jun 14 11:06:06 2009 -0400
@@ -5,16 +5,12 @@
# DEPENDENCIES
#
===========================================================================
-This software module is just a front-end component and must be used with a
-back-end component that performs the actual operations against the Storage
-Cloud. To date, this software has been tested against the Amazon Simple
-Storage Service (S3) using the "Another S3 Bash Interface" tool published
-by "nescafe5" at:
+This software module depends on the Cloud Safety Box tool to perform the
+actual compression, encryption, and splitting operations. The Cloud Safety
+Box tool must be properly installed before this tool is used.
- http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1081
-
-It is expected that this software can be easily adapted to other CLI back-
-end software components, however.
+Note that the Cloud Safety Box tool has additional dependencies. Those
+dependencies must also be satisfied prior to using this tool.
#
===========================================================================
# INSTALLATION
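Review bot: The new DEPENDENCIES text names the Cloud Safety Box tool but gives neither a location nor a minimum version, while the removed text carried a URL for its back end. The log message says this release relies on s3-crypto.ksh v0.4, so INSTALL should state that v0.4 or later is required and where to obtain it. The added "additional dependencies" sentence would also be more useful if it pointed at the Cloud Safety Box INSTALL file.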
diff -r 4db9d744c6f4 -r b21fcaf87e72 zfs-backup-to-s3.dfl
--- a/zfs-backup-to-s3.dfl Tue Apr 28 16:14:20 2009 -0400
+++ b/zfs-backup-to-s3.dfl Sun Jun 14 11:06:06 2009 -0400
@@ -1,8 +1,14 @@
# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
+# ENC_PROVIDER defines the cryptographic services provider used for
+# encryption operations. Value values are "solaris" and "openssl".
+ENC_PROVIDER="solaris"
+
# ENC_ALG defines the algorithm that will be used for the encryption
-# operation. Valid values are those reported by encrypt(1).
+# operation. Valid values are those reported by encrypt(1) (when
+# using the Solaris provider) and openssl(5) (when the OpenSSL
+# provider is used).
ENC_ALG=aes
# KEY_TYPE defines the type of key that will be used for the encryption
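Review bot: Typo in the added ENC_PROVIDER comment: "Value values" should read "Valid values". The ENC_ALG comment now covers two providers but the default stays ENC_ALG=aes with ENC_PROVIDER="solaris"; please say in the comment whether "aes" is also accepted when the provider is switched to "openssl", so an operator changing one setting knows whether the other must change too.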
@@ -13,18 +19,31 @@
# operation. This must be an absolute path to a file that is owned
# and accessibly only by the "zfssnap" role. The key contained in
# this file must be compatible with the ENC_ALG algorithm selected
-# above. See encrypt(1) for more information.
+# above. See encrypt(1) and openssl(5) for more information.
KEY_FILE=/etc/security/zfs-backup-to-s3.enc_key
# KEY_LABEL specifies the label of a symmetric token key stored in
# a PKCS#11 token.
KEY_LABEL=
-# S3_CLI_CMD_NAME defines the name of the program to use as the
-# S3 command line interface. This parameter is needed to call the
-# back-end program that performs the actual Amazon S3 GET/PUT
-# operations.
-S3_CLI_CMD_NAME=""
+# MAX_FILE_SIZE specifies the maximum file size that can be sent
+# to the Cloud storage provider without first splitting the file
+# up into chunks (of MAX_FILE_SIZE or less). This value is specified
+# in Kbytes. If this variable is 0 or not defined, then this service
+# will _not_ attempt to split the file into chunks.
+MAX_FILE_SIZE=40000000
+
+# S3C_CRYPTO_CMD_NAME defines the fully qualified path to the
+# s3-crypto.ksh program which is used to perform compression,
+# encryption, and file splitting operations.
+S3C_CRYPTO_CMD_NAME=""
+
+# S3C_CLI_CMD_NAME defines the fully qualified path to the program
+# used to perform actual upload operations to the Cloud storage
+# provider. This program is called (indirectly) by the
+# s3-crypto.ksh program defined by the S3C_CRYPTO_CMD_NAME variable
+# above.
+S3C_CLI_CMD_NAME=""
# S3_ACCESS_KEY_ID defines the Amazon Simple Storage Service (S3)
# Access Key to be used for the storage of the encrypted snapshots.
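Review bot: MAX_FILE_SIZE=40000000 is documented as Kbytes, which makes the default split threshold roughly 40 GB. If that is intended, say so in the comment; if the value was meant in bytes, the unit or the number is wrong, and chunks larger than the storage provider accepts would fail at upload time. S3C_CRYPTO_CMD_NAME and S3C_CLI_CMD_NAME are both described as fully qualified paths yet default to "", so the comments should state that they must be set before first use.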
@@ -33,10 +52,11 @@
# S3_SECRET_ACCESS_KEY defines the location of a file containing
# the Amazon S3 secret access key associated with the access key
# defined by S3_ACCESS_KEY_ID.
-S3_SECRET_ACCESS_KEY=/etc/security/zfs-backup-to-s3.s3_key
+S3_SECRET_ACCESS_KEY=""
-# S3_BUCKET defines the location into which the encrypted snapshot
+# S3C_BUCKET defines the location into which the encrypted snapshot
# will be stored on Amaozn S3. This S3 bucket must already exist
# and be accessible (writable) to the S3_ACCESS_KEY_ID defined
# above.
S3_BUCKET=""
+
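Review bot: The comment is renamed to S3C_BUCKET but the assignment below it is still S3_BUCKET="", and zfs-backup-to-s3.sh also keeps S3_BUCKET. Either rename the variable in both files or revert the comment, otherwise an operator who follows the comment sets a variable the script never reads. S3_SECRET_ACCESS_KEY also changes from a concrete path to "", so the script's ownership and permission check on that file now starts from an empty value unless the operator sets one; a documented example path in the comment would help.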
diff -r 4db9d744c6f4 -r b21fcaf87e72 zfs-backup-to-s3.sh
--- a/zfs-backup-to-s3.sh Tue Apr 28 16:14:20 2009 -0400
+++ b/zfs-backup-to-s3.sh Sun Jun 14 11:06:06 2009 -0400
@@ -21,7 +21,11 @@
export DEFAULTS_FILE
# Encryption algorithm specific parameters.
+ENC_PROVIDER=""
ENC_ALG=""
+
+# Splitting specific parameters.
+MAX_FILE_SIZE=""
# Encryption key specific parameters.
KEY_TYPE=""
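Review bot: ENC_PROVIDER is initialised to "" here and later expanded unquoted as "-p ${ENC_PROVIDER}" in ENC_OPTS, with no validation in the hunks shown. If a defaults file written for v0.2 lacks the setting, -p is followed directly by -a and the option parsing in s3-crypto.ksh shifts by one. Suggest rejecting any value other than "solaris" or "openssl" before ENC_OPTS is built, and treating an empty MAX_FILE_SIZE as 0 explicitly, as the .dfl comment promises.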
@@ -30,7 +34,8 @@
KEY_STRING=""
# Amazon S3 specific parameters.
-S3_CLI_CMD_NAME=""
+S3C_CRYPTO_CMD_NAME=""
+S3C_CLI_CMD_NAME=""
S3_ACCESS_KEY_ID=""
S3_SECRET_ACCESS_KEY=""
S3_BUCKET=""
@@ -85,7 +90,8 @@
# Verify the Amazon S3 Settings.
#
****************************************************************************
-export S3_ACCESS_KEY_ID S3_SECRET_ACCESS_KEY
+export S3C_CLI_CMD_NAME S3_ACCESS_KEY_ID S3_SECRET_ACCESS_KEY
+
found=`find ${S3_SECRET_ACCESS_KEY} -user zfssnap -type f \
\( -perm 400 -o -perm 600 \) | wc -l`
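Review bot: The context line "find ${S3_SECRET_ACCESS_KEY} -user zfssnap -type f" expands the variable unquoted, and this commit changes its default in zfs-backup-to-s3.dfl to "". With an empty value the path operand disappears and find is invoked with no starting point, so the result depends on the find implementation rather than on the key file. Test for an empty value first and quote the expansion. Since S3C_CLI_CMD_NAME is now exported for use by s3-crypto.ksh, it deserves the same kind of existence check before the export.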
@@ -94,71 +100,49 @@
exit 1
fi
-if [ ! -x ${S3_CLI_CMD_NAME} ]; then
- echo "S3 command path did not point to s3 command: ${S3_CLI_CMD_NAME}"
+if [ ! -x ${S3C_CRYPTO_CMD_NAME} ]; then
+ echo "File is not exectuable: ${S3C_CRYPTO_CMD_NAME}"
exit 1
else
- PATH=$PATH:`dirname ${S3_CLI_CMD_NAME}`
+ PATH=$PATH:`dirname ${S3C_CRYPTO_CMD_NAME}`
export PATH
fi
#
****************************************************************************
-# Create a temporary working space to store the encrypted content.
+# Define the file name that will be used as the base name for the file that
+# is uploaded to the Cloud storage service. This name will be the same as
+# the ZFS snapshot name except that some characters such as '/', '@', and
+# ':' will be substituted as noted below.
#
****************************************************************************
-tmp_dir=`mktemp -d -t tmp.XXXXXXXXXX`
-if [ -z "${tmp_dir}" ]; then
- echo "Temporary directory could not be created."
- exit 1
-fi
-
+remote_file_name=`echo ${LAST_SNAP} |\
+ sed 's|/|~slash~|g' |\
+ sed 's|@|~at~|g' |\
+ sed 's|:|~colon~|g'`
+
#
****************************************************************************
-# Create a temporary file to house the content received from the ZFS auto-
-# snapshot service. The name of the file containing the encrypted content
-# will be the same as the ZFS snapshot name except that '/' characters will
-# be changed to the string '~slash~' and a '.enc' suffix will be added.
-#
-# NOTE: Sun Cloud does not permit the following characters in the name of
-# files stored: "@" or ":". As a result, those characters will be changed
-# to "~at~" and "~colon~" respectively.
+# Define the S3 Cryptographic command line options to be used.
#
****************************************************************************
-new_name=`echo ${LAST_SNAP} |\
- sed 's|/|~slash~|g' |\
- sed 's|@|~at~|g' |\
- sed 's|:|~colon~|g'`
-
-tmp_file="${tmp_dir}/${new_name}.enc"
+CMP_OPTS="-C"
-#
****************************************************************************
-# Stream the content through an encryption filter and store as a file.
-#
****************************************************************************
+ENC_OPTS="-c -p ${ENC_PROVIDER} -a ${ENC_ALG} ${KEY_STRING}"
-rm -f ${tmp_file}
-touch ${tmp_file}
-chmod 600 ${tmp_file}
-
-cat | encrypt -a ${ENC_ALG} ${KEY_STRING} >> ${tmp_file}
-
-chmod 400 ${tmp_file}
-
-#
****************************************************************************
-# Transfer the encrypted ZFS backup to storage. Only perform the transfer
-# if the size of the encrypted object is greater than 0.
-#
****************************************************************************
-
-if [ -s ${tmp_file} ]; then
- ${S3_CLI_CMD_NAME} put ${S3_BUCKET} `basename ${tmp_file}` ${tmp_file}
-fi
-
-# ...
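Review bot: The new check [ ! -x ${S3C_CRYPTO_CMD_NAME} ] is unquoted, and the shipped default for that variable is "". With an empty value the test collapses to [ ! -x ], which a POSIX test evaluates as "is the string -x empty", so the condition is false and the script falls through to the else branch and runs dirname with no argument. Quote the expansion and reject an empty value explicitly. S3C_CLI_CMD_NAME is exported earlier but never checked for executability in the lines shown, although it is the program that performs the upload. The directory of S3C_CRYPTO_CMD_NAME is appended to PATH for a script that handles key material, so it is worth verifying that the directory and the program are not writable by other users before trusting them. The message also has a typo: "exectuable" should be "executable".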