From: Johan Ström <johan@stromnet.se>
Date: Tue, 15 Jan 2008 20:16:36 +0100
To: Jeremy Chadwick
Cc: freebsd-stable@freebsd.org, Vladimir Botka
Subject: Re: Backup solution suggestions
In-Reply-To: <20080115124406.GA8803@eos.sc1.parodius.com>

On Jan 15, 2008, at 13:44, Jeremy Chadwick wrote:

> On Tue, Jan 15, 2008 at 12:40:02PM +0100, Vladimir Botka wrote:
>> On Tue, 15 Jan 2008 10:52:56 +0100, Johan Ström wrote:
>>
>>> Hello
>>>
>>> I'm looking to invest in some new hardware for backup. Probably some
>>> kind of NAS (a 4-disk 1U NAS or something in that size). The thing
>>> is that I won't be the only one with access to this box, thus I
>>> would like to secure my data.
>>> What I would like is encryption both for the transfer to the box,
>>> and encrypted on disk. The data on disk should not be readable by
>>> anyone but me (i.e. the other user(s) of the box should not be able to
>>> read it, at least not without a big effort).
>>>
>>> So, I'm wondering what the best solution might be. Tar'balling all
>>> my stuff and encrypting it with GPG or something and just dumping it there
>>> with NFS would be the easiest solution, but maybe not the best. I've
>>> been thinking about running a GELI image on my box, and storing that
>>> on the NAS over NFS. Would that be doable/secure/stable?
>>> Another idea would be to go with some regular 1U box running some
>>> FBSD, doing scp to the box and geli locally on the box, but that would
>>> require me to have the encryption keys on that box (which would be
>>> shared, so thus not a good idea).
>>>
>>> Any other ideas? Being able to rsync to the backup storage instead
>>> of just sending big encrypted tarballs would be very nice (and I
>>> guess that would be possible with the geli version).
>>>
>>> Maybe not the perfect list for this, but it is somewhat FreeBSD
>>> specific and I'm sure some other ppl on the list have had similar
>>> situations :)
>>>
>>> --
>>> Johan Ström
>>> Stromnet
>>> johan@stromnet.se
>>> http://www.stromnet.se/
>>>
>>
>> Hello,
>>
>> As for the encryption on the transfer, I use security/sfs to mount the
>> remote directory for backup and then rsync locally.
>
> I thought SFS looked pretty neat until I saw this in the
> documentation:
>
> Finally, you must export all the local-directorys in your
> sfsrwsd_config to localhost via NFS version 3.
>
> See my mail to Johan, as it documents a known "issue" with
> nfsd/mountd/portmap on FreeBSD (re: binding to INADDR_ANY and using
> dynamically-allocated port numbers). This circles back to my "if you
> HAVE to use NFS, do so on a dedicated network which has no public
> access" statement.
>

SFS indeed looked very nice, but didn't provide me with the
encrypted-on-disk feature I need, as I understand it?
As mentioned earlier, I don't want to store crypto keys on the backup
machine itself, otherwise I could have used geli or something.

Thanks
--
Johan