Simple backup tape encryption
2005-06-24 04:14:52
I would like to propose an idea for the Amanda wishlist. Assuming there
aren't enough items on that list already...
What I would like to see is the option of simple encryption of backup
tapes. I'm not looking for over-the-wire encryption or client side
encryption, I just want my tapes to be useless to anyone who finds or
steals one, and I want legitimate restores to be hampered as little as
possible.
As motivation, consider the recently lost and presumably unencrypted
tapes mentioned in this article at the Register:
http://www.theregister.co.uk/2005/06/07/citigroup_lost_tape/
I'm aware of the interesting work done at the University of Chicago:
http://security.uchicago.edu/tools/gpg-amanda/
But Mike Delaney's message to the list of May 30, 2005 (Re: Amanda with
GPG) suggests that restoring/recovering becomes pretty hairy with this
setup. (That is a pretty poor paraphrase of Mike's explanation; please
look up his message in the archives for a more clear and accurate
presentation.) Also, it seems to me that a server-side encryption
scheme could be localized to a handful of parameters in the Amanda
configuration file, which would be much easier for Amanda admins to set up.
What I am imagining is putting a simple symmetric encryption key for
perhaps AES encryption in the Amanda config file, and then perhaps
enabling encryption in dumptype records. Assuming encryption is the
last thing that happens before a DLE goes to tape and the first thing
that happens on the way back, most of the Amanda chain would not need to
know about the presence of any encryption. And for disaster recovery,
you would presumably want to have a printout of your Amanda config
offsite, so your password would be recoverable.
As a start, is this idea conceptually sound? Maybe it could be
implemented already with wrapper scripts?
- Bruce
|
|
|