* [gentoo-user] Off-site data backup
@ 2007-06-27 13:51 Stroller
2007-06-27 14:21 ` Neil Bothwick
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Stroller @ 2007-06-27 13:51 UTC
To: gentoo-user
Hi there,
I have a couple of customers for whom I've configured Samba running
on Linux as their file-servers. We want to do off-site back-up & I
like the idea of http://www.rsync.net/ which I read as recommended by
a user here or on Slashdot some considerable time ago.
However I'm not clear on the best way to secure our data when storing
it on their servers - it's great to be able to use an open-source /
open-standards protocol such as SSH when transferring data, but this
does not protect it in the event that the off-site servers are
compromised. I am sure this isn't likely to happen but still it's
something we must consider.
It seems to me that we can stuff all our data in a tarball & encrypt
it using PGP or similar (probably a symmetric algorithm (??) rather
than PGP, but you get the idea) but that would seem to prevent
incremental back-ups - using conventional back-up tools the single
encrypted tarball will be seen to have changed each night and so will
require completely uploading. Since our data could easily comprise
several gigs this is clearly unwieldy, and encrypting thousands of
single files and storing them remotely would seem to me to be clumsy
also.
Does anyone have any thoughts on this, please?
I have read of zsync which allows only the changes in a large single
file to be propagated but I'm not really sure if it's suitable for
these purposes.
Thanks in advance for any suggestions,
Stroller.
--
gentoo-user@gentoo.org mailing list
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [gentoo-user] Off-site data backup
2007-06-27 13:51 [gentoo-user] Off-site data backup Stroller
@ 2007-06-27 14:21 ` Neil Bothwick
2007-06-29 20:27 ` Stroller
2007-06-27 17:40 ` Richard Cox
2007-06-28 9:06 ` [gentoo-user] " Alexander Skwar
2 siblings, 1 reply; 5+ messages in thread
From: Neil Bothwick @ 2007-06-27 14:21 UTC
To: gentoo-user
On Wed, 27 Jun 2007 14:51:25 +0100, Stroller wrote:
> I have a couple of customers for whom I've configured Samba running
> on Linux as their file-servers. We want to do off-site back-up & I
> like the idea of http://www.rsync.net/ which I read as recommended by
> a user here or on Slashdot some considerable time ago.
>
> However I'm not clear on the best way to secure our data when storing
> it on their servers - it's great to be able to use an open-source /
> open-standards protocol such as SSH when transferring data, but this
> does not protect it in the event that the off-site servers are
> compromised. I am sure this isn't likely to happen but still it's
> something we must consider.
>
> It seems to me that we can stuff all our data in a tarball & encrypt
> it using PGP or similar (probably a symmetric algorithm (??) rather
> than PGP, but you get the idea) but that would seem to prevent
> incremental back-ups - using conventional back-up tools the single
> encrypted tarball will be seen to have changed each night and so will
> require completely uploading. Since our data could easily comprise
> several gigs this is clearly unwieldy, and encrypting thousands of
> single files and storing them remotely would seem to me to be clumsy
> also.
I've recently switched from Strongspace to rsync.net and now use
Duplicity to do the backups. This uses GPG to encrypt the backups and
handles incremental backups. Duplicity is in portage with a good man
page, there is also documentation on using it with rsync.net on their
support pages as it is their recommended solution for encrypted backups.
--
Neil Bothwick
BASIC: Bill's Attempt to Seize Industry Control
^ permalink raw reply [flat|nested] 5+ messages in thread
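An added example, not part of any post in this thread and not Duplicity's code: it shows why the nightly encrypted tarball described in the first message must be re-uploaded in full, and why diffing locally before encrypting keeps the upload small. toy_encrypt is a constructed stand-in for GPG (not a secure cipher), the fixed-offset block hashing is a simplification of rsync-style matching, and all function names are hypothetical.

```python
import hashlib
import os

BLOCK = 4096  # comparison block size (assumed for this sketch)

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for GPG symmetric encryption: fresh random nonce per run,
    SHA-256 counter keystream. Illustration only, not a secure cipher."""
    nonce = os.urandom(16)
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return nonce + bytes(out)

def block_hashes(data: bytes) -> list:
    return [hashlib.sha256(data[i:i + BLOCK]).digest()
            for i in range(0, len(data), BLOCK)]

def blocks_to_upload(old: bytes, new: bytes) -> int:
    """Blocks of `new` that a block-matching transfer cannot reuse from `old`."""
    known = set(block_hashes(old))
    return sum(1 for h in block_hashes(new) if h not in known)

def encrypted_delta(key: bytes, signatures: list, new: bytes) -> bytes:
    """Diff against last night's plaintext signatures (kept locally),
    then encrypt only the changed blocks for upload."""
    payload = b""
    for idx, h in enumerate(block_hashes(new)):
        if idx >= len(signatures) or signatures[idx] != h:
            payload += idx.to_bytes(4, "big") + new[idx * BLOCK:(idx + 1) * BLOCK]
    return toy_encrypt(key, payload)

def demo() -> tuple:
    key = os.urandom(32)
    night1 = os.urandom(64 * BLOCK)          # constructed 256 KiB "tarball"
    edited = bytearray(night1)
    edited[10 * BLOCK] ^= 0xFF               # one byte changes overnight
    night2 = bytes(edited)
    plain = blocks_to_upload(night1, night2)
    whole = blocks_to_upload(toy_encrypt(key, night1), toy_encrypt(key, night2))
    delta = encrypted_delta(key, block_hashes(night1), night2)
    return plain, whole, len(delta)

if __name__ == "__main__":
    print("plaintext blocks to send: %d, encrypted-tarball blocks: %d, "
          "encrypted delta bytes: %d" % demo())
```

The remote side only ever holds ciphertext in both cases; the difference is that the block signatures used for diffing stay on the machine that owns the key.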
* Re: [gentoo-user] Off-site data backup
2007-06-27 13:51 [gentoo-user] Off-site data backup Stroller
2007-06-27 14:21 ` Neil Bothwick
@ 2007-06-27 17:40 ` Richard Cox
2007-06-28 9:06 ` [gentoo-user] " Alexander Skwar
2 siblings, 0 replies; 5+ messages in thread
From: Richard Cox @ 2007-06-27 17:40 UTC
To: gentoo-user
On Wed, Jun 27, 2007 at 02:51:25PM +0100, Stroller wrote:
> Hi there,
> [clip]
> Does anyone have any thoughts on this, please?
>
> I have read of zsync which allows only the changes in a large single
> file to be propagated but I'm not really sure if it's suitable for
> these purposes.
>
> Thanks in advance for any suggestions,
>
> Stroller.
Off the top of my head I can think of two different ways you can store the files that would keep them safe.
CryptFS
One, put all of the backups on an encrypted partition. Only mount that partition when you're ready to do a backup (that might require someone to log in on their own and start it however).
RBAC
This may take more time to get a machine set up, but grsec is really good at ACLs. Set up a dedicated user and with GRSEC allow only that one user to access whatever directory you place your backups in. This is another layer of security, so even if they get the root account, they still don't have access to that directory. They will have to use the gradm password to elevate themselves to get at it (use a complex password for gradm :) ). Basically everything here will help out (includes a quick pointer on RBAC) http://www.gentoo.org/proj/en/hardened/grsecurity.xml
Hope that helps
-Rick
^ permalink raw reply [flat|nested] 5+ messages in thread
* [gentoo-user] Re: Off-site data backup
2007-06-27 13:51 [gentoo-user] Off-site data backup Stroller
2007-06-27 14:21 ` Neil Bothwick
2007-06-27 17:40 ` Richard Cox
@ 2007-06-28 9:06 ` Alexander Skwar
2 siblings, 0 replies; 5+ messages in thread
From: Alexander Skwar @ 2007-06-28 9:06 UTC
To: gentoo-user
Stroller <stroller@stellar.eclipse.co.uk> wrote:
> Does anyone have any thoughts on this, please?
I'm using (or shortly will, if you check the mailing lists) DAR
to do backups. DAR also supports on-the-fly encryption using
blowfish.
I also had a look at duplicity, but I did not really like it.
Can't expand on that more, though.
Alexander Skwar
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [gentoo-user] Off-site data backup
2007-06-27 14:21 ` Neil Bothwick
@ 2007-06-29 20:27 ` Stroller
0 siblings, 0 replies; 5+ messages in thread
From: Stroller @ 2007-06-29 20:27 UTC
To: gentoo-user
On 27 Jun 2007, at 15:21, Neil Bothwick wrote:
> On Wed, 27 Jun 2007 14:51:25 +0100, Stroller wrote:
>
>> I have a couple of customers for whom I've configured Samba running
>> on Linux as their file-servers. We want to do off-site back-up & I
>> like the idea of http://www.rsync.net/ which I read as recommended by
>> a user here or on Slashdot some considerable time ago.
> ...
> I've recently switched from Strongspace to rsync.net and now use
> Duplicity to do the backups. This uses GPG to encrypt the backups and
> handles incremental backups. Duplicity is in portage with a good man
> page, there is also documentation on using it with rsync.net on their
> support pages as it is their recommended solution for encrypted
> backups.
Thanks Neil, Richard & Alexander for your replies. I actually emailed
Rsync.net at the same time I posted to the list and this is what they
came back with, too. I hadn't found this page
<http://rsync.net/products/encrypted.html> on their website until they pointed it out.
I can't say I've yet examined Duplicity closely enough to say I'm
101% happy with it, but enough that I've signed the customer up for
an account & will have a go at setting it up over the weekend.
Thanks,
Stroller.
^ permalink raw reply [flat|nested] 5+ messages in thread