
Disclaimer: I am often asked about best practices regarding eCryptfs backups. I am not necessarily advocating this as the best approach; rather, this is simply my approach. Do with it what you will ;-)
I generally perform two types of backups...
- Backups to Trusted, typically Local Storage (~hourly)
- Backups to Untrusted, typically Remote Storage (~daily)
For me, trusted local storage generally means hardware over which I have physical control, and on which I am the only person with immediate root access. This might be a system in my home or office, or even static media locked in a safe deposit box at the bank -- understanding of course that I must trust the physical controls in place. If I don't trust the physical controls, then it's not trusted local storage. My laptop, since I often travel with it, is not trusted local storage, since there's a fair possibility that it might be stolen.
And for me, untrusted remote storage generally means a reasonably secure system, but one that I do not have physical control over and on which I may not be the (only) root user. This includes co-los and various forms of web and cloud storage (such as Amazon S3).
I will keep backup copies of my cleartext data on trusted local storage. For me, this means an hourly cronjob that does something like this on the LAN:
    rsync -aP /home/$USER/ \
        trusted.local.storage:/var/backups/home/$USER/
For untrusted remote storage, I never send my cleartext data, but rather my encrypted private data for backup. And since it's usually over a WAN, I use a daily cronjob that does something like:
    rsync -azP $HOME/.Private/ \
        untrusted.remote.storage:/var/backups/home/$USER/.Private/
And in both cases, I will periodically (once a month?) run rsync with --delete and --dry-run by hand, check the diff, and then re-run with --delete if I'm satisfied with the results. Do this with care ;-)
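One way to script the dry-run review described above, as an added example that is not part of the original post. The function names, the deletion limit and the sample dry-run output are assumptions made for illustration; the parsing relies on rsync's `--itemize-changes` output, which marks each pending removal with `*deleting`.

```shell
#!/bin/sh
# Added example: gate an rsync --delete run behind a reviewed dry run.

# Constructed sample of `rsync -a --delete --dry-run --itemize-changes` output.
SAMPLE_PLAN='*deleting   old/notes.txt
*deleting   old/
>f.st...... docs/report.odt
cd+++++++++ photos/'

# Read dry-run output on stdin and print only the paths rsync would delete.
pending_deletions() {
    sed -n 's/^\*deleting  *//p'
}

# $1 = dry-run output, $2 = maximum number of deletions to accept.
# Returns 0 when the plan stays within the limit, 1 otherwise.
deletions_within_limit() {
    count=$(printf '%s\n' "$1" | pending_deletions | wc -l | tr -d ' ')
    [ "$count" -le "$2" ]
}

# prune_backup SRC DEST [MAX]
# Dry run first, print what would be removed, refuse if the plan looks
# too large (for example an empty or unmounted source), then ask before
# running the real --delete pass.
prune_backup() {
    src=$1
    dest=$2
    max=${3:-50}
    plan=$(rsync -a --delete --dry-run --itemize-changes "$src" "$dest") || return 1
    echo "Would delete on $dest:"
    printf '%s\n' "$plan" | pending_deletions
    if ! deletions_within_limit "$plan" "$max"; then
        echo "More than $max deletions pending; refusing to continue." >&2
        return 1
    fi
    printf 'Re-run with --delete for real? [y/N] '
    read -r answer
    [ "$answer" = y ] || return 1
    rsync -a --delete "$src" "$dest"
}
```

Called by hand as `prune_backup "$HOME/.Private/" untrusted.remote.storage:/var/backups/home/$USER/.Private/`, it prints the pending removals and waits for a `y` before anything is deleted on the backup side.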
This may or may not be ideal for you, and some of you probably have even better ideas! Please feel free to leave a comment if you'd like to share your best practices for backing up your eCryptfs data.
:-Dustin