Date: Wed, 28 Nov 2001 11:23:20 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: <security@FreeBSD.ORG>
Subject: Re: crypted remote backup
Message-ID: <20011128103543.Y99493-100000@roble.com>

> If you want rsync to only copy the updated/modified stuff you'll have
> to do the encryption on the "source" server and keep it in a separate
> "tree"

We gave up on rsync years ago. Too many bugs, too little QA, and
too many changes between versions. IMHO, dump/restore/ufsdump/ufsrestore
are still the best tools for backing up Unix systems. Dump/restore,
when combined with scratch files or partitions and ssh, is a solid
and reliable solution with a good degree of forward and backward
compatibility.

The first step in a production backup hierarchy is near-line
archives, typically to one or more local hard drives. This step
does not normally require encryption:

    ##### on the (source) server:
    mount /dev/da0a /var/d2
    (or mount /dev/da0{b,d,e,f,g} ...)
    cd /var/d2
    dump 0uf - / | restore xf -
    umount /var/d2

The second step is migration to a centralized backup server. This
usually involves a network which may or may not be secure. An
IPsec+3DES VPN based on hardware like Cisco's PIX or Checkpoint's
Firewall-1 is one way to encrypt this traffic. For considerably
less money you can achieve the same result using OpenSSH:

    ##### on the (destination) central backup host:
    # build the archive name once so every command refers to the same file
    out=/var/backups/${server}-`date|nawk '{print $2"-"$3"-"$NF}'`
    touch "$out"
    chmod 400 "$out"
    /usr/local/bin/ssh root@${server} -n 'dump -0f - /dev/da0a' | \
        dd of="$out"

Finally, long term storage is most economically done to tape:

    dump 0f /dev/rmt/0 /var/backups

These tapes can then, ideally, be stored in fire-proof data safes
at one or more off-site locations.
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
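
The second step above, as an added example that is not part of the original message: in `ssh ... | dd` the pipeline's exit status is dd's, so a failed or interrupted dump still leaves a plausible-looking archive. This version redirects ssh straight into a temporary file created under a restrictive umask and renames it only on success; `BACKUP_DIR`, `fetch_cmd`, `pull_backup`, the `.partial` suffix and the ISO date in the file name are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original message): pull one level-0 dump
# from a server into the central backup directory.
# usage, after sourcing this file:  pull_backup server.example.com

BACKUP_DIR=${BACKUP_DIR:-/var/backups}

# fetch_cmd SERVER: write the dump stream to stdout.
# Same ssh + dump command as in the message; the exit status is that of
# the remote dump (or of ssh itself if the connection fails).
fetch_cmd() {
    /usr/local/bin/ssh -n "root@$1" 'dump -0f - /dev/da0a'
}

# pull_backup SERVER: create $BACKUP_DIR/SERVER-YYYY-MM-DD.
# Returns non-zero and leaves no file behind if the transfer fails
# or produces an empty stream.
pull_backup() {
    server=$1
    out="$BACKUP_DIR/$server-$(date +%Y-%m-%d)"   # name computed once
    tmp="$out.partial"
    old_umask=$(umask)
    umask 077            # archive is never group/world readable, even briefly
    if fetch_cmd "$server" > "$tmp" && [ -s "$tmp" ]; then
        chmod 400 "$tmp"
        mv -f "$tmp" "$out"   # final name appears only for a complete dump
        status=0
    else
        rm -f "$tmp"          # do not keep a truncated archive
        status=1
    fi
    umask "$old_umask"
    return $status
}
```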
