Consider using borgbackup.

Borgbackup is bandwidth-efficient (only sends deltas), versioned (later backups 
don't overwrite earlier ones), compressed, deduplicated, and encrypted.

Here is an outline of a Qubes 4.0 setup:

BACKUP:
In dom0, borg reads the source VM's private block device and computes the delta 
(of the raw data) against all previous backups. The delta is then compressed, 
encrypted, and then streamed to a net-connected VM, which in turn ssh's the 
data to your backup server.

RESTORE:
In dom0, borg again uses the net-connected VM to mount a FUSE fs (in dom0) 
containing the block device you backed up. You then pass that block device to 
the source (or other) VM (via loop mount + qvm-block). Inside the VM, you mount 
the device read-only, and can now restore single files or rsync all files 
(restores differences!).

For example, a 20GB backup may result in a 200MB daily delta that takes 5 
minutes to back up remotely.

SECURITY:
* At no point does decrypted data leave dom0. The encryption key stays in dom0. 
Neither the remote server, nor the net-connected proxying VM, are trusted.
* You never mount the backup in dom0, only in the source or other VM
* Since the backup is orchestrated by dom0, the source VM cannot delete its own 
backups.

IMPLEMENTATION NOTE:
The key to using borg from dom0 is to use BORG_RSH= to tunnel out, something 
like
  BORG_RSH='qvm-run -p <borg_proxy_vm> ssh'
(This doesn't quite work since dom0's qvm-run doesn't pass extra args to the 
command it runs, but you can work around it using a script).
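
One possible shape for the workaround script mentioned in the implementation note, as an added example that is not part of the original message: a dom0 wrapper that re-quotes the arguments borg appends and hands qvm-run a single command string. The script name, the BORG_PROXY_VM variable and its default value are assumptions; BORG_RSH would be set to the script's path.

```shell
#!/bin/sh
# borg-rsh-wrapper: used from dom0 as BORG_RSH (script name and path are assumptions).
# borg appends its ssh arguments (host, "borg serve ...") to BORG_RSH as separate
# words; qvm-run takes one command string, so the words are re-quoted and joined.

# Assumption: the proxy VM name comes from a variable named BORG_PROXY_VM.
PROXY_VM="${BORG_PROXY_VM:-borg-proxy}"

# Wrap one argument in single quotes, escaping embedded single quotes as '\''.
quote_arg() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the single command line that the proxy VM's shell will parse.
build_remote_cmd() {
    cmd="ssh"
    for arg in "$@"; do
        cmd="$cmd $(quote_arg "$arg")"
    done
    printf '%s\n' "$cmd"
}

# With no arguments the file only defines the functions (handy for testing).
# -p passes stdin/stdout between dom0 and the VM, carrying borg's encrypted stream.
[ "$#" -eq 0 ] || exec qvm-run -p "$PROXY_VM" "$(build_remote_cmd "$@")"
```

Quoting every word keeps arguments containing spaces or shell metacharacters intact when the proxy VM's shell parses the string, so the ssh command there receives exactly the words borg passed in dom0.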
