I'd like to do incremental encrypted remote backups. I thought this might be a solution: use nbd (network block device, from standard kernel) to access the backup partition or file on the server.

nbd-client $host $port /dev/nbd/0
losetup -e blowfish /dev/loop0 /dev/nbd/0

# optional: ext3 journal device:
backupjournal=/root/backup.journal
dd bs=4096 count=8192 < /dev/zero > $backupjournal
# losetup takes the loop device first, then the backing file
losetup /dev/loop1 $backupjournal
mke2fs -O journal_dev /dev/loop1

# ext3 filesystem on the encrypted loop device, journal on /dev/loop1
mke2fs -j -J device=/dev/loop1 /dev/loop0

mount /dev/loop0 /mnt/loop0
mkdir /mnt/loop0/{data,trash}

# files deleted or replaced on the client are moved to trash/ instead of being lost
rsync -aHxv --delete --exclude=$backupjournal \
      --backup-dir=/mnt/loop0/trash/ / /mnt/loop0/data/

These are the problems and issues I'm asking here:
1. My client OS (Linux 2.4.22 + ben1 (Ben Herrenschmidt's powerpc patch) + freeswan) freezes completely every now and then. At first, I thought it was because I used an NBD partition of 8GB (e.g. large file), it froze right in the middle of the mke2fs. I then upgraded nbd-server+-client to the current Debian unstable versions and retried with 1.5GB, which worked well, until I copied a few 100MB of data onto the filesystem, then froze again.
Is cryptoloop not yet stable? Is NBD to blame? Is it the combination of both? Is it the journaling to blame? Is it that I'm tunneling the nbd data stream through an ssh tunnel (see below)?
2. I realize that cryptoloop does not use checksums/signatures at all. Of course that means that an attacker can easily destroy my backup volume while in transit or while stored on the (broken in) backup server in subtle ways, so that I won't notice it except that some random files are broken etc., and maybe he can even make the client os crash (because of bad filesystem structures) or other bad stuff. I'd like to have a way to prevent this. Currently I'm tunneling the traffic through ssh (how ironic) and simply hoping that the image on the server is never modified by third parties.
Are there alternatives? tar|gpg|netcat(+md5) is a solid solution but requires full backups each time. Anything else?
Thanks for any answers
Christian.

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
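
Added example, not part of the original post: one way to detect the silent modification of the stored image described in point 2 is a keyed per-block tag list that is computed over the encrypted image and kept on the client, never on the backup server. The function names, the sample key and the sample data are assumptions made for illustration; the 4096-byte block size follows the commands in the post.

```python
import hashlib
import hmac
import io
import struct

BLOCK_SIZE = 4096  # same block size as the dd command in the post


def block_tags(image, key, block_size=BLOCK_SIZE):
    """Return one HMAC-SHA256 tag per block of the (encrypted) image.

    The block index is mixed into each tag, so swapping two valid
    blocks is detected as well as overwriting one.
    """
    tags = []
    index = 0
    while True:
        block = image.read(block_size)
        if not block:
            break
        msg = struct.pack(">Q", index) + block
        tags.append(hmac.new(key, msg, hashlib.sha256).digest())
        index += 1
    return tags


def verify_image(image, key, manifest, block_size=BLOCK_SIZE):
    """Compare the image against the client-side manifest.

    Returns (bad_blocks, length_ok): the indices whose tag differs, and
    whether the image still has the recorded number of blocks, which
    catches truncation or extension of the file on the server.
    """
    current = block_tags(image, key, block_size)
    bad = [i for i, (a, b) in enumerate(zip(current, manifest))
           if not hmac.compare_digest(a, b)]
    return bad, len(current) == len(manifest)


if __name__ == "__main__":
    # Constructed sample: 8 distinct blocks standing in for the ciphertext.
    key = b"constructed-demo-key-kept-on-client"
    original = b"".join(bytes([i]) * BLOCK_SIZE for i in range(8))
    manifest = block_tags(io.BytesIO(original), key)
    tampered = bytearray(original)
    tampered[5 * BLOCK_SIZE + 17] ^= 0x01  # one flipped bit in block 5
    print(verify_image(io.BytesIO(bytes(tampered)), key, manifest))
```

This only detects changes before the volume is mounted; it does not repair them, and the tag list has to be regenerated on the client after each backup run.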