On Fri, Oct 30, 2009 at 01:05:54PM -0700, Ross Boylan wrote:
> Does anyone have any advice about how to snapshot an encrypted volume so
> that the snapshot won't leak information?
>
> This is for a backup; I'm aware that the backup system involves
> additional security challenges. I want to do a file-based, rather than
> disk-image, backup.

Hmm. Use "tar -f" to do an archive file and encrypt that image
on-the-fly with pgp/GnuPG. This way you can write the backup directly
to unencrypted space.

The command could look as follows:

  tar cf - <path_to_data> | gpg -e -r <key owner> -o backup.tar.gpg -

Compression by tar is a bit redundant, as PGP/GnuPG also compress,
but YMMV. The "f -" part to tar causes it to write to STDOUT and
the trailing "-" causes gpg to read from STDIN. In that case
gpg needs the output file name via "-o".

The above requires you to have a key for <key owner> set up, and
the security of the backup then depends on the security of that key.
Note that you do not need the passphrase for encryption, only later
for decryption.

If you want to use a passphrase for the backup instead (no
public-key crypto involved), use the -c option to gpg. You can supply
the passphrase in several ways, see the --passphrase-<something>
options.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
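
Added example, not part of the original post: the passphrase (-c) variant of the pipeline above as POSIX shell functions that also catch a tar failure, which the pipeline's exit status (gpg's alone) would otherwise hide behind a valid-looking encrypted file. It assumes GnuPG 2.1 or later; the function names and the passphrase-file argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GnuPG >= 2.1.
# Function names and the passphrase-file argument are hypothetical.

# encrypted_backup SRC_DIR OUT_FILE PASSPHRASE_FILE
# Streams tar straight into gpg, so no plaintext archive touches the disk.
encrypted_backup() (
    src=$1; out=$2; passfile=$3
    umask 077                      # ciphertext and marker file owner-only
    ok=$(mktemp) || exit 1
    rc=0
    # The pipeline's status is gpg's alone, so tar records its own success
    # in a marker file. Without this, a failed tar still yields a "good"
    # encrypted file that contains a truncated or empty archive.
    { tar cf - -C "$src" . && echo done > "$ok"; } |
        gpg --batch --yes --pinentry-mode loopback \
            --passphrase-file "$passfile" -c -o "$out.partial" - || rc=$?
    [ -s "$ok" ] || rc=1
    rm -f "$ok"
    # Publish the backup under its final name only if both stages succeeded.
    if [ "$rc" -eq 0 ]; then
        mv "$out.partial" "$out"
    else
        rm -f "$out.partial"
    fi
    exit "$rc"
)

# list_backup OUT_FILE PASSPHRASE_FILE
# Restore test: decrypts into a pipe and lists the archive members.
# Fails if either gpg (wrong passphrase, corrupt data) or tar fails.
list_backup() (
    ok=$(mktemp) || exit 1
    rc=0
    { gpg --batch --quiet --pinentry-mode loopback \
          --passphrase-file "$2" -d "$1" && echo done > "$ok"; } |
        tar tf - || rc=$?
    [ -s "$ok" ] || rc=1
    rm -f "$ok"
    exit "$rc"
)
```

Keep the passphrase file itself on the encrypted volume or another protected location, with owner-only permissions.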