From: Jeremy Chadwick
To: Vladimir Botka
Cc: freebsd-stable@freebsd.org
Date: Tue, 15 Jan 2008 04:44:06 -0800
Subject: Re: Backup solution suggestions

On Tue, Jan 15, 2008 at 12:40:02PM +0100, Vladimir Botka wrote:
> On Tue, 15 Jan 2008 10:52:56 +0100
> Johan Ström wrote:
>
> > Hello
> >
> > I'm looking to invest in some new hardware for backup. Probably some
> > kind of NAS (a 4-disk 1U NAS or something in that size). The thing
> > is that I won't be the only one with access to this box, thus I
> > would like to secure my data.
> > What I would like is encryption both for the transfer to the box,
> > and encrypted on disk. The data on disk should not be readable by
> > anyone but me (i.e. the other user(s) of the box should not be able to
> > read it, at least not without a big effort).
> >
> > So, I'm wondering what the best solution might be.. Tar'balling all
> > my stuff and encrypt it with GPG or something and just dump it there
> > with NFS would be the easiest solution, but maybe not the best. I've
> > been thinking about running a GELI image on my box, and store that
> > on the NAS over NFS.. would that be doable/secure/stable?
> > Another idea would be to go with some regular 1U box running some
> > FBSD, doing scp to the box and geli local on the box but that would
> > require me to have the encryption keys on that box (which would be
> > shared so thus no good idea).
> >
> > Any other ideas? Being able to rsync to the backup storage instead
> > of just sending big encrypted tarballs would be very nice (and I
> > guess that would be possible with geli version)
> >
> > Maybe not the perfect list for this, but it is somewhat freebsd
> > specific and I'm sure some other ppl on the list have had similar
> > situations :)
> >
> > --
> > Johan Ström
> > Stromnet
> > johan@stromnet.se
> > http://www.stromnet.se/
> >
>
> Hello,
>
> As of the encryption on the transfer I use security/sfs to mount remote
> directory for backup and then rsync in the local.

I thought SFS looked pretty neat until I saw this in the documentation:

    Finally, you must export all the local-directorys in your
    sfsrwsd_config to localhost via NFS version 3.

See my mail to Johan, as it documents a known "issue" with
nfsd/mountd/portmap on FreeBSD (re: binding to INADDR_ANY and using
dynamically-allocated port numbers).

This circles back to my "if you HAVE to use NFS, do so on a dedicated
network which has no public access" statement.

--
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |
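
An added example, not part of the original message or of any project named in it: a small audit that reads listening-socket output and reports NFS/RPC daemons bound to the wildcard address (INADDR_ANY) or listening on a port outside the conventional fixed ones. The `sockstat -4 -l` column layout, the daemon list, the fixed-port set and the sample lines are assumptions constructed for illustration.

```python
# Daemons named in the message (portmap is called rpcbind on later FreeBSD
# releases) plus the NFS helper daemons; this list is an assumption.
RPC_DAEMONS = {"nfsd", "mountd", "portmap", "rpcbind", "rpc.statd", "rpc.lockd"}
# Conventional fixed ports (portmap/rpcbind 111, nfsd 2049). Any other port is
# treated as dynamically allocated; that is a heuristic, since an administrator
# may have pinned a daemon to a different fixed port.
FIXED_PORTS = {111, 2049}

# Constructed sample in the layout printed by `sockstat -4 -l` on FreeBSD.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       701   3  tcp4   192.0.2.10:22         *:*
root     nfsd       655   3  tcp4   *:2049                *:*
root     mountd     640   5  udp4   *:831                 *:*
root     mountd     640   6  tcp4   *:831                 *:*
root     rpcbind    598   9  udp4   10.0.0.5:111          *:*
root     rpc.statd  660   4  tcp4   *:977                 *:*
"""

def audit(sockstat_text):
    """Return (command, proto, local, findings) for each RPC/NFS listener
    that is bound to the wildcard address or to a non-fixed port."""
    results = []
    for line in sockstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue  # header, blank or truncated line
        command, proto, local = fields[1], fields[4], fields[5]
        if command not in RPC_DAEMONS:
            continue
        address, _, port = local.rpartition(":")
        if not port.isdigit():
            continue  # unexpected address format, skip rather than guess
        findings = []
        if address == "*":
            findings.append("wildcard-bind")   # reachable on every interface
        if int(port) not in FIXED_PORTS:
            findings.append("dynamic-port")    # hard to pin in a packet filter
        if findings:
            results.append((command, proto, local, findings))
    return results

if __name__ == "__main__":
    for command, proto, local, findings in audit(SAMPLE):
        print(f"{command:10} {proto:5} {local:15} {', '.join(findings)}")
```

On a live host the function would be fed the captured output of `sockstat -4 -l` instead of `SAMPLE`.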