From owner-freebsd-stable@FreeBSD.ORG Fri Mar 1 20:09:50 2013
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id F41FB846 for ; Fri, 1 Mar 2013 20:09:49 +0000 (UTC) (envelope-from dweimer@dweimer.net)
Received: from webmail.dweimer.net (24-240-198-187.static.stls.mo.charter.com [24.240.198.187]) by mx1.freebsd.org (Postfix) with ESMTP id A47D51508 for ; Fri, 1 Mar 2013 20:09:49 +0000 (UTC)
Received: from www.dweimer.net (webmail.dweimer.local [192.168.5.1]) by webmail.dweimer.net (8.14.5/8.14.5) with ESMTP id r21K9lPK006538 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Fri, 1 Mar 2013 14:09:47 -0600 (CST) (envelope-from dweimer@dweimer.net)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Date: Fri, 01 Mar 2013 14:09:47 -0600
From: dweimer
To: freebsd-stable@freebsd.org
Subject: Re: Musings on ZFS Backup strategies
Organization: dweimer.net
Mail-Reply-To: dweimer@dweimer.net
In-Reply-To: <20130301192528.GA79829@neutralgood.org>
References: <5130BA35.5060809@denninger.net> <5130CD1C.90709@denninger.net> <20130301192528.GA79829@neutralgood.org>
Message-ID: <960a34e583e40def0a60df2b889380bb@dweimer.net>
X-Sender: dweimer@dweimer.net
User-Agent: Roundcube Webmail/0.8.1
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: dweimer@dweimer.net
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 01 Mar 2013 20:09:50 -0000

On 03/01/2013 1:25 pm, kpneal@pobox.com wrote:
> On Fri, Mar 01, 2013 at 09:45:32AM -0600, Karl Denninger wrote:
>> I rotate the disaster disks out to a safe-deposit box at the bank, and
>> they're geli-encrypted, so if stolen they're worthless to the thief
>> (other than their cash value as a drive) and if the building goes "poof"
>> I have the ones in the vault to recover from. There's the potential for
>> loss up to the rotation time of course but that is the same risk I had
>> with all UFS filesystems.
> What do you do about geli keys? Encrypted backups aren't much use if
> you can't unencrypt them.

In my case I set them up with a pass-phrase only; I can mount them on any
FreeBSD system using geli attach ... and then enter the pass-phrase when
prompted. It is less secure than the key method (just because the
pass-phrase is far shorter than a key would be), but it ensures that as
long as I can remember the pass-phrase I can access the data. However, my
backups in this method are personal data; the worst case scenario is
someone steals my identity, personal photos, and iTunes library. My bank
accounts don't have enough money in them to make it worth someone going
through the time and effort to get the data off the disks. The
pass-phrase I picked uses all the good practices of mixed case, special
characters, and it's not something easy to guess even by people who know
me well. It would be far easier to break into my house and get the data
that way than to break the encryption on the external backup media.

If I was, say, backing up corporate data with this method and my company
did defense research, well, I would probably use both a pass-phrase and
key combination and store an offsite copy of the key in a separate secure
location from the media.

-- 
Thanks,
   Dean E. Weimer
   http://www.dweimer.net/
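The "both a pass-phrase and a key file" setup described in the reply, written out as an added example script (not code from this thread or from the FreeBSD project). The device name, the key and metadata-backup paths and the 64-byte key size are assumptions; `geli init -K/-B/-e/-l/-s` and `geli attach -k` are the real geli(8) options, and geli still prompts for the pass-phrase on the terminal, so this script never handles it. The two helper functions that create and check the key file run anywhere; the geli steps run only when the script is invoked with `provision` or `attach` as root on FreeBSD.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a geli-backed backup disk
# whose User Key is derived from BOTH a random key file and a pass-phrase.
# Losing either component (or the metadata) makes the disk unreadable, which
# is exactly why the reply suggests an offsite copy of the key file.
set -eu

DEV="${DEV:-/dev/da0}"                                 # assumed: the external backup disk
KEYFILE="${KEYFILE:-/root/keys/backup.key}"            # assumed path; second copy goes offsite
META_BACKUP="${META_BACKUP:-/root/keys/backup.meta}"   # assumed path for geli metadata backup
KEYBYTES=64                                            # 512 random bits, far longer than any pass-phrase

# Create a random key file that only the owner can read.
# Returns non-zero if the file does not end up exactly $2 bytes long
# (e.g. a full filesystem), so the caller never feeds geli a short key.
make_keyfile() {
    # $1 = path, $2 = size in bytes
    umask 077
    dd if=/dev/urandom of="$1" bs="$2" count=1 2>/dev/null
    [ "$(wc -c < "$1")" -eq "$2" ]
}

# Return 0 only when the key file is mode 0600 (permission string -rw-------).
# Uses ls -l rather than stat so it behaves the same on FreeBSD and Linux.
keyfile_private() {
    # $1 = path
    case "$(ls -l "$1")" in
        -rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# One-time setup. -K adds the key file as a component of the User Key; the
# pass-phrase is prompted for interactively. -B writes a copy of the geli
# metadata, because a damaged first sector would otherwise be unrecoverable.
provision() {
    make_keyfile "$KEYFILE" "$KEYBYTES"
    keyfile_private "$KEYFILE"
    geli init -e AES-XTS -l 256 -s 4096 -K "$KEYFILE" -B "$META_BACKUP" "$DEV"
    echo "Provisioned $DEV. Copy $KEYFILE and $META_BACKUP to a separate secure location."
}

# Day-to-day use: supply the key file, geli prompts for the pass-phrase.
# Without -k the correct pass-phrase alone does not unlock the disk.
attach_disk() {
    keyfile_private "$KEYFILE"
    geli attach -k "$KEYFILE" "$DEV"
    echo "${DEV}.eli is attached; zpool import can proceed."
}

case "${1:-}" in
    provision) provision ;;
    attach)    attach_disk ;;
    "")        ;;   # no action requested: functions are defined only
    *)         echo "usage: $0 provision|attach" >&2; exit 2 ;;
esac
```

Run as `./backup-disk.sh provision` once, then `./backup-disk.sh attach` each time the disk comes back from the vault; `geli detach da0.eli` before pulling it. The mode check is deliberately strict: a key file readable by other users would turn the two-factor setup back into a pass-phrase-only one for anyone with a local account.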