Unable to decrypt WATO backup from command line

jorge.garcia · November 17, 2022, 4:07pm

Hello,

I created a site backup using WATO applying encryption and I’m trying to decrypt this backup later from command line without success. Openssl says:
“rsa_ossl_private_decrypt:data greater than mod len:”

The srting I’m using is:
"openssl rsautl -decrypt -in /tmp/site-backup.tar.gz.enc -out /tmp/site-backup.tar.gz -inkey Check_MK_backup_key-1.pem

Please, What I’m doing wrong?
BR

CFriedrich · January 27, 2023, 9:46am

Hi @jorge.garcia
how did you solve this?

jorge.garcia · February 9, 2023, 3:11pm

Oh, sorry. I forgot to reply, my apologies.

I didn`t, It is not solved

BR

CFriedrich · February 9, 2023, 3:16pm

sanderbohm · July 18, 2023, 7:22am

Hi All, did someone find a solution for this?

mschlenker · July 18, 2023, 7:36am

Internally, when run from the GUI, mkbackup is called:

github.com

Checkmk/checkmk/blob/master/bin/mkbackup#L247


      
              ],
              opts={
                  "background": Opt(description="Fork and execute the program in the background."),
              },
              runner=lambda args, opts, config: mode_backup(args[0], opts=opts, config=config),
          ),
          "restore": Mode(
              description=(
                  "Starts the restore of a backup. In case you want to restore an encrypted backup, "
                  "you have to provide the passphrase of the used backup key via the environment "
                  "variable 'MKBACKUP_PASSPHRASE'. For example: MKBACKUP_PASSPHRASE='secret' mkbackup "
                  "restore ARGS."
              ),
              args=[
                  Arg(
                      id="Target-ID",
                      description="The ID of the backup target to work with",
                  ),
                  Arg(
                      id="Backup-ID",
                      description="The ID of the backup to restore",

CFriedrich · July 18, 2023, 7:46am

Hi @sanderbohm
unfortunately I have not found a solution and was not able to decrypt the backup using the mkbackup script on command line. I find it a pity that there is no corresponding support from checkmk here.

You are welcome to vote for my feature request:

regards
Christian

gstolz · July 18, 2023, 6:48pm

Hi @CFriedrich,

did you test what @mschlenker suggested? I just ran an mkbackup restore from an encrypted backup and it worked.

$ MKBACKUP_PASSPHRASE="very_secret" mkbackup restore my_target_ID Check_MK-deb+cmkdev-dev_2_1-test-complete```

#(tested on 2.1.0p28)

CFriedrich · July 28, 2023, 12:33pm

Hi @gstolz ,
in my case I want to copy an encrypted backup to another server and restore it there. My first attempt looks like follows:

root@host
# omd restore /backup/site-bkp.tar.gz.enc
Failed to open the backup: file could not be opened successfully:
- method gz: ReadError('not a gzip file')
- method bz2: ReadError('not a bzip2 file')
- method xz: ReadError('not an lzma file')
- method tar: ReadError('invalid header')

The Site I want to restore does not exist on my server. If I understand you right, I first have to create the site to which I want to restore my backup. And then as site user use the command:

OMD[bkp]@host
MKBACKUP_PASSPHRASE="very_secret"
mkbackup restore /backup/site-bkp.tar.gz.enc

Should this work? And does mkbackup the same as odm restore?

best regards
Christian

gstolz · July 31, 2023, 8:00am

Hi,

afaik, mkbackup only restores the checkmk part, and omd is a little more, or at least used to be. I.e. pnp4nagios in the raw edition. So I share your understanding, for “mkbackup restore” to work, you first need an existing (albeit almost empty) site where you manually include the encryption key needed to decrypt the backup.

@mschlenker I looked for mkbackup documentation but there is very little so far, did I miss something, or is that on your todo list somewhere :)?

mschlenker · August 12, 2023, 7:01am

The preferred way to restore encrypted backups is to setup an empty site and run restore from the GUI there. Since mkbackup is only used internally and never was intended to be user facing, we will not document this tool.

However, AFAIK dev is working on adding the possibility to restore encrypted backups to omd backup. We will adjust the docs accordingly when this becomes available.

CFriedrich · August 22, 2023, 1:15pm

@mschlenker ,
thank you

Overlord · June 18, 2024, 10:57am

Any news on this? Is there a way to restore encrypted backups from CLI?

system · June 18, 2025, 10:57am

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.