Encrypted partition backups.

Robin Laing Robin.Laing at drdc-rddc.gc.ca
Wed Jan 14 17:31:53 UTC 2009


Bruno Wolff III wrote:
> On Tue, Jan 13, 2009 at 09:40:47 -0700,
>   Robin Laing <Robin.Laing at drdc-rddc.gc.ca> wrote:
>> I am about to install a system where each users home directory will be  
>> encrypted and mounted on login and unmounted on logout.
>>
>> Is there a tool that allows partition backups of only the changes as  
>> with incremental backups?  Do we just have to clone the partition and  
>> make copies of that each time?
> 
> Not that I am aware of. In theory if changes to their directories makes only
> localized changes to the encrypted data, then you could just save the
> changed blocks. This will leak some information, but that information would
> be available to people who could see multiple backup tapes in any case,
> so it may not be a big deal.
> 

This was why I am wondering about a block device backup that can compare 
the blocks and only back those up.  It would be a pain to backup 1T of 
data every time.

>> It is a question that I have posed to our IT staff and they have not  
>> thought about it either.
> 
> It's a bit late in the game to do this, as how you do the encryption should
> be coordinated with your backup strategy.
> 
> There are also some issues with backing up key material. If you are say
> using luks to encrypt the home directories, having backups of the encrypted
> keys has some additional risks and deleting old pass phrases doesn't work
> on the backed up copies. Depending on your threat model and how some
> compromises are handled this might be acceptable. But it is still something
> to take into consideration.
> 
> 

Encryption to the level of encrypted home directories isn't being used 
yet.  I asked them if they had any ideas and we agree that for 
incremental backups, a block diff would have to be done.  Of course, 
depending on the size of the partition, this could take some time.  I 
don't know.

That is why I am posting this to the list to get some ideas to plan the 
backup routine around the changes.

It is going to be fun.  :)

-- 
Robin Laing
Instrumentation Technologist   Voice: 1.403.544.4762
Military Engineering Section   FAX:   1.403.544.4704
Defence R&D Canada - Suffield  Email: Robin.Laing at DRDC-RDDC.gc.ca
PO Box 4000, Station Main      WWW:http://www.suffield.drdc-rddc.gc.ca
Medicine Hat, AB, T1A 8K6
Canada
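The block-diff approach discussed in this thread (hash each block of the encrypted device, keep the hash list from the last run, and back up only blocks whose hash changed), as an added example that is not code from the thread or from any backup tool named in it. It works on an opaque image, so the backup host never needs the LUKS key. The 4096-byte block size, the image contents and the sample modifications are constructed assumptions for the demonstration; the only thing a holder of two backups learns is which block indices changed, which is the leak Bruno mentions.

```python
"""Block-level incremental backup of an encrypted partition image (added example)."""
import hashlib
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 4096  # assumed granularity; match the filesystem block size in practice

Manifest = List[str]       # one SHA-256 hex digest per block, in block order
Delta = Dict[int, bytes]   # block index -> new block contents (changed blocks only)


def block_digests(image: bytes, block_size: int = BLOCK_SIZE) -> Manifest:
    """Hash every block of the image; a short final block is hashed as-is."""
    return [
        hashlib.sha256(image[offset:offset + block_size]).hexdigest()
        for offset in range(0, len(image), block_size)
    ]


def changed_block_indices(previous: Optional[Manifest], current: Manifest) -> List[int]:
    """Indices whose digest differs from the previous manifest.

    No previous manifest means a full backup (every block is "changed").
    Blocks past the end of the old manifest are new and therefore changed;
    blocks that vanished because the image shrank simply leave the manifest.
    """
    if previous is None:
        return list(range(len(current)))
    return [
        i for i, digest in enumerate(current)
        if i >= len(previous) or previous[i] != digest
    ]


def incremental_backup(image: bytes, previous: Optional[Manifest],
                       block_size: int = BLOCK_SIZE) -> Tuple[Manifest, Delta]:
    """Return the new manifest and the delta holding only changed blocks."""
    current = block_digests(image, block_size)
    delta = {
        i: image[i * block_size:(i + 1) * block_size]
        for i in changed_block_indices(previous, current)
    }
    return current, delta


def restore(full: bytes, deltas: List[Delta], final_size: int,
            block_size: int = BLOCK_SIZE) -> bytes:
    """Replay deltas in order over the full backup, then cut to the final size."""
    buf = bytearray(full)
    for delta in deltas:
        for i, block in delta.items():
            start = i * block_size
            if len(buf) < start + len(block):          # image grew: extend first
                buf.extend(b"\0" * (start + len(block) - len(buf)))
            buf[start:start + len(block)] = block
    return bytes(buf[:final_size])


def changed_fraction(delta: Delta, manifest: Manifest) -> float:
    """Share of blocks written this run; this count is what a tape observer sees."""
    return len(delta) / len(manifest) if manifest else 0.0


# Constructed sample "encrypted" images: 8 blocks of deterministic pseudo-random bytes.
def _block(seed: bytes) -> bytes:
    return hashlib.sha256(seed).digest() * (BLOCK_SIZE // 32)


IMAGE_V1 = b"".join(_block(b"block%d" % i) for i in range(8))
# Second snapshot: only block 3 rewritten (a localized change, as in the thread).
IMAGE_V2 = IMAGE_V1[:3 * BLOCK_SIZE] + _block(b"rewritten") + IMAGE_V1[4 * BLOCK_SIZE:]
# Third snapshot: the image grew by a partial block.
IMAGE_V3 = IMAGE_V2 + b"\x5a" * 100


def demo() -> Tuple[int, int, int, bool]:
    """Full backup, then two incrementals; returns block counts and a restore check."""
    m1, d1 = incremental_backup(IMAGE_V1, None)   # full backup: all 8 blocks
    m2, d2 = incremental_backup(IMAGE_V2, m1)     # only block 3
    m3, d3 = incremental_backup(IMAGE_V3, m2)     # only the new block 8
    ok = restore(IMAGE_V1, [d2, d3], len(IMAGE_V3)) == IMAGE_V3
    print(f"full={len(d1)} inc1={len(d2)} inc2={len(d3)} "
          f"leaked_fraction={changed_fraction(d2, m2):.3f} restore_ok={ok}")
    return len(d1), len(d2), len(d3), ok


if __name__ == "__main__":
    demo()
```

The manifest is the only state kept between runs, so it is cheap to store beside the tapes; a real run would read the device in block-sized chunks rather than loading the whole image into memory, but the comparison logic is the same. Note that the manifest itself (one digest per block) reveals the same change pattern as the deltas, so it deserves the same handling as the backups.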



