0

An embedded device with Linux supports backup/restore of files encrypted with openssl. The idea of backup is: tar -c .... | openssl smime -encrypt -binary -aes-256-cbc -out backupfile.encrypted -outform DER certificate.key and the idea of restore is: openssl smime -decrypt -binary -in backupfile.encrypted -inform DER -inkey private.key -passin file:password.txt | tar -x

Does this idea make sense? Because the good thing is: the backup file is encrypted. The bad thing is: The device contains both, the certificate and the private key. (The file password.txt is provided by temporarily decrypting it from file password.encrypted with a public key.)

Is there another approach of supporting a backup/restore feature on such devices which provides more security?

falkb
  • 101
  • 3
  • Personally I just image my encrypted disk to an external media file. – user10216038 Jul 15 '21 at 23:13
  • @user10216038 The embedded device must create the backup file with limited RAM. There's not enough space to copy an image of the whole flash memory and to compress that to a local file. – falkb Jul 16 '21 at 06:39
  • 1
    You might want to consider creating a public and private key pair offline, then copying just the public key to the device, then using `openssl rsautl` to encrypt the files using the public key. See https://stackoverflow.com/questions/7143514/how-to-encrypt-a-large-file-in-openssl-using-public-key for more info on this. This way the private key (for decrypting the files) is not stored on the device. But having said that, I'm not sure why not having the private key on the device really matters, being that the unencrypted files are on the device anyway. – mti2935 Jul 16 '21 at 16:56
  • @mti2935 Somehow you are right, but with the keys one is able to decrypt every existing backup since it's across devices. – falkb Jul 17 '21 at 18:11

0 Answers0