Encrypted partition backups.
Robin Laing
Robin.Laing at drdc-rddc.gc.ca
Wed Jan 14 17:31:53 UTC 2009
Bruno Wolff III wrote:
> On Tue, Jan 13, 2009 at 09:40:47 -0700,
> Robin Laing <Robin.Laing at drdc-rddc.gc.ca> wrote:
>> I am about to install a system where each user's home directory will be
>> encrypted and mounted on login and unmounted on logout.
>>
>> Is there a tool that allows partition backups of only the changes as
>> with incremental backups? Do we just have to clone the partition and
>> make copies of that each time?
>
> Not that I am aware of. In theory, if changes to their directories make only
> localized changes to the encrypted data, then you could just save the
> changed blocks. This will leak some information, but that information would
> be available to people who could see multiple backup tapes in any case,
> so it may not be a big deal.
>
This is why I am wondering about a block device backup that can compare
the blocks and only back those up. It would be a pain to back up 1T of
data every time.
>> It is a question that I have posed to our IT staff and they have not
>> thought about it either.
>
> It's a bit late in the game to do this, as how you do the encryption should
> be coordinated with your backup strategy.
>
> There are also some issues with backing up key material. If you are, say,
> using LUKS to encrypt the home directories, having backups of the encrypted
> keys has some additional risks, and deleting old pass phrases doesn't work
> on the backed-up copies. Depending on your threat model and how some
> compromises are handled, this might be acceptable. But it is still something
> to take into consideration.
>
>
Encryption at the level of encrypted home directories isn't being used
yet. I asked them if they had any ideas, and we agree that for
incremental backups, a block diff would have to be done. Of course,
depending on the size of the partition, this could take some time. I
don't know.
That is why I am posting this to the list to get some ideas to plan the
backup routine around the changes.
It is going to be fun. :)
--
Robin Laing
Instrumentation Technologist    Voice: 1.403.544.4762
Military Engineering Section    FAX: 1.403.544.4704
Defence R&D Canada - Suffield   Email: Robin.Laing at DRDC-RDDC.gc.ca
PO Box 4000, Station Main       WWW: http://www.suffield.drdc-rddc.gc.ca
Medicine Hat, AB, T1A 8K6
Canada
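The block-diff approach discussed in this thread, as an added example that is not from the list or any backup product: hash every block of a device image, store only the blocks whose hash differs from the manifest kept with the last full backup, and restore by applying that delta. `BLOCK_SIZE`, the function names and the pseudo-random stand-in for ciphertext are assumptions made for the example; the key set of the delta is exactly the "which blocks changed" metadata Bruno describes as leaking.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed backup granularity; tune to the device's real block size


def block_hashes(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """One SHA-256 digest per block; this manifest is kept with the full backup."""
    return [hashlib.sha256(image[i:i + block_size]).digest()
            for i in range(0, len(image), block_size)]


def block_delta(prev_hashes: list, image: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """{block_index: block_bytes} for blocks that are new or whose hash changed.
    Only these go into the incremental backup. The index set reveals which
    regions of the ciphertext were rewritten (the leak discussed above)."""
    delta = {}
    for idx, h in enumerate(block_hashes(image, block_size)):
        if idx >= len(prev_hashes) or prev_hashes[idx] != h:
            delta[idx] = image[idx * block_size:(idx + 1) * block_size]
    return delta


def apply_delta(base: bytes, delta: dict, block_size: int = BLOCK_SIZE) -> bytes:
    """Rebuild the newer image from the last full image plus one delta,
    zero-padding if the delta contains blocks past the old end of the image."""
    out = bytearray(base)
    for idx in sorted(delta):
        start = idx * block_size
        if start > len(out):
            out.extend(b"\x00" * (start - len(out)))
        out[start:start + len(delta[idx])] = delta[idx]
    return bytes(out)


def _fake_ciphertext(seed: int, size: int = BLOCK_SIZE) -> bytes:
    """Constructed stand-in for encrypted data: deterministic pseudo-random bytes."""
    return b"".join(hashlib.sha256(b"%d:%d" % (seed, i)).digest()
                    for i in range(size // 32))


def demo(n_blocks: int = 8, rewritten=(2, 5)):
    """Full image, a localized write to a few blocks, then delta and restore."""
    base = b"".join(_fake_ciphertext(i) for i in range(n_blocks))
    manifest = block_hashes(base)  # stored alongside the full backup
    new = bytearray(base)
    for idx in rewritten:  # fresh ciphertext lands only in the rewritten blocks
        new[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE] = _fake_ciphertext(1000 + idx)
    new = bytes(new)
    delta = block_delta(manifest, new)
    return sorted(delta), apply_delta(base, delta) == new
```

Hashing 1T of blocks still means reading the whole device on every run; the saving is only in what gets written to tape, not in the read I/O, which is what Robin's "this could take some time" remark anticipates.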