Hello dear new qubes family,

I am having trouble designing a backup concept for my qubes workstation.
My goal is to have a (daily) copy of the entire workstation on a trusted
remote backup target (versioning, encryption, and rotation are done
remotely). Only a small part of the local data ("vault") would need to
be encrypted before sending it on its way.
My plan was to use a dedicated backup-vm, locked down to only connect to
the remote target.

- My first idea was to "mount --bind" the data to the backup-vm in
read-only mode. It would then do a simple rsync to the remote backup
target. This seems not to be possible, as I can't mount a directory from
outside, dom0, into the filesystem of the backup-vm. Mounting a
btrfs-snapshot would be a nice alternative, which doesn't seem to be
possible either.

- I could use a dedicated drive, partition, or .img file to hold a copy
of all data locally and connect this back and forth between dom0 and the
backup-vm. This seems wasteful and opens security risks.

- I could serve all data via nfs to the backup-vm. This would, of
course, open security risks in enabling some kind of networking in dom0.

- I could send the backup-stream ("btrfs send", for example) to the
backup-vm and it forwards it to the remote backup target. This would
need all backup logic, programs and scripts to run in dom0. Also, I
suppose this would be an unstable solution, where (network) problems
immediately lead to a failed and broken backup (where rsync fails more
gracefully).


How do other people back up their qubes machine to a remote target?

Thank you,

N2
