[TIP] Securing your Bytemark backups


#1

I’ve been using Bytemark DH’s & VM’s for many years and the Backup space which come with these products. One thing which has always worried me is how to best secure my Backups which i place on Bytemark’s Backup servers.

While the support Docs detail using Rsync over SSL it is marked with “N.B. This is currently an experimental service;”. The docs also state "but not sensitive enough that you don’t mind it being stored unencrypted " . I do mind and so had to find a solution to this. I’ve tried a number of different solutions, including custom written gpg tar’ing scripts all of which seem to have had some draw backs. :frowning: However I think i’ve now hit on the holly-grail solution for BM backups!

Duplicity - Encrypted bandwidth-efficient backup using the rsync algorithm

Duplicity allows you to perform incremental gpg backups over rsync. This is perfect for use with the Bytemark backup servers.

I’ve been trailing it for a month and so far im very impressed. Hope this helps someone else and i’d be interested to hear your experience of it.


#2

I have used duplicity for quite a while, although I actually NFS mount the backup space and use duplicity in “local file” mode (i.e. with a file: URL). It works well. My backup script does a “remove-all-but-n-full 2” followed by a “--full-if-older-than 7D”. I only backup important writeable directories (such as /etc, /home, /root, /var/www, etc), not the whole system.

I have very rarely needed to restore anything, but I have done so once or twice. The only problem is having to go back and read the man page because I can never remember the commands!

By the way, I also use duplicity on my other systems, mostly with an Amazon S3 target (although I am gradually replacing that with an s3ql-based backup).


#3

It is possible to use encrypted backup files with backup2l. This worked fine for one of my customers, and at least continues to (generally) fit in well with Symbiosis etc.

David.


#4

i’ve been toying with just luks-encrypting my archive-grade backup space. Not much use if you want offsite backups, of course.


#5

How do you implement the encrypted backups with backup2l?


#6

I’ve gone the luks route for my archive-grade backup space. Then just use backup2l as usual. Make sure it auto Opens and mounts on boot.


#7

Im guessing you guys talking about doing luks are on bigV?

Duplicity excels where your backup space is only accessible by nfs/rsync as is the case with the space provided to Dedicated host customers.

For backups where a psychical disk is available, such as BigV’s archive grade disks, ive been toying with btrfs snapshots on LUKS. Not sure if id recommend it for production unless you have another form of backups to fallback on… But with a few simple scripted commands its quite easy to get a “timemachine” type feel to your backups with data de-duplication, compression, point in time snapshots all done at the FS level rather than in tars etc. Makes restoring simple as navigating into the snapshots folder, into the date/time you want and copying out the file as you would with any normal fs. btrfs even supports a form of offsite copying off snapshots.

This article is a great and gives a nice outline of want we can all expect when the nextgen fs’s like btrfs become more widespread.

http://arstechnica.com/information-technology/2014/01/bitrot-and-atomic-cows-inside-next-gen-filesystems/


#8

It looks like Symbiosis stomps all over the default /etc/backup2l.conf file - and doesn’t keep the various DRIVER definitions.

Take a look in : /usr/share/doc/backup2l/first-time.conf.gz for a stock configuration which includes the GPG stuff.