Re: Encrypted remote backups & issues
>>>>> "Christian" == Christian Jaeger <christian.jaeger@ethlife.ethz.ch> writes:

Christian> I'd like to do incremental encrypted remote backups. I thought
Christian> this might be a solution: use nbd (network block device, from
Christian> standard kernel) to access the backup partition or file on the
Christian> server.

And, you'd like them encrypted on the remote system, not just protected
between local and remote systems?

If it was just protected, I'd use NFS over IPsec. I use that regularly,
although there are shutdown issues - you have to make sure to unmount the
NFS partitions before the IPsec is shut down. Normally Debian does that in
the opposite order, and you get stuck :-)

Christian> 2. I realize that cryptoloop does not use checksums/signatures
Christian> at all. Of course that means that an attacker can easily
Christian> destroy my backup volume while in transit or while stored on
Christian> the (broken in) backup server in subtle ways, so that I won't

That's where the NFS underlying layer to a large file might be a better
choice than NBD.

Christian> Are there alternatives? tar|gpg|netcat(+md5) is a solid
Christian> solution but requires full backups each time. Anything else?

Yes, you could use tar in incremental backup mode, or you could use "dump"!
] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy"); [
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
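
Added example, not part of the original message: the incremental-tar suggestion above combined with the tar|gpg pipeline from the quoted question, so only changed files are archived and each archive is signed and encrypted before it leaves the client. It assumes GNU tar and GnuPG 2.x; the key id backup@example.org, the function names and the level-NNN.tar.gpg layout are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumes GNU tar and GnuPG 2.x.
set -eu
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi

BACKUP_KEY="${BACKUP_KEY:-backup@example.org}"  # placeholder key id (assumption)

# stdin -> stdout. Sign, then encrypt: the backup host stores only ciphertext,
# and an archive altered in transit or at rest makes gpg fail on restore.
seal()   { gpg --batch --sign --encrypt --recipient "$BACKUP_KEY"; }
unseal() { gpg --batch --decrypt; }

# backup SRC STATE OUT: level 0 on the first run, afterwards only what changed
# since the previous run (tracked in GNU tar's snapshot file under STATE).
backup() {
    b_src=$1; b_state=$2; b_out=$3
    mkdir -p "$b_state" "$b_out"
    b_snar="$b_state/snapshot.snar"
    b_n=$(find "$b_out" -name 'level-*.tar.gpg' | wc -l)
    b_arch="$b_out/level-$(printf '%03d' "$((b_n))").tar.gpg"
    # Keep the old snapshot: if sealing fails, the next run must not skip
    # files that never reached an archive.
    [ ! -f "$b_snar" ] || cp -p "$b_snar" "$b_snar.prev"
    if tar --create --listed-incremental="$b_snar" --file=- -C "$b_src" . \
            | seal > "$b_arch"; then
        rm -f "$b_snar.prev"
        echo "$b_arch"
    else
        rm -f "$b_arch" "$b_snar"
        [ ! -f "$b_snar.prev" ] || mv "$b_snar.prev" "$b_snar"
        return 1
    fi
}

# restore OUT DEST: replay the levels in order. Each archive is decrypted (and
# its signature checked by gpg) into a temp file first; a non-zero gpg exit
# stops the replay before tar unpacks anything from that level.
restore() {
    r_out=$1; r_dest=$2
    mkdir -p "$r_dest"
    r_tmp=$(mktemp) || return 1
    for r_a in "$r_out"/level-*.tar.gpg; do
        unseal < "$r_a" > "$r_tmp" &&
            tar --extract --listed-incremental=/dev/null \
                --file="$r_tmp" -C "$r_dest" || { rm -f "$r_tmp"; return 1; }
    done
    rm -f "$r_tmp"
}
```

A signature per archive does not reveal a missing or withheld level, so keep the list of levels (or their hashes) on the client if that matters.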