Encrypted remote backups & issues
Hello
I'd like to do incremental encrypted remote backups. I thought this
might be a solution: use nbd (network block device, from standard
kernel) to access the backup partition or file on the server.
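
    # attach the backup partition or file exported by nbd-server
    nbd-client $host $port /dev/nbd/0
    # put the encrypting loop device (blowfish) on top of the nbd device
    losetup -e blowfish /dev/loop0 /dev/nbd/0
    # optional: ext3 journal device:
    backupjournal=/root/backup.journal
    # 8192 blocks of 4096 bytes = 32 MB local journal file
    dd bs=4096 count=8192 < /dev/zero > $backupjournal
    # losetup takes the loop device first, then the backing file
    losetup /dev/loop1 $backupjournal
    mke2fs -O journal_dev /dev/loop1
    mke2fs -j -J device=/dev/loop1 /dev/loop0
    mount /dev/loop0 /mnt/loop0
    mkdir /mnt/loop0/{data,trash}
    # --backup keeps replaced/deleted files; --backup-dir says where they go
    rsync -aHxv --delete --exclude=$backupjournal \
        --backup --backup-dir=/mnt/loop0/trash/ / /mnt/loop0/data/
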
These are the problems and issues I'm asking here:
1. My client os (linux 2.4.22 + ben1 (Ben Herrenschmidt's powerpc
patch) + freeswan) freezes completely every now and then. At first, I
thought it was because I used an NBD partition of 8GB (e.g. large
file), it froze right in the middle of the mke2fs. I then upgraded
nbd-server+-client to the current Debian unstable versions and
retried with 1.5GB, which worked well, until I copied a few 100MB of
data onto the filesystem, then froze again.
Is cryptoloop not yet stable? Is NBD to blame? Is it the
combination of both? Is it the journaling to blame? Is it that I'm
tunneling the nbd data stream through an ssh tunnel (see below)?
2. I realize that cryptoloop does not use checksums/signatures at
all. Of course that means that an attacker can easily destroy my
backup volume while in transit or while stored on the (broken in)
backup server in subtle ways, so that I won't notice it except that
some random files are broken etc., and maybe he can even make the
client os crash (because of bad filesystem structures) or other bad
stuff. I'd like to have a way to prevent this. Currently I'm
tunneling the traffic through ssh (how ironic) and simply hoping that
the image on the server is never modified by third parties.
Are there alternatives? tar|gpg|netcat(+md5) is a solid solution but
requires full backups each time. Anything else?
Thanks for any answers
Christian.
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
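
Point 2 of the message asks for a way to notice modification of the encrypted image on the server. One possible approach, as an added example that is not part of the original post: the client keeps a keyed per-block MAC manifest of the ciphertext image and checks it before mounting. The function names, key and sample image are constructed for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 4096  # same block size the post uses with dd


def block_tags(image, key, block_size=BLOCK_SIZE):
    """One HMAC-SHA256 tag per block; the block index is part of the MAC input."""
    tags = []
    for offset in range(0, len(image), block_size):
        mac = hmac.new(key, (offset // block_size).to_bytes(8, "big"), hashlib.sha256)
        mac.update(image[offset:offset + block_size])
        tags.append(mac.digest())
    return tags


def verify_image(image, key, manifest, block_size=BLOCK_SIZE):
    """Return the indices of blocks that no longer match the client-held manifest."""
    current = block_tags(image, key, block_size)
    bad = [i for i, (now, then) in enumerate(zip(current, manifest))
           if not hmac.compare_digest(now, then)]
    # Blocks that were cut off or appended count as failures as well.
    bad.extend(range(min(len(current), len(manifest)), max(len(current), len(manifest))))
    return bad


def make_sample_image(blocks):
    """Constructed stand-in for the ciphertext image stored on the backup server."""
    return b"".join(hashlib.sha256(bytes([i])).digest() * (BLOCK_SIZE // 32)
                    for i in range(blocks))


if __name__ == "__main__":
    key = b"\x01" * 32                      # constructed key; keep the real one off the server
    image = make_sample_image(8)
    manifest = block_tags(image, key)       # stored on the client after each backup run

    flipped = bytearray(image)
    flipped[3 * BLOCK_SIZE + 10] ^= 0x01    # one bit changed inside block 3
    swapped = (image[:BLOCK_SIZE] + image[2 * BLOCK_SIZE:3 * BLOCK_SIZE]
               + image[BLOCK_SIZE:2 * BLOCK_SIZE] + image[3 * BLOCK_SIZE:])

    print("untouched:", verify_image(image, key, manifest))
    print("bit flip: ", verify_image(bytes(flipped), key, manifest))
    print("swapped:  ", verify_image(swapped, key, manifest))
    print("truncated:", verify_image(image[:-BLOCK_SIZE], key, manifest))
```

Verification reads every block, so over nbd it costs a full read of the volume, and the manifest has to be regenerated on the client after each backup run.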