Encrypted partition backups.

Robin Laing Robin.Laing at drdc-rddc.gc.ca
Thu Jan 15 19:42:25 UTC 2009


Bill Davidsen wrote:
> Robin Laing wrote:
>> OK, now it is an option to create encrypted partitions with F10 during 
>> install.  With this, the issue of backups gets changed and I wonder 
>> how people are dealing with it.
>>
>> I am about to install a system where each user's home directory will be 
>> encrypted and mounted on login and unmounted on logout.
>>
>> Now the question comes to how to make automatic backups of these 
>> encrypted partitions when they are not mounted.  This has to take into 
>> account that the backup needs to be as secure as the original users' 
>> directories.
>>
>> Is there a tool that allows partition backups of only the changes as 
>> with incremental backups?  Do we just have to clone the partition and 
>> make copies of that each time?
>>
>> It is a question that I have posed to our IT staff and they have not 
>> thought about it either.
>>
> What you want is a copy-on-write system to record the changes. Too bad 
> you didn't go the whole way on security and run each user in a virtual 
> machine. Then you could make a COW image of the partition, let the user 
> run with that, then back up only the changed pages. When the backup gets 
> large, commit the changes and take a "full" (whole partition) backup, 
> and make a new working COW image for the user to use.
> 
> I do similar with development VMs, make some changes, run with it a 
> while to see that they were *good* changes, then commit. Each day I back 
> up only the differences between the reference image and the working image.
> 

As nothing is set in stone yet, this sounds like a good idea.  The 
question is about the security of the individual files using this 
system.  The knowledge to anyone that may be watching the network of 
whether there are 1 or 100 files being updated.

Any by-file backup may provide details that one may not want to be 
revealed.  It is a tough question to look at.

One of the reasons to start looking at it before things are finalized.

User home directories will be encrypted and mounted on login.  That is 
already confirmed as presently home directories are mounted on login.

-- 
Robin Laing
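
An added example, not part of the original thread or any poster's code: one way to back up only the changed blocks of an unmounted encrypted partition image by comparing per-block hashes of the ciphertext, so the backup never touches plaintext. The 4096-byte block size, the function names and the constructed sample image are assumptions for illustration; a fixed-size partition is assumed, and a real run would stream the device rather than hold it in memory.

```python
import hashlib

BLOCK = 4096  # assumed block size (hypothetical choice for this example)


def manifest(image: bytes, block: int = BLOCK) -> list:
    """Hash every fixed-size block of the raw, still-encrypted image."""
    return [hashlib.sha256(image[i:i + block]).hexdigest()
            for i in range(0, len(image), block)]


def delta(old_manifest: list, image: bytes, block: int = BLOCK) -> dict:
    """Return {block_index: ciphertext_block} for blocks whose hash changed."""
    changed = {}
    for idx, digest in enumerate(manifest(image, block)):
        if idx >= len(old_manifest) or old_manifest[idx] != digest:
            changed[idx] = image[idx * block:(idx + 1) * block]
    return changed


def restore(full: bytes, deltas: list, block: int = BLOCK) -> bytes:
    """Apply incremental deltas, oldest first, on top of the full backup."""
    buf = bytearray(full)
    for d in deltas:
        for idx, data in sorted(d.items()):
            start = idx * block
            buf[start:start + len(data)] = data
    return bytes(buf)


def demo():
    # Constructed stand-in for ciphertext: deterministic pseudo-random bytes.
    full = hashlib.shake_256(b"constructed-image").digest(8 * BLOCK)
    current = bytearray(full)
    # Simulate writes that landed in two encrypted blocks since the full backup.
    current[3 * BLOCK:4 * BLOCK] = hashlib.shake_256(b"edit-1").digest(BLOCK)
    current[6 * BLOCK + 100:6 * BLOCK + 116] = bytes(16)
    return full, bytes(current), delta(manifest(full), bytes(current))


if __name__ == "__main__":
    full, current, d = demo()
    # What an observer of the backup traffic learns: the number of changed
    # blocks and their offsets, not file names or file counts.
    print("changed blocks:", sorted(d), "bytes sent:", sum(map(len, d.values())))
    print("restore matches:", restore(full, [d]) == current)
```
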



