Q: How do I encrypt file transfers with dd and netcat?

A: This question came to us in response to the article Backup Files and Partitions with dd and netcat.

Encrypting these file transfers is quite simple.

As in the previous article, we will set up the server to listen on port 9999 and redirect output to “file.backup”:

server$ nc -l -p 9999 | openssl aes-256-cbc -salt -d > file.backup
enter aes-256-cbc decryption password:

 
Once you’ve entered a password, netcat will sit there waiting for data and automatically terminate once it has received the file.

On the client side, the commands are similar, but rather than telling OpenSSL to decrypt the traffic, we’ll ask it to encrypt. We’ll assume the netcat server is 10.0.0.2.

client$ openssl aes-256-cbc -salt -e < file-to-transfer | nc 10.0.0.2 9999
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

You'll have to choose the same password as you did on the server; if you don't, you'll receive errors such as:

server$ nc -l -p 9999 | openssl aes-256-cbc -salt -d > file.backup
enter aes-256-cbc decryption password:
bad decrypt
6194:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/usr/src/crypto/dist/openssl/crypto/evp/evp_enc.c:461:

 
As before, you can verify file integrity via checksums.

client$ sha1 file-to-transfer
SHA1 (file-to-transfer) = 6476df3aac780622368173fe6e768a2edc3932c8

server$ sha1 file.backup
SHA1 (file.backup) = 6476df3aac780622368173fe6e768a2edc3932c8
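
Added example (not from the original article): a local run, with a temp file standing in for the netcat link, showing that a single changed byte in the aes-256-cbc stream still decrypts without "bad decrypt", so the checksum comparison is the step that catches it. The passphrase, data and function names are constructed for the demonstration, and `-pbkdf2` (OpenSSL 1.1.1 or later) is an addition to the article's command line.

```shell
#!/bin/sh
# Added example: constructed passphrase and data; a temp file stands in for
# the netcat link. -pbkdf2 needs OpenSSL 1.1.1+ and is not in the article.
PASS='constructed-demo-passphrase'

enc()    { openssl aes-256-cbc -salt -pbkdf2 -e -pass "pass:$PASS"; }
dec()    { openssl aes-256-cbc -salt -pbkdf2 -d -pass "pass:$PASS"; }
digest() { openssl dgst -sha256; }

# Flip the lowest bit of the byte at offset $2 of file $1, in place.
flip_bit() {
    old=$(dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    new=$(( old ^ 1 ))
    printf "\\$(printf '%03o' "$new")" |
        dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# transfer clean|tampered
# Prints openssl's exit status on decryption and the digest verdict,
# e.g. "0 match".
transfer() {
    dir=$(mktemp -d) || return 2
    i=0
    while [ "$i" -lt 8 ]; do          # 8 lines x 14 bytes = 112 bytes
        echo "backup line $i"
        i=$((i + 1))
    done > "$dir/plain"
    sent=$(digest < "$dir/plain")      # client-side checksum
    enc < "$dir/plain" > "$dir/wire"   # what would travel through nc
    if [ "$1" = tampered ]; then
        # Bytes 0-15 are "Salted__" plus the salt; 16 is the first ciphertext byte.
        flip_bit "$dir/wire" 16
    fi
    dec < "$dir/wire" > "$dir/received" 2>/dev/null
    rc=$?
    got=$(digest < "$dir/received")    # server-side checksum
    rm -rf "$dir"
    if [ "$sent" = "$got" ]; then verdict=match; else verdict=MISMATCH; fi
    echo "$rc $verdict"
}

echo "clean:    $(transfer clean)"
echo "tampered: $(transfer tampered)"
```

In the tampered run openssl exits with status 0 while the digests differ: "bad decrypt" only reports a padding failure in the final block, so the checksum comparison is what confirms the file arrived intact.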

 
"How do I really know it's encrypting the data?" you may ask. You could always sniff the wire, but here is a simple demonstration.

We'll start by removing the decryption commands from the server and see what the result is.

client$ cat file-to-transfer
this is a test

server$ nc -l -p 9999 > file.backup

client$ openssl aes-256-cbc -salt -e < file-to-transfer | nc 10.0.0.2 9999
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

server$ cat file.backup
ëÇQÔ0^¥ôÖ(à0xKÑdÅ

server$ openssl aes-256-cbc -salt -d < file.backup
enter aes-256-cbc decryption password:
this is a test


One Response to Q: How do I encrypt file transfers with dd and netcat?

  1. Halit says:

    Good post bro. Thanks
