Encrypted partition backups.
Bruno Wolff III
bruno at wolff.to
Tue Jan 13 16:59:18 UTC 2009
On Tue, Jan 13, 2009 at 09:40:47 -0700,
Robin Laing <Robin.Laing at drdc-rddc.gc.ca> wrote:
> I am about to install a system where each user's home directory will be
> encrypted and mounted on login and unmounted on logout.
> Is there a tool that allows partition backups of only the changes as
> with incremental backups? Do we just have to clone the partition and
> make copies of that each time?
Not that I am aware of. In theory if changes to their directories make only
localized changes to the encrypted data, then you could just save the
changed blocks. This will leak some information, but that information would
be available to people who could see multiple backup tapes in any case,
so it may not be a big deal.
> It is a question that I have posed to our IT staff and they have not
> thought about it either.
It's a bit late in the game to do this, as how you do the encryption should
be coordinated with your backup strategy.
There are also some issues with backing up key material. If you are, say,
using LUKS to encrypt the home directories, having backups of the encrypted
keys has some additional risks and deleting old pass phrases doesn't work
on the backed up copies. Depending on your threat model and how some
compromises are handled, this might be acceptable. But it is still something
to take into consideration.
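
The block-level approach described in the reply above, as an added example that is not part of the original thread: it hashes fixed-size blocks of the encrypted image and saves only the blocks whose ciphertext changed. The 4096-byte block size, the file names and the random stand-in data are assumptions, as is sector-level encryption where an edit changes only the sectors it touches.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # assumed block size, not taken from the thread


def incremental(path, prev_digests, block=BLOCK):
    """Return ({block_index: ciphertext}, digests); prev_digests=[] gives a full run."""
    delta, digests = {}, []
    with open(path, "rb") as f:
        for index, chunk in enumerate(iter(lambda: f.read(block), b"")):
            digest = hashlib.sha256(chunk).digest()
            digests.append(digest)
            if index >= len(prev_digests) or prev_digests[index] != digest:
                delta[index] = chunk
    return delta, digests


def apply_delta(image_path, delta, block=BLOCK):
    """Restore by writing the saved blocks over a copy of the previous backup."""
    with open(image_path, "r+b") as f:
        for index, chunk in sorted(delta.items()):
            f.seek(index * block)
            f.write(chunk)


def demo():
    """Constructed data: random bytes stand in for an encrypted home volume."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = os.path.join(tmp, "home.img"), os.path.join(tmp, "full.img")
        data = bytearray(os.urandom(16 * BLOCK))
        for path in (live, backup):
            with open(path, "wb") as f:
                f.write(data)
        _, baseline = incremental(backup, [])
        # Assumption: an edit re-encrypts only the sectors it touches (3 and 7 here).
        for i in (3, 7):
            data[i * BLOCK:(i + 1) * BLOCK] = os.urandom(BLOCK)
        with open(live, "wb") as f:
            f.write(data)
        delta, _ = incremental(live, baseline)
        apply_delta(backup, delta)
        with open(backup, "rb") as f:
            restored = f.read()
    # The index list is what anyone comparing backup sets learns: which blocks changed.
    return sorted(delta), restored == bytes(data)
```

The list of changed block indexes returned by `demo()` is the information leak mentioned in the reply: the contents stay encrypted, but the location and volume of changes between backups are visible.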