Re: Backup encryption key
בThursday 23 April 2009, נכתב על ידי Yuval Hager: On Thursday 23 April 2009, Shachar Shemesh wrote: I should point out one huge disadvantage of storing binary diffs when using encrypted systems. There is no (practical) way to erase old backups. Your backup storage size is bound to be ever increasing. This is because the only way to create a new complete snapshot (i.e. - a non-incremental backup) is to retransmit the entire backup data. Because the remote side is encrypted, you cannot use it to expand the image remotely. I have not given as much thought as you to the details here, but if I read the man page correctly, duplicity does allow to --remove-older-than. I am not sure how that works though. I've continued to read on that - as long as you have at least one full backup, you can deleted earlier backups (which is quite obvious). The main reason I am using rdiff-backup is that I can delete backups older than a certain time, as much as I like, without ever running a full backup besides the initial backup. The only limitation is that the data is not compressed nor encrypted on the destination. -- yuval signature.asc Description: This is a digitally signed message part. ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Yuval Hager wrote: בThursday 23 April 2009, נכתב על ידי Yuval Hager: On Thursday 23 April 2009, Shachar Shemesh wrote: I should point out one huge disadvantage of storing binary diffs when using encrypted systems. There is no (practical) way to erase old backups. Your backup storage size is bound to be ever increasing. This is because the only way to create a new complete snapshot (i.e. - a non-incremental backup) is to retransmit the entire backup data. Because the remote side is encrypted, you cannot use it to expand the image remotely. I have not given as much thought as you to the details here, but if I read the man page correctly, duplicity does allow to --remove-older-than. I am not sure how that works though. I've continued to read on that - as long as you have at least one full backup, you can deleted earlier backups (which is quite obvious). The main reason I am using rdiff-backup is that I can delete backups older than a certain time, as much as I like, without ever running a full backup besides the initial backup. The only limitation is that the data is not compressed nor encrypted on the destination. And with rsyncrypto+rsync, you can do all that AND have them encrypted and compressed. Shachar -- Shachar Shemesh Lingnu Open Source Consulting Ltd. http://www.lingnu.com ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
its a standard application, but I do understand your point. if you insist, you can install the App on a U3 disc format. this way it will run from the USB without the need to reinstall it. Then how would you connect to a Linux machine? as for the app: - http://www.download3k.com/Install-Family-Key-Logger.html (simple app) - http://fraggedone.netfirms.com/security.html - search for Keystroke loggers, many links - my own favorite few years back was Subseven. Its a very old tool, that allow you to create your own trojan and back-door entry. The application allow for many many options, very flexible and has many ready-templates. There are many download links available, google it and try your luck. I strongly advice you to read the manual and close your FW before you start play with it; other wise both your Anti-virus and firewall will have a hear-attack.. Thanks, I will take a look at those. I do no actually need a keylogger, but I want to know what I am up against when I use public computers. Thanks. -- Dotan Cohen http://what-is-what.com http://gibberish.co.il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Easy, 1. connect the USB 2. Run the TrueCrypt (http://www.truecrypt.org/) This is the problematic step. If you came to my computer with your USB key and asked to install a program so that you could use your key, I would not let you. Nor could you use it at a public facility such as a library. 3. Mount the un-partitioned disk (on the USB) drive. I will be asked for the password in the mounting process. [10 seconds, so far] Unless the station has something that will copy the disk, while connected; the password by itself wouldn't help anybody (its a local disk, not a web application accessed by anybody with my password). That said, but since i always worry about key logger and such, I very much try to avoid using it from a PC/station I do not trust (I know how easy key-loggers are to deploy ;) Really? Should I be worried? For that matter, do you have the address of some keylogging software that I could play with in a virtual Windows machine? I have googled just now, but I cannot find anything that doesn't cost money. I will be responsible with it, I promise, but in any case you might want to send a link or info off-list just in case. Thanks. -- Dotan Cohen http://what-is-what.com http://gibberish.co.il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
On Saturday 25 April 2009, 13:11, Dotan Cohen wrote: Really? Should I be worried? For that matter, do you have the address of some keylogging software that I could play with in a virtual Windows machine? I have googled just now, but I cannot find anything that doesn't cost money. I will be responsible with it, I promise, but in any case you might want to send a link or info off-list just in case. Thanks. Try this: http://amecisco.com/iks2000.htm It's a limited demo version, but enough to give you an idea. Shahar ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Try this: http://amecisco.com/iks2000.htm It's a limited demo version, but enough to give you an idea. Thanks, Shahar. It seems that this is something that the computer admin must install, not a portable app or something similar. So, so long as I trust the admin (for instance, at the Technion's libraries) I should be safe so long as I reboot before using the computer and performing sensitive operations. In other words, some malicious student could not get my logins by exploiting the library computers that I do use. I would only be at risk using internet cafes and such, where I do not trust the admins. -- Dotan Cohen http://what-is-what.com http://gibberish.co.il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Dotan Cohen wrote: Try this: http://amecisco.com/iks2000.htm It's a limited demo version, but enough to give you an idea. Thanks, Shahar. It seems that this is something that the computer admin must install, not a portable app or something similar. So, so long as I trust the admin (for instance, at the Technion's libraries) I should be safe so long as I reboot before using the computer and performing sensitive operations. In other words, some malicious student could not get my logins by exploiting the library computers that I do use. I would only be at risk using internet cafes and such, where I do not trust the admins. I can write a Windows key logger in about half an hour, and I don't think you would need admin in order to run it (making it run in other people's session is another matter). Shachar -- Shachar Shemesh Lingnu Open Source Consulting Ltd. http://www.lingnu.com ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
I can write a Windows key logger in about half an hour, and I don't think you would need admin in order to run it (making it run in other people's session is another matter). I see. Coming from the Linux world, I just figured that if it was doable then someone had already made such a tool available. I suppose that Rule #36 is not valid in the Windows ecosystem, where users are expected to pay for everything. Thanks for the info. -- Dotan Cohen http://what-is-what.com http://gibberish.co.il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
This one runs in kernel space and plants itself beneath the keyboard driver, so it can capture everything and is almost undetectable. And Windows will run that as a portable app, ie, no installation required? A malicious entity can just run that on any public computer and collect info? There are numerous hardware keyloggers that require only somewhere to hide behind the pc. Actually, I am aware of those. For some reason, I do not feel worried about that, but I will start checking for good measure! -- Dotan Cohen http://what-is-what.com http://gibberish.co.il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Before I begin, I should point out that I never brought my company's service up in this thread. Yes, rsyncrypto is my project, and it is a major part of the service Lingnu is offering, but it is open source, comes built in as part of Debian and Ubuntu, and you can use it without paying me or Lingnu a dime. Diego Iastrubni wrote: As someone who tried to convince his boss to use Shachar's product, I can tell you that there are companies (in israel!) who sell a competing product, which is closed source, but: * works with a nice Java Based web interface, * it has a CLI version (works on 64 bit as well) * it's incremental backup * their service sends you email when you finish the backup * the email tells you what amont of data (in MB) has been sent * if you miss a backup a few days, you get a call from them is everthing ok? - don't trust automated setups! * they store up to a week of information as history * the traffic is encrypted using blowfish * if your initial backup is huge they can send someone to your office which comes with a USB disk and copies it manually the first time. More than half the points you raise are related to the service, rather than the technology. Yes, you can get most of them from Lingnu as well, but the discussion here was centered around technology for doing remote backups (as I pointed out, I never even brought up the fact that my company offers such a service). In particular, the point one before last should be used as a huge warning sign as far as the technology is involved. Besides it being closed source, written in java and (*) it's a damn good service. I can recommend off list if you want. Still, if I had the choise, I would use Shachar's service, not only because of (*). I prefear my money to go to someone from the community. This is a huge point, though. The traffic transferring the data to the remote server is encrypted, but the data on the remote server is not. A rogue employee or a security breach may compromise your data. Of course, once the data is not encrypted, manipulating it is a piece of cake. You can perform quite sophisticated server side processing on it. Shachar P.s. Blowfish? In this day and age? -- Shachar Shemesh Lingnu Open Source Consulting Ltd. http://www.lingnu.com ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
On Friday 24 April 2009 09:34:40 you wrote: P.s. Blowfish? In this day and age? Twofish, I stand corrected. Their specks are very confusing: * They claim that the transport is based on https * They claim that the encryption key is stored on my computer, but i see no documentation on the location. * I don't know how the encryption key is made, my guess is that the input is the password used, I might be wrong. * I know that that the tech support can see the encrypted password of each user (john to the rescue!), and can see the list of files. I am not sure about the content. I guess that they are not as transparent as Lingnu, and their technology is great, but the docs sux. I brought Lingu's service to the debate, since it offers much more then just a secured layer. I assume that readers of this thread are more interested about the service provided by some companies, and not just the technical details. ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Fwd: Backup encryption key
1. I use external drive 2. Using TrueCrypt I mount the external drive, encrypt its content and password-protected it. 3. I backup all my data to this drive. 4. Data is encrypted, password protected and on un-recognized drive. Once the drive is connected to a PC, you need to re-mount it using TrueCrypt. To mount the drive you will be requested the password. if you try to open the disk without mounting it first, it is show as un-formatted drive. Nice add-on, i initially partitioned the disk and left the TrueCrypt.exe in it. I can come to any computer, connect the drive via its USB, run the application and get the data (password etc). being using it for a while, works good. nir -- Regards, Nir Grinberg I.T.C. IP Technologies Ltd. n...@israelnumber.com www.IsraelNumber.com 972.3.9707000 2009/4/23 Yuval Hager yu...@avramzon.net: Hi, I've been considering encrypting my backups (e.g. using duplicity), but I am always afraid to lose the backup key when I lose the data I need to restore. This has the unfortunate implications of practically having no backups at all. I'd like to ask the list, when you backup your data (and you do, don't you?) - do you use encryption? If so, what measures do you take to ensure the key is safer than the data itself? Cheers, -- yuval ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Nice add-on, i initially partitioned the disk and left the TrueCrypt.exe in it. I can come to any computer, connect the drive via its USB, run the application and get the data (password etc). That sounds like it depends upon the application being already installed on the computer. How do you connect the drive on computers that you do not own, or do not regularly use, such as public library computers or customers' sites? -- Dotan Cohen http://what-is-what.com http://gibberish.co.il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Easy, 1. connect the USB 2. Run the TrueCrypt (http://www.truecrypt.org/) 3. Mount the un-partitioned disk (on the USB) drive. I will be asked for the password in the mounting process. [10 seconds, so far] Unless the station has something that will copy the disk, while connected; the password by itself wouldn't help anybody (its a local disk, not a web application accessed by anybody with my password). That said, but since i always worry about key logger and such, I very much try to avoid using it from a PC/station I do not trust (I know how easy key-loggers are to deploy ;) BTW, I use this setup on a WD 320G Passport external disk, not as backup, but as my Data disk. The whole setup is fairly secured, while still being comfortable for daily usage. nir -- Regards, Nir Grinberg I.T.C. IP Technologies Ltd. n...@israelnumber.com www.IsraelNumber.com 972.3.9707000 On Fri, Apr 24, 2009 at 3:56 PM, Dotan Cohen dotanco...@gmail.com wrote: Nice add-on, i initially partitioned the disk and left the TrueCrypt.exe in it. I can come to any computer, connect the drive via its USB, run the application and get the data (password etc). That sounds like it depends upon the application being already installed on the computer. How do you connect the drive on computers that you do not own, or do not regularly use, such as public library computers or customers' sites? -- Dotan Cohen http://what-is-what.com http://gibberish.co.il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Backup encryption key
Hi, I've been considering encrypting my backups (e.g. using duplicity), but I am always afraid to lose the backup key when I lose the data I need to restore. This has the unfortunate implications of practically having no backups at all. I'd like to ask the list, when you backup your data (and you do, don't you?) - do you use encryption? If so, what measures do you take to ensure the key is safer than the data itself? Cheers, -- yuval signature.asc Description: This is a digitally signed message part. ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Yuval Hager wrote: Hi, I've been considering encrypting my backups (e.g. using duplicity), but I am always afraid to lose the backup key when I lose the data I need to restore. This has the unfortunate implications of practically having no backups at all. I'd like to ask the list, when you backup your data (and you do, don't you?) - do you use encryption? If so, what measures do you take to ensure the key is safer than the data itself? Cheers, Personally, I put the encryption key on a CD (several copies) and on a brand new disk on key (again, several copies), and store them in a safe I rented at a bank. I also have some other copies (this time the key is itself encrypted) which I store at my lawyer's safe. Then again, my company makes a living from selling online backups. I will readily grant that that procedure is somewhat of an overkill. Shachar -- Shachar Shemesh Lingnu Open Source Consulting Ltd. http://www.lingnu.com ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
I've been considering encrypting my backups (e.g. using duplicity), but I am always afraid to lose the backup key when I lose the data I need to restore. This has the unfortunate implications of practically having no backups at all. I'd like to ask the list, when you backup your data (and you do, don't you?) - do you use encryption? If so, what measures do you take to ensure the key is safer than the data itself? My backups are merely encrypted tarballs of my $HOME directory, with a password. Like you, I fear not having access to whatever data that I need to open my backups, but do not want to leave them unencrypted. -- Dotan Cohen http://what-is-what.com http://gibberish.co.il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
On Thursday 23 April 2009, Dotan Cohen wrote: I've been considering encrypting my backups (e.g. using duplicity), but I am always afraid to lose the backup key when I lose the data I need to restore. This has the unfortunate implications of practically having no backups at all. I'd like to ask the list, when you backup your data (and you do, don't you?) - do you use encryption? If so, what measures do you take to ensure the key is safer than the data itself? My backups are merely encrypted tarballs of my $HOME directory, with a password. Like you, I fear not having access to whatever data that I need to open my backups, but do not want to leave them unencrypted. How do you use the password in an automated backup then? -- yuval signature.asc Description: This is a digitally signed message part. ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Yuval Hager wrote: On Thursday 23 April 2009, Dotan Cohen wrote: I've been considering encrypting my backups (e.g. using duplicity), but I am always afraid to lose the backup key when I lose the data I need to restore. This has the unfortunate implications of practically having no backups at all. I'd like to ask the list, when you backup your data (and you do, don't you?) - do you use encryption? If so, what measures do you take to ensure the key is safer than the data itself? My backups are merely encrypted tarballs of my $HOME directory, with a password. Like you, I fear not having access to whatever data that I need to open my backups, but do not want to leave them unencrypted. How do you use the password in an automated backup then? You encrypt using a public key. You only need the private key in order to decrypt. Shachar -- Shachar Shemesh Lingnu Open Source Consulting Ltd. http://www.lingnu.com ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
How do you use the password in an automated backup then? Actually, I do not automate it. This is the command that I use to make the tarball: $ tar -zcvf - /home/user/ | openssl des3 -salt -k PASSWORD | dd of=DATE.tbz And this one to decrypt it: $ dd if=DATE.tbz | openssl des3 -d -k PASSWORD | tar zvxf - -- Dotan Cohen http://what-is-what.com http://gibberish.co.il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
On Thursday 23 April 2009, Dotan Cohen wrote: How do you use the password in an automated backup then? Actually, I do not automate it. This is the command that I use to make the tarball: $ tar -zcvf - /home/user/ | openssl des3 -salt -k PASSWORD | dd of=DATE.tbz And this one to decrypt it: $ dd if=DATE.tbz | openssl des3 -d -k PASSWORD | tar zvxf - Well, I was looking for a more streamlined solution. Something that is: 1) automatic 2) offsite (e.g. online) 3) bandwidth and space efficient (due to (2) above) 4) (opt.) encrypted 5) incremental I currently use rdiff-backup, but it does not abide to (3) above. I started looking into duplicity (from the same author), and then thought about description, hence the original post. -- yuval signature.asc Description: This is a digitally signed message part. ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Yuval Hager wrote: On Thursday 23 April 2009, Dotan Cohen wrote: How do you use the password in an automated backup then? Actually, I do not automate it. This is the command that I use to make the tarball: $ tar -zcvf - /home/user/ | openssl des3 -salt -k PASSWORD | dd of=DATE.tbz And this one to decrypt it: $ dd if=DATE.tbz | openssl des3 -d -k PASSWORD | tar zvxf - Well, I was looking for a more streamlined solution. Something that is: 1) automatic 2) offsite (e.g. online) 3) bandwidth and space efficient (due to (2) above) 4) (opt.) encrypted 5) incremental I currently use rdiff-backup, but it does not abide to (3) above. I started looking into duplicity (from the same author), and then thought about description, hence the original post. http://rsyncrypto.lingnu.com + rsync Provides 1-5. Shachar -- Shachar Shemesh Lingnu Open Source Consulting Ltd. http://www.lingnu.com ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
On Thursday 23 April 2009, Shachar Shemesh wrote: Yuval Hager wrote: On Thursday 23 April 2009, Dotan Cohen wrote: How do you use the password in an automated backup then? Actually, I do not automate it. This is the command that I use to make the tarball: $ tar -zcvf - /home/user/ | openssl des3 -salt -k PASSWORD | dd of=DATE.tbz And this one to decrypt it: $ dd if=DATE.tbz | openssl des3 -d -k PASSWORD | tar zvxf - Well, I was looking for a more streamlined solution. Something that is: 1) automatic 2) offsite (e.g. online) 3) bandwidth and space efficient (due to (2) above) 4) (opt.) encrypted 5) incremental I currently use rdiff-backup, but it does not abide to (3) above. I started looking into duplicity (from the same author), and then thought about description, hence the original post. http://rsyncrypto.lingnu.com + rsync Provides 1-5. Shachar Thanks. I probably wasn't clear on (5). I would like to be able to go back in time when I restore. AFAIK, rsync* solutions are mirroring the current state only, where rdiff-backup and duplicity does allow time travel. There is still the original question about the key handling, I just wanted to give a little more context.. --y signature.asc Description: This is a digitally signed message part. ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Thanks. I probably wasn't clear on (5). I would like to be able to go back in time when I restore. I think that you will have to wait for Stephen Hawkins to recover before that will be possible. AFAIK, rsync* solutions are mirroring the current state only, where rdiff-backup and duplicity does allow time travel. Really? Is that based on libhgwells? -- Dotan Cohen http://what-is-what.com http://gibberish.co.il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Yuval Hager wrote: Thanks. I probably wasn't clear on (5). I would like to be able to go back in time when I restore. AFAIK, rsync* solutions are mirroring the current state only, where rdiff-backup and duplicity does allow time travel. There is still the original question about the key handling, I just wanted to give a little more context.. --y rsync allows you to create a new image for each iteration, where the new version contains hard links to the old one if nothing changed in the file. For all intents and purposes, this is incremental backup. I should point out one huge disadvantage of storing binary diffs when using encrypted systems. There is no (practical) way to erase old backups. Your backup storage size is bound to be ever increasing. This is because the only way to create a new complete snapshot (i.e. - a non-incremental backup) is to retransmit the entire backup data. Because the remote side is encrypted, you cannot use it to expand the image remotely. With rsync, you have some storage overhead (changed files are stored again in their entirety, rather than merely the changes), but that does not reflect in the bandwidth requirement. You gain the advantage that every snapshot is independent. You can erase old snapshots in arbitrary order, without risking your data. Shachar -- Shachar Shemesh Lingnu Open Source Consulting Ltd. http://www.lingnu.com ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Dotan Cohen dotanco...@gmail.com writes: How do you use the password in an automated backup then? Actually, I do not automate it. This is the command that I use to make the tarball: $ tar -zcvf - /home/user/ | openssl des3 -salt -k PASSWORD | dd of=DATE.tbz And this one to decrypt it: $ dd if=DATE.tbz | openssl des3 -d -k PASSWORD | tar zvxf - So you password appears in cleartext in the shell history, probably in some logs, is ps output, etc? -- Oleg Goldshmidt | p...@goldshmidt.org ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Yuval Hager yu...@avramzon.net writes: Well, I was looking for a more streamlined solution. Something that is: 1) automatic 2) offsite (e.g. online) 3) bandwidth and space efficient (due to (2) above) 4) (opt.) encrypted 5) incremental A combination of tar (that can do incremental backups) and scp or similar will do 2, 3, and 5. 1 can be handled by cron. 4 probably has to be delegated to openssl like was suggested, encrypting with a public key, etc. It should be possible with a simple script. I used to have one that did everything but encryption, I don't know if I can dig it out (of backups)... ;-) -- Oleg Goldshmidt | p...@goldshmidt.org ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Actually, I do not automate it. This is the command that I use to make the tarball: $ tar -zcvf - /home/user/ | openssl des3 -salt -k PASSWORD | dd of=DATE.tbz And this one to decrypt it: $ dd if=DATE.tbz | openssl des3 -d -k PASSWORD | tar zvxf - So you password appears in cleartext in the shell history, probably in some logs, is ps output, etc? Actually, I am aware of that problem. I had considered writing a shell script to automatically add the date and ask for the password, but decided that will be my opportunity to learn python instead. So until I have a spare day to get into Python I'm doing it this way. It is a single user system, which is not an excuse, but it mitigates risks. -- Dotan Cohen http://what-is-what.com http://gibberish.co.il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
On Thursday 23 April 2009, Shachar Shemesh wrote: I should point out one huge disadvantage of storing binary diffs when using encrypted systems. There is no (practical) way to erase old backups. Your backup storage size is bound to be ever increasing. This is because the only way to create a new complete snapshot (i.e. - a non-incremental backup) is to retransmit the entire backup data. Because the remote side is encrypted, you cannot use it to expand the image remotely. I have not given as much thought as you to the details here, but if I read the man page correctly, duplicity does allow to --remove-older-than. I am not sure how that works though. --y signature.asc Description: This is a digitally signed message part. ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
On Thursday 23 April 2009, Oleg Goldshmidt wrote: Yuval Hager yu...@avramzon.net writes: Well, I was looking for a more streamlined solution. Something that is: 1) automatic 2) offsite (e.g. online) 3) bandwidth and space efficient (due to (2) above) 4) (opt.) encrypted 5) incremental A combination of tar (that can do incremental backups) and scp or similar will do 2, 3, and 5. 1 can be handled by cron. 4 probably has to be delegated to openssl like was suggested, encrypting with a public key, etc. It should be possible with a simple script. I used to have one that did everything but encryption, I don't know if I can dig it out (of backups)... ;-) This is so common, that although possible, I don't believe writing your own is the most cost-effective way for a backup system. Of course, YMMV. --y signature.asc Description: This is a digitally signed message part. ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
As someone who tried to convince his boss to use Shachar's product, I can tell you that there are companies (in israel!) who sell a competing product, which is closed source, but: * works with a nice Java Based web interface, * it has a CLI version (works on 64 bit as well) * it's incremental backup * their service sends you email when you finish the backup * the email tells you what amont of data (in MB) has been sent * if you miss a backup a few days, you get a call from them is everthing ok? - don't trust automated setups! * they store up to a week of information as history * the traffic is encrypted using blowfish * if your initial backup is huge they can send someone to your office which comes with a USB disk and copies it manually the first time. Besides it being closed source, written in java and (*) it's a damn good service. I can recommend off list if you want. Still, if I had the choise, I would use Shachar's service, not only because of (*). I prefear my money to go to someone from the community. Shame it's not my money, right Shachar? ;-) (*) has far as I can tell, the encryption key is the password used for the service. I also know that a support guy can see the encrypted password of each customer. I hope I am drunk+stupid+lazy+mistaking, since if I am right, this is completelly fucked up. On Thursday 23 April 2009 16:00:27 Shachar Shemesh wrote: Yuval Hager wrote: Well, I was looking for a more streamlined solution. Something that is: 1) automatic 2) offsite (e.g. online) 3) bandwidth and space efficient (due to (2) above) 4) (opt.) encrypted 5) incremental http://rsyncrypto.lingnu.com + rsync Provides 1-5. Shachar ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
2009/4/23 Dotan Cohen dotanco...@gmail.com: Actually, I am aware of that problem. I had considered writing a shell script to automatically add the date and ask for the password, but decided that will be my opportunity to learn python instead. So until I have a spare day to get into Python I'm doing it this way. It is a single user system, which is not an excuse, but it mitigates risks. Asking for password in one shell line: read -r -s -p SubVersion password for user \$USERNAME\: DEPLOY_PWD No biggy :) --Amos ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: Backup encryption key
Asking for password in one shell line: read -r -s -p SubVersion password for user \$USERNAME\: DEPLOY_PWD No biggy :) I know that it is not difficult, but it remains my motivation for treating myself to learn Python. One of these days. -- Dotan Cohen http://what-is-what.com http://gibberish.co.il ___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il