BackupPC-users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [BackupPC-users] Encrypting BackupPC TopDir

2010-02-16 04:41:14
Subject: Re: [BackupPC-users] Encrypting BackupPC TopDir
From: Pieter Wuille <sipa AT users.sourceforge DOT net>
To: backuppc-users AT lists.sourceforge DOT net
Date: Tue, 16 Feb 2010 10:38:28 +0100 
On Mon, Feb 15, 2010 at 04:32:41PM -0500, tribat wrote:
> 
> Would be cool to get the BackupPC TopDir on an encrypted container so I could 
> backup machines that are running an encrypted OS. 
> 
> I found out that dm_crypt can be used between a loop mounted FS container to 
> encrypt all the data in that container, there's just one problem, the size of 
> the container isn't dynamic. So as the backup space requirements change you 
> would need to manually shrink and grow the container and the filesystem in 
> it. I don't want that.

Well that is a problem with the container, not the encrypted loop device, since 
that one will grow/shrink along with its container.
I don't see how this is different from a non-encrypted setup, since the same 
problem arises there: you will need to grow the partition/lvm volume/... and 
the filesystem in it.

Just to make sure it is reasonable to do this, here is our setup:
- two disks in raid1, used as lvm physical volume
- logical volume for backuppc inside it
- cryptsetup/LUKS encryption of volume
- xfs filesystem (many hardlinks supported, very good for backuppc) in 
encrypted volume

The logical volume (in encrypted form, without the encryption keys) is 
synchronised from time to time to an offsite machine.

... and we have already increased the size of the logical volume as space ran 
out once, and the XFS filesystem in it.

> The only dynamic crypto container solution I found was EncFS, it seems to be 
> the perfect tool for the job. I tried and tried and tried on my Debian Lenny 
> but I just couldn't get the TopDir to work on an EncFS mount residing on an 
> ext3 partition. 

EncFS should be able to do the job i think, though i haven't tried it. Just 
make sure you don't enable "External IV Chaining", since that doesn't work with 
the hardlinks that backuppc needs.

Overall, i believe more in disk-level encryption than file-level encryption... 
it is faster (in-kernel instead of in userspace, and no per-file overhead), and 
more secure (doesn't leak any information about the filesystem structure in 
it), and i would only use it in cases where disk-level encryption isn't 
flexible enough (only a subdirectory needs to be encrypted, or you need some of 
the paranoid options of encfs).

Kind regards,

-- 
Pieter

------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [BackupPC-users] Tar exited..., Michael Kuss
Next by Date:  [BackupPC-users] Encrypting BackupPC TopDir, tribat
Previous by Thread:  [BackupPC-users] Encrypting BackupPC TopDir, tribat
Next by Thread:  [BackupPC-users] Encrypting BackupPC TopDir, tribat
Indexes:  [Date] [Thread] [Top] [All Lists]