Last Updated: August 20, 2018
· pentago

OpenSSL Encrypted Tar Backups for UNIX-like's

This method uses the static file with password to encrypt the tar archives.
It's really convenient for cron-scheduled backups.

If you want to enter password each time ommit steps 1-3 and each -pass switch/value to openssl.

  • Generate long (e.g 40 characters) random password in ~/.pass :

head -c 100 /dev/urandom | strings -n1 | tr -d '[:space:]' | head -c 40 >> ~/.pass

  • Export custom PASS variable in your shell rc file to point to our password file and source it:

echo "export PASS=~/.pass" >> ~/.zshrc && source ~/.zshrc

  • Protect it from prying eyes:

chmod 400 ~/.pass

  • Compress and encrypt archive with defined password:

tar czf - /some-dir-or-file | openssl enc -e -aes-256-cbc -out archive.enc -pass env:PASS

  • To decrypt the archive issue the following:

openssl enc -d -aes-256-cbc -in archive.enc -pass env:PASS | tar zxf -


3 Responses
Add your response


Using 'env:PASS" as the password makes it use the variable itself: "~/.pass" as the password. This is obviously very bad. I would suggest taking this posting down and refraining from giving further advice.

Also, first command won't always result in 40 characters, and if you're really unlucky, could result in none. Suggest replacing 'head -c 100' with 'cat'.

over 1 year ago ·

@marcisreid RTFM before you complain.... it works correctly env: casuses openssl to use env

you can test it by using 2 different variables (if you still insist on not typing man openssl) with same content, like that:

date > date;export PASS1=pwd ; export PASS2=pwd ;cat date| openssl enc -e -aes-256-cbc -out archive.enc -pass env:PASS1 ;openssl enc -d -aes-256-cbc -in archive.enc -pass env:PASS2

over 1 year ago ·

As this was still one of the first google hits i just want to say that marcusreid is right! Setting the variable to "~/.pass" results in "~/.pass" as the encryption password. If you want to use a file, simply use "-pass file:/path/to/file"

over 1 year ago ·