BackupPC-users

Re: [BackupPC-users] pre-backup encryption? user wants files to be inaccessible even to me :-)

2010-03-23 20:02:24
Subject: Re: [BackupPC-users] pre-backup encryption? user wants files to be inaccessible even to me :-)
From: Luis Paulo <luis.barbas AT gmail DOT com>
To: "General list for user discussion, questions and support" <backuppc-users AT lists.sourceforge DOT net>
Date: Wed, 24 Mar 2010 00:00:23 +0000
You'll have to find a solution that leaves something final on the client, like a key, a secret.
The client will eventually change and forget it.
If you tie that to your backup solution, you'll end up as... the guy that can't even provide a backup solution.

If encryption it is, either the encryption is client responsability, or I keep the responsability and the key. I'll try not to tie a solution I control (or at least may audit) with one I can't.

A bit simplified, isn't it? :)

2010/3/23 Frank J. Gómez <frank AT crop-circle DOT net>
I have an interesting situation here.  One of my users refuses to participate in the system of backups because she's concerned about the security of her files.  She agreed to participate if I can make the system work such that even I am unable to see the contents of her files.  She's running Windows -- XP Home, I believe.

A little Googling and some brainstorming leads me to consider three courses of action.
  1. Use a pre-dump command to encrypt the files before BackupPC reads her files.  I've not used pre-dump commands before, so I'm not entirely sure how they work, but I imagine I could tell BackupPC to read only c:\foo, but, prior to doing that, run a script which takes the files in c:\my\sensitive\junk and creates an encrypted archive in c:\foo.  I assume the pre-dump script would live in the cygwin environment, which is probably better for me anyway, since I don't know anything about Windows scripting.  If this were a Linux system, I'd tar the files up and then pass the tar to gnupg, but I don't know if this is possible in a cygwin environment.  Then, post-dump, I'd shred (or rm, if shred is unavailable) the temporary file in c:\foo.
  2. Some post I read somewhere suggested you could simply change your compression method or transfer method to a script that does the encryption before writing to disk.  Nice thing about this idea is I can do all the configuration on the server.  Does sound a little scary though!
  3. Use scheduled tasks (or whatever the Windows equivalent of cron is) to periodically create/delete encrypted archives, independent of BackupPC scheduling.
How would you do it?  What encryption software would you use?

Cheers,
-Frank

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/


------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
<Prev in Thread] Current Thread [Next in Thread>