[CentOS] Asymmetric encryption for very large tar file

Fri Dec 19 20:40:02 UTC 2014
Brian Mathis <brian.mathis+centos at betteradmin.com>

On Wed, Dec 17, 2014 at 12:14 PM, Xinhuan Zheng <xzheng at christianbook.com>
wrote:

> Hello CentOS list,
> I have a requirement that I need to use encryption technology to encrypt
> very large tar file on a daily basis. The tar file is over 250G size and
> those are data backup. Every night the server generated a 250G data backup
> and it¹s tar¹ed into one tarball file. I want to encrypt this big tarball
> file. So far I have tried two technologies with no success.
> 1) generating RSA 2048 public/private key pair via ³openssl req -x509
> -nodes -newkey rsa:2048 -keyout private.pem -out public.pem² command and
> uses the public key to encrypt the big tar file. The encryption command I
> used is "openssl smime -encrypt -aes256 -in  backup.tar -binary -outform
> DEM -out backup.tar.ssl  public.pem². The resulting backup.tar.ssl file is
> only 2G then encryption process stops there and refuse to do more. Cannot
> get around 2G.
> 2) generating GPG public/private key pair via ³gpg ‹gen-key² then encrypt
> with "gpg -e -u "backup" -r "backup² backup.tar². However, the gpg
> encryption stops at file size 50G and refuse to do more and the gpg
> process took over 48 hours.
> The server is very capable. It's 8 CPU Intel 2.33 GHz 16G RAM installing
> latest RHEL 5.11. Thought CentOS 5 is pretty much compatible in release
> with RHEL 5.
> I have searched google and found out a technique that utilizes the
> symmetric encryption. Then it needs to generate a symmetric key every day
> and uses public/private key pair to encrypt the symmetric key. However the
> drawback is that we don't know how to manage the symmetric key securely.
> We can't leave the un-encrypted symmetric key there on the server but we
> have to use the un-encrypted symmetric key for encryption process. Plus
> we'll need to manage the symmetric encryption key, public and private key
> pair 3 things securely.
> Has anyone had experience on managing the asymmetric encryption for very
> large file and what's the best practice for that?
> Thanks.
> - xinhuan
>


GPG is really what you want to be using for this.  OpenSSL is a general
toolkit that provides a lot of good functions, but you need to cobble some
things together yourself.  GPG is meant to handle all of the other parts of
dealing with files.

I will expand on what someone else mentioned -- asymmetric encryption is
not meant for, and has very poor performance for encrypting data, and also
has a lot of limitations.  The correct way to handle this is to create a
symmetric key and use that to encrypt the data, then use asymmetric
encryption to encrypt only the symmetric key.

GPG takes care of this all internally, so that's what you should be using.


❧ Brian Mathis
@orev
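The hybrid scheme Brian describes, done by hand with the stock openssl tool so the parts GPG hides internally are visible: a fresh random symmetric key encrypts the large file in a stream, and only that small key is RSA-encrypted to the backup public key, which also answers the original question of where the unencrypted symmetric key lives (only in a temporary file that is removed before the function returns). This is an added example, not code from the thread; the function names, the public.pem/private.pem file names and the 1 MB sample "tarball" are this example's own constructed choices, and it needs OpenSSL 1.1.1 or newer for the -pbkdf2 option.

```shell
#!/bin/sh
# Hybrid encryption with openssl: AES-256-CBC for the bulk data (streams, so
# no 2G/50G ceiling), RSA-OAEP to wrap the one-off symmetric key.
set -eu

make_keypair() {   # $1 = directory that receives private.pem and public.pem
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/private.pem" 2>/dev/null
    openssl pkey -in "$1/private.pem" -pubout -out "$1/public.pem"
}

# hybrid_encrypt PUBLIC_KEY INPUT OUTPUT
# Writes OUTPUT (AES ciphertext) and OUTPUT.key (RSA-wrapped symmetric key).
hybrid_encrypt() {
    pub=$1; in=$2; out=$3
    keyfile=$(mktemp)
    # 256 bits of fresh randomness, hex encoded; only ever read via -pass file:
    # so it never appears on a command line.
    openssl rand -hex 32 > "$keyfile"
    openssl enc -aes-256-cbc -salt -pbkdf2 -pass "file:$keyfile" \
        -in "$in" -out "$out"
    # Wrap the key to the backup public key (OAEP padding, 65 bytes fits easily)
    openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$keyfile" -out "$out.key"
    rm -f "$keyfile"   # the plaintext key does not stay on the server
}

# hybrid_decrypt PRIVATE_KEY INPUT OUTPUT   (INPUT.key must sit beside INPUT)
hybrid_decrypt() {
    priv=$1; in=$2; out=$3
    keyfile=$(mktemp)
    openssl pkeyutl -decrypt -inkey "$priv" \
        -pkeyopt rsa_padding_mode:oaep -in "$in.key" -out "$keyfile"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" \
        -in "$in" -out "$out"
    rm -f "$keyfile"
}

# Round trip on a constructed 1 MB random file; returns 0 when the
# decrypted copy is byte-identical to the original.
roundtrip_ok() {
    dir=$(mktemp -d)
    make_keypair "$dir"
    head -c 1000000 /dev/urandom > "$dir/backup.tar"
    hybrid_encrypt "$dir/public.pem" "$dir/backup.tar" "$dir/backup.tar.enc"
    hybrid_decrypt "$dir/private.pem" "$dir/backup.tar.enc" "$dir/restored.tar"
    if cmp -s "$dir/backup.tar" "$dir/restored.tar"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}
```

On the real 250G backup the private key should not be on the backup server at all; only public.pem is needed to encrypt, and private.pem stays wherever restores are done.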