On Mon, Feb 15, 2010 at 04:32:41PM -0500, tribat wrote:
>
> Would be cool to get the BackupPC TopDir on an encrypted container so I could
> backup machines that are running an encrypted OS.
>
> I found out that dm_crypt can be used between a loop mounted FS container to
> encrypt all the data in that container, there's just one problem, the size of
> the container isn't dynamic. So as the backup space requirements change you
> would need to manually shrink and grow the container and the filesystem in
> it. I don't want that.

Well that is a problem with the container, not the encrypted loop device, since
that one will grow/shrink along with its container. I don't see how this is
different from a non-encrypted setup, since the same problem arises there: you
will need to grow the partition/lvm volume/... and the filesystem in it.

Just to make sure it is reasonable to do this, here is our setup:
- two disks in raid1, used as lvm physical volume
- logical volume for backuppc inside it
- cryptsetup/LUKS encryption of volume
- xfs filesystem (many hardlinks supported, very good for backuppc) in
  encrypted volume

The logical volume (in encrypted form, without the encryption keys) is
synchronised from time to time to an offsite machine.

... and we have already increased the size of the logical volume as space ran
out once, and the XFS filesystem in it.

> The only dynamic crypto container solution I found was EncFS, it seems to be
> the perfect tool for the job. I tried and tried and tried on my Debian Lenny
> but I just couldn't get the TopDir to work on an EncFS mount residing on an
> ext3 partition.

EncFS should be able to do the job I think, though I haven't tried it. Just
make sure you don't enable "External IV Chaining", since that doesn't work with
the hardlinks that backuppc needs.

Overall, I believe more in disk-level encryption than file-level encryption...
it is faster (in-kernel instead of in userspace, and no per-file overhead), and
more secure (doesn't leak any information about the filesystem structure in
it), and I would only use it in cases where disk-level encryption isn't
flexible enough (only a subdirectory needs to be encrypted, or you need some of
the paranoid options of encfs).

Kind regards,
-- 
Pieter
_______________________________________________
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
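
The resize mentioned in the reply above (grow the logical volume, then the XFS filesystem inside the LUKS volume), sketched as an added example that is not part of the original message or of BackupPC. The device, mapping and mount point names are assumptions, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: grow an LVM -> LUKS (dm-crypt) -> XFS stack from the bottom up.
# Assumed names: /dev/vg0/backuppc (logical volume), backuppc_crypt (opened
# LUKS mapping), /var/lib/backuppc (mounted XFS filesystem holding TopDir).

# grow_plan LV_PATH MAPPING MOUNTPOINT SIZE
# Prints one command per line in the order the layers must be grown.
grow_plan() {
    [ $# -eq 4 ] || { echo "usage: grow_plan LV MAPPING MOUNTPOINT SIZE" >&2; return 2; }
    lv=$1 map=$2 mnt=$3 add=$4
    # SIZE must be digits followed by M, G or T (for example 50G).
    num=${add%[MGT]}
    case $num in
        "$add"|''|*[!0-9]*) echo "size must look like 50G" >&2; return 2 ;;
    esac
    # 1. The block device underneath has to grow first.
    echo "lvextend -L +$add $lv"
    # 2. The dm-crypt mapping keeps its old size until told to use the new space.
    echo "cryptsetup resize $map"
    # 3. XFS is grown while mounted, addressed by mount point. XFS cannot be
    #    shrunk again, so an oversized step cannot be undone in place.
    echo "xfs_growfs $mnt"
}

# grow_stack: run the plan, or only show it while DRY_RUN is unset or 1.
# Commands are split on whitespace, so the names must not contain spaces.
grow_stack() {
    plan=$(grow_plan "$@") || return $?
    echo "$plan" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: $cmd"
        else
            echo "running: $cmd"
            $cmd || exit 1   # stop at the first failing layer
        fi
    done
}

# Dry run with the assumed names: prints the three steps without touching disks.
grow_stack /dev/vg0/backuppc backuppc_crypt /var/lib/backuppc 50G
```

None of the three steps needs the backup data decrypted anywhere else, and the offsite copy of the encrypted logical volume needs a target at least as large as the grown volume.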