Encrypted ufsrestore script

Solaris 10 comes with four encryption algorithms built in: AES, arcfour, DES and 3DES. To create a basic AES encryption key for use with this script (and the related backup.enc script) use:

# mkdir /etc/keys
# dd if=/dev/random of=/etc/keys/backup_aes.key bs=16 count=1

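See the Solaris man pages for cryptoadm, encrypt, decrypt, dd and random, and the Solaris 10 System Administration Guide: Security Services, for much more detailed information. The key file is the only secret protecting the backup tapes, so keep /etc/keys and the key file readable by root only (for example, chmod 700 on the directory and chmod 400 on the key file), and keep a protected copy off the host: without the key the tapes cannot be restored.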

#!/usr/bin/ksh
#
# Encrypted restores with ufsrestore
# Reads backup tapes made with backup.enc. Each archive is located by its
# position on the tape, so the order in which backup.enc dumps the filesystems
# is critical and must be REPEATED in this script.
# Can be used to perform a full restore of a filesystem or an interactive
# restore of selected files/directories. 
# 

#
# Global Settings
#
# --- Tape device -----------------------------------------------------------
# Device handed to every mt(1) call and to decrypt -i further down.
TAPE_DRV='/dev/rmt/0n'
TAPE_SRV='jupiter'

# --- Decryption key --------------------------------------------------------
# Default AES key file; the -k option overrides it.
# NOTE(review): whoever can read this file can decrypt the backup tapes;
# confirm that it and /etc/keys are accessible to root only.
KEY='/etc/keys/backup_aes.key'

# --- Hosts and filesystems -------------------------------------------------
# The order of DIR_LIST matches the tape positions used below:
# root=0, var=1, home=2, data1=3.
HOST_LIST='jupiter'
DIR_LIST='/ /var /export/home /data1'

# --- Reporting -------------------------------------------------------------
# None of these are referenced in the visible part of this script.
# NOTE(review): LOGDIR sits under /var/tmp; if logs are ever written there,
# create the directory with restrictive permissions first.
MAILLIST='admins@example.co.uk'
LOGDIR='/var/tmp/enc/backup_logs'
LOGFILE="enc_backup.log.$$"      # $$ appends the PID of this shell

# --- Restore mode flags ----------------------------------------------------
# Set to TRUE by -f (full) and -i (interactive) during option parsing.
full='false'
inter='false'

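#
# usage - print the command-line synopsis and terminate the script.
#
# Outputs: the usage text, on stderr. This function is only reached on a
#          bad or -h invocation and always exits non-zero, so the text is a
#          diagnostic and must not mix with restore output on stdout.
# Exits:   always, with status 3.
#
function usage
{
cat >&2 << EOF 
Usage: $0 : -a root|var|home|data1 [-k /path/to/key] -f | -i

Note: 

You must specify the archive to restore
-f and -i are mutually exclusive
-k default key is /etc/keys/backup_aes.key

EOF
exit 3
}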

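echo "Encrypted Restore Script"
echo ""
echo "Restore on"
date
echo ""

# Start from known-empty values so an inherited environment variable named
# "dir" or "resopts" cannot select an archive or a restore mode by accident.
dir=
resopts=

# Option parsing:
#   -a NAME  archive to restore (root|var|home|data1)
#   -k FILE  AES key file (overrides the default in KEY)
#   -f       full restore        -> ufsrestore xvf
#   -i       interactive restore -> ufsrestore ivf
#   -h       usage
while getopts a:k:fih r
do
   case $r in
      a) dir=$OPTARG;;
      k) KEY=$OPTARG;;
      f) full=TRUE
         resopts=xvf;;
      i) inter=TRUE
         resopts=ivf;;
      h) usage;;
      *) usage;;
   esac
done

if [ "$full" = "TRUE" ] && [ "$inter" = "TRUE" ]
then
    echo "-i and -f options are mutually exclusive" >&2
    usage
fi

# Without -f or -i, resopts is empty and ufsrestore would be started with no
# function letter at all, so refuse up front.
if [ "$full" != "TRUE" ] && [ "$inter" != "TRUE" ]
then
    echo "one of -f or -i is required" >&2
    usage
fi

# Translate the archive name into its file number on the tape. A missing or
# unknown name is rejected: otherwise the tape would stay at position 0 after
# the rewind and the root archive would be restored without being asked for.
case "$dir" in
  root)  archive=0 ;;
  var)   archive=1 ;;
  home)  archive=2 ;;
  data1) archive=3 ;;
  *)
       echo "unknown or missing archive: '$dir'" >&2
       usage
       ;;
esac

# Fail before touching the tape if the key cannot be read.
if [ ! -f "$KEY" ] || [ ! -r "$KEY" ]
then
    echo "cannot read key file: $KEY" >&2
    exit 1
fi

echo "checking tape"
mt -f "$TAPE_DRV" rewind || {
    echo "rewind failed on $TAPE_DRV" >&2
    exit 1
}
mt -f "$TAPE_DRV" status

# If positioning fails, the data read next belongs to a different filesystem
# than the one requested, so stop rather than restore the wrong archive.
echo "positioning at archive $archive"
mt -f "$TAPE_DRV" fsf "$archive" || {
    echo "could not position $TAPE_DRV at archive $archive" >&2
    exit 1
}
mt -f "$TAPE_DRV" status

echo "Restoring with \
decrypt -a aes -k ${KEY} -i ${TAPE_DRV} | ufsrestore $resopts -"

# NOTE(review): ufsrestore restores relative to the current directory;
# confirm the script is started from the intended target directory.
# NOTE(review): the decrypted stream goes straight into ufsrestore. Confirm
# whether the encrypt/decrypt format authenticates the data; if it does not,
# a modified tape is not detected at this point.
# The exit status of the script is that of ufsrestore, the last pipeline stage.
decrypt -a aes -k "${KEY}" -i "${TAPE_DRV}" | ufsrestore "$resopts" -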