Re: Encrypted remote backups & issues

>>>>> "Christian" == Christian Jaeger <christian.jaeger@xxxxxxxxxxxxxxx> writes:
    Christian> I'd like to do incremental encrypted remote backups. I thought
    Christian> this might be a solution: use nbd (network block device, from
    Christian> standard kernel) to access the backup partition or file on the
    Christian> server.

  And, you'd like them encrypted on the remote system, not just protected
between local and remote systems?

  If it was just protected, I'd use NFS over IPsec. I use that regularly,
although there are shutdown issues - you have to make sure to unmount the
NFS partitions before the IPsec is shut down. Normally Debian does that in
the opposite order, and you get stuck :-)

    Christian> 2. I realize that cryptoloop does not use checksums/signatures
    Christian> at all. Of course that means that an attacker can easily
    Christian> destroy my backup volume while in transit or while stored on
    Christian> the (broken in) backup server in subtle ways, so that I won't

  That's where the NFS underlying layer to a large file might be a better
choice than NBD.

    Christian> Are there alternatives? tar|gpg|netcat(+md5) is a solid
    Christian> solution but requires full backups each time. Anything else?

  Yes, you could use tar in incremental backup mode, or you could use "dump"!

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [
-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
