[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Encrypted partition backups.

Bruno Wolff III wrote:
On Tue, Jan 13, 2009 at 09:40:47 -0700,
  Robin Laing <Robin Laing drdc-rddc gc ca> wrote:
I am about to install a system where each users home directory will be encrypted and mounted on login and unmounted on logout.

Is there a tool that allows partition backups of only the changes as with incremental backups? Do we just have to clone the partition and make copies of that each time?

Not that I am aware of. In theory if changes to their directories makes only
localized changes to the encrypted data, then you could just save the
changed blocks. This will leak some information, but that information would
be available to people who could see multiple backup tapes in any case,
so it may not be a big deal.

This was why I am wondering about a block device backup that can compare the blocks and only back those up. It would be a pain to backup 1T of data every time.

It is a question that I have posed to our IT staff and they have not thought about it either.

It's a bit late in the game to do this, as how you do the encryption should
be coordinated with your backup strategy.

There are also some issues with backing up key material. If you are say
using luks to encrypt the home directories, having backups of the encrypted
keys has some additional risks and deleting old pass phrases doesn't work
on the backed up copies. Depending on your threat model and how some
compromises are handled this might be acceptible. But it is still something
to take into consideration.

Encryption to the level of encrypted home directories isn't being used yet. I asked them if they had any ideas and we agree that for incremental backups, a block diff would have to be done. Of course, depending on the size of the partition, this could take some time. I don't know.

That is why I am posting this to the list to get some ideas to plan the backup routine around the changes.

It is going to be fun.  :)

Robin Laing
Instrumentation Technologist   Voice: 1.403.544.4762
Military Engineering Section   FAX:   1.403.544.4704
Defence R&D Canada - Suffield  Email: Robin Laing DRDC-RDDC gc ca
PO Box 4000, Station Main      WWW:http://www.suffield.drdc-rddc.gc.ca
Medicine Hat, AB, T1A 8K6

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]