Actually this coincides with an idea I had for using BackupPC for use as a
backup service.  It would have to operate differently to the standard
configuration, though.  The system I envisioned was as follows:

   - rather than the BackupPC Server polling clients, the clients would be
   responsible for initiating the connection to the BackupPC server.
   - The BackupPC server would need to run Rsyncd in order to listen for
   connections and expose the backup store location to the client, based on
   the authentication and other defined criteria (allotted space, compression,
   encryption, authorization)
   - the clients would run rsync (or some other process) which will send
   the data across to the BackupPC server, over SSH (for example), which would
   utilize encryption for the SSH path.
   - Optionally, the data can (possibly) be encrypted BY THE CLIENT, and
   sent across as raw bits to be stored on the Rsync store.  This would mean
   that, as was suggested by John's boss, the server does not have access to
   the unencrypted data, as the client could choose their own password which
   the server/service provider would not have.  This would mean, though, that
   data recovery from failed disks would be a royal pain.

Issues:

   - Client access to the data - the web interface would become much more
   complex, as it would now need to be accessed over a WAN or Internet in
   order to check or manipulate clients' backups and restores.
   - Client would now need to keep "backup state" information
   - WAN link becomes issue - Internet connection speeds will determine
   backup duration.
   - Backing up of clients may be limited to the use of Rsync and SSH.


Other Considerations:

   - Client can optionally have a "staging server" which offers a web
   interface for local consumption, interacts directly with the backup server
   (as a sort of gateway), keeps backup state and status, and stores commonly
   accessed info (backup details, file lists, etc), and would be responsible
   for requesting files for restore from the backup server.  This could aid
   with system security, as the Backup Service will have fewer interfaces to
   expose to the public.
   - Secure encrypted communications can then happen between staging server
   and BackupPC server(s), with on-disk encryption, if needed, being done by
   the staging server before shipping files over.


This means that BackupPC would need to be changed from a "pull" backup
system (by the server), to "push" backups (by the clients).  It would also
change the way the web interface operated (if clients now access from the
server), or the structure and relationship between systems if the option of
a gateway or staging server is utilized.

While I am not a programmer, and would not be able to even begin to provide
any assistance in this, I think such an option would not just put BackupPC
over the top (as it is already there), but would place it in a completely
new class of software (BaaS - Backups as a Service), and open up a whole
new realm of options for OSS fans.


Any criticisms (or dissecting, correcting, whatever) of the above is
welcomed.  Does anyone think this may be feasible?



Gerry George
DigiSolv, Inc.


On Thu, May 17, 2012 at 3:46 PM, John Hutchinson <[email protected]> wrote:

>  OK, that answers my question.  The issue is that we are looking at backing
> up clients' machines and my boss wanted to be able to tell them that even we
> can not see their files.  I did not think it was possible but thought it
> was worth asking.
>
> John
>
>
> On 5/16/2012 7:05 PM, Arnold Krille wrote:
>
> On 16.05.2012 22:52, John Hutchinson wrote:
>
>  Is there any way to setup backuppc so that the pc and the pool directory
> are encrypted so they can only be accessed by the web interface with a
> valid user?
>
>  If you mean encryption: No, not really. You can encrypt the disk where
> backuppc stores the data. But anything you do will be un-encrypted as
> long as backuppc (and the webinterface via apache) is running.
>
> If you mean authentication/authorization, yes that's one of the things
> apache can do. And that's really what "access the web-interface with a
> valid user" means. Note that the definition of a "valid user" is only
> limited by what apache supports for this (which is quite a lot and
> includes kerberos and ldap and such things). See the
> apache-documentation for that.
>
> Have fun,
>
> Arnold
>
> PS: Is there a reason you didn't start your own thread? - Note that just
> hitting "reply" and editing the subject does _not_ create a new thread,
> your mail still contains headers in-reply-to: and references: and thus
> is still belonging to a different thread...
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>
>
>
> _______________________________________________
> BackupPC-users mailing list
> [email protected]
> List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
> Wiki:    http://backuppc.wiki.sourceforge.net
> Project: http://backuppc.sourceforge.net/
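
A sketch of the server side of the "push" model proposed in the top message, added here as an example; it is not part of the original thread and not BackupPC configuration. It is a stock rsync daemon with one authenticated module per client, and the client names, paths, service account and the loopback-plus-SSH-tunnel arrangement are all assumptions.

```ini
# rsyncd.conf - constructed sketch for client-initiated ("push") backups.
# Comments must sit on their own lines: rsyncd.conf has no inline comments.

# --- global section (defaults for every module) ---
# Listen on loopback only, so clients can reach the daemon solely through
# an SSH tunnel and the rsync traffic rides the encrypted SSH path.
address = 127.0.0.1
port = 873
# Confine each session to its module path and run as an unprivileged
# account (assumed name) that owns the store.
use chroot = yes
uid = backup
gid = backup
max connections = 10
log file = /var/log/rsyncd.log
# One "user:password" pair per line; strict modes makes the daemon refuse
# a secrets file that other users can read.
secrets file = /etc/rsyncd.secrets
strict modes = yes
# Do not advertise module names to unauthenticated callers.
list = no

# --- one module per client: each login sees only its own directory ---
[client-a]
    path = /srv/backupstore/client-a
    auth users = client-a
    read only = no
    # A compromised client should not be able to wipe its own history.
    refuse options = delete

[client-b]
    path = /srv/backupstore/client-b
    auth users = client-b
    read only = no
    refuse options = delete

# Not covered here: allotted space has to be enforced outside this file
# (for example with filesystem quotas on each client directory).
# If clients encrypt before upload, these paths hold only ciphertext and
# the operator of this host never holds the passphrase.
```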
