Tip #23: Secure Backups Over an Insecure Protocol
Today's tip is closely related to yesterday's tip on context menus, as well as the tips on Encryption and Using Curl for file transfers... What we'll be doing is combining these elements to create an extremely easy-to-use and secure method to backup important files with two clicks via a context menu...
We'll be creating a very simple batch file to perform each of the three steps involved in this process... First we'll encrypt the contents of the file, then transfer the file to an FTP server, and finally delete our local copy of the encrypted file, while leaving the original file intact... After we've created our batch file, then we'll configure Windows Explorer to provide a "Secure Backup" function via a context menu... I'll be assuming that you already have AxCrypt and curl already installed...
The batch file looks like this:
@echo off
set ftp_server=ftp://yourserver.com
set ftp_user=youruserid
set ftp_pass=yourFTPpassword
set ax_key="Top Secret Encryption Passphrase - Keep the Quotes!"
echo Processing %1...
echo Encrypting %1...
"%ProgramFiles%\Axon Data\AxCrypt\1.6.3\AxCrypt" -b 2 -c -e -k %ax_key% -n %1.axx -z %1
echo Transferring %1...
"curl" -T %1.axx -u %ftp_user%:%ftp_pass% %ftp_server%
echo Removing Local %1.axx...
del %1.axx
echo Finished...
Copy the above text into notepad and save it as securetransfer.cmd... For the sake of this demonstration, I'll assume you're placing it in "C:\Windows"...
You will need to modify the "set" variables at the top of the file to reflect your server, FTP user id, FTP password, and a decent passphrase for your encryption... Also if your AxCrypt was not installed to the default location, or curl is not in your PATH, you'll need to modify those lines as well...
Now that you've modified the batch file with your settings, let's put it into action... For detailed instructions on creating a context menu item for all files, please check yesterday's tip as I won't go into detail again in this tip... But, to summarize:
1. Open regedit (Start/Run/regedit)
2. Navigate to HKEY_CLASSES_ROOT/*/shell
(not shellex... If you don't have this key, read this...)
3. Right-click on shell and select New/Key...
(We'll call it securebackup)
4. Single-click on your new key, securebackup, then double-click the (Default) in the right pane... In the Value Data field, enter "Secure Backup"... This is the text that will appear in our context menu...
5. Right-click on securebackup and select New/Key... You must call this one Command...
6. Single-click on Command, then double-click the (Default) in the right pane... In the Value Data field, enter -> C:\Windows\securetransfer.cmd "%1"
Don't forget the quotes around the %1, or filenames with spaces in them will not work correctly...
Now, if you close regedit and open Windows Explorer, you should have a new context menu item , "Secure Backup", for all file types... Right-click on any file to ensure that the menu item is available... If the values in your batch file are correct, as well as the paths to AxCrypt and curl, your files should be encrypted and subsequently transferred to your FTP server when this context menu item is selected... This also works if you select multiple files by Control or Shift clicking items... These files can be downloaded from your FTP server at a later time and decrypted with AxCrypt using the passphrase you supplied in the batch file...
If you have any questions, or any ideas for improvement, please leave a comment... Check back tomorrow for all new tips...
We'll be creating a very simple batch file to perform each of the three steps involved in this process... First we'll encrypt the contents of the file, then transfer the file to an FTP server, and finally delete our local copy of the encrypted file, while leaving the original file intact... After we've created our batch file, then we'll configure Windows Explorer to provide a "Secure Backup" function via a context menu... I'll be assuming that you already have AxCrypt and curl already installed...
The batch file looks like this:
@echo off
set ftp_server=ftp://yourserver.com
set ftp_user=youruserid
set ftp_pass=yourFTPpassword
set ax_key="Top Secret Encryption Passphrase - Keep the Quotes!"
echo Processing %1...
echo Encrypting %1...
"%ProgramFiles%\Axon Data\AxCrypt\1.6.3\AxCrypt" -b 2 -c -e -k %ax_key% -n %1.axx -z %1
echo Transferring %1...
"curl" -T %1.axx -u %ftp_user%:%ftp_pass% %ftp_server%
echo Removing Local %1.axx...
del %1.axx
echo Finished...
Copy the above text into notepad and save it as securetransfer.cmd... For the sake of this demonstration, I'll assume you're placing it in "C:\Windows"...
You will need to modify the "set" variables at the top of the file to reflect your server, FTP user id, FTP password, and a decent passphrase for your encryption... Also if your AxCrypt was not installed to the default location, or curl is not in your PATH, you'll need to modify those lines as well...
Now that you've modified the batch file with your settings, let's put it into action... For detailed instructions on creating a context menu item for all files, please check yesterday's tip as I won't go into detail again in this tip... But, to summarize:
1. Open regedit (Start/Run/regedit)
2. Navigate to HKEY_CLASSES_ROOT/*/shell
(not shellex... If you don't have this key, read this...)
3. Right-click on shell and select New/Key...
(We'll call it securebackup)
4. Single-click on your new key, securebackup, then double-click the (Default) in the right pane... In the Value Data field, enter "Secure Backup"... This is the text that will appear in our context menu...
5. Right-click on securebackup and select New/Key... You must call this one Command...
6. Single-click on Command, then double-click the (Default) in the right pane... In the Value Data field, enter -> C:\Windows\securetransfer.cmd "%1"
Don't forget the quotes around the %1, or filenames with spaces in them will not work correctly...
Now, if you close regedit and open Windows Explorer, you should have a new context menu item , "Secure Backup", for all file types... Right-click on any file to ensure that the menu item is available... If the values in your batch file are correct, as well as the paths to AxCrypt and curl, your files should be encrypted and subsequently transferred to your FTP server when this context menu item is selected... This also works if you select multiple files by Control or Shift clicking items... These files can be downloaded from your FTP server at a later time and decrypted with AxCrypt using the passphrase you supplied in the batch file...
If you have any questions, or any ideas for improvement, please leave a comment... Check back tomorrow for all new tips...
posted by Jameser @ 9:12 PM
2 Comments:
At 7/30/2006 2:38 AM,
Anonymous said…
You may want to address the following two issues:
1. The FTP server and AxCrypt passwords are stored in clear text within the batch file
2. Curl is transmitting the FTP username and password in clear text over the Internet
Please consider PSFTP or WinSCP for making the script more secure.
At 7/31/2006 9:21 PM,
Jameser said…
Hi Miles... Thanks for leaving a comment... Sorry for the dealy in posting it... Regarding your two questions:
Yes, the passwords are stored in clear text... I was assuming that your host machine was pretty secure, as this is where the original unencrypted files reside to begin with... AxCrypt allows you to use key files for encryption, so if you are unsure of the integrity of your host, you could also use key files stored on removable media (thumb drive?)... I also didn't want to make this long-winded tip even longer...
2. Yes, the FTP password is stored in clear text and is also transmitted in the clear... Therefore the whole "insecure protocol" aspect of the article... Once again, if someone is on your box and rooting through batch files for passwords, the files being backed up are already available to that person... If the FTP password is captured during the FTP connection, the files you have uploaded should be sufficiently enrypted...
So, in summary this tip is mainly intended to be directed towards those who only have FTP as an option (free hosting?) for remote storage... Yes, an SSH or SSL protected WebDav connection on a server you control would be the preferred method...
I appreciate your comments, and please reply if I missed something...
Thanks again...
James...
Post a Comment
<< Home