Re: Secure backup on remote untrusted server over slow line?

From: Natman (natmanz@home.com)
Date: 06/12/02

• Next message: Who Knows: "replacing ipchains with iptables"
• Previous message: alex duenisch: "sending snort intrusion alerts to a win client via samba"
• In reply to: Preben Bohn: "Secure backup on remote untrusted server over slow line?"
• Next in thread: frag: "Re: Secure backup on remote untrusted server over slow line?"
• Reply: frag: "Re: Secure backup on remote untrusted server over slow line?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Natman" <natmanz@home.com>
Date: Wed, 12 Jun 2002 18:42:02 GMT

"Preben Bohn" <preben_bohn@yahoo.com> wrote in message
news:3D075B5E.9C77DDBB@yahoo.com...
> Hi all, I hope the subject says it all... :-)
>
> If not, here's my problem, I really hope someone can help me:
>
> I want to backup my linux server (~10GB data) on a remote server over a
> slow line (~200 kbps). I only need a snapshot at say 1 days interval.
> The changes to the server data are relatively small so an incremental
> scheme is the way to go (and with 10GB over 200 kbps it is the only way
> :)).
>
> The problem is that the remote server is "public" available, so I need
> to encrypt the data somehow. Does anyone have any good ideas to how I
> can accomplish this?
>
>
> My own ideas:
> 1) Make a secure filesystem on my own server and rsync the filesystem
> file to the remote server. The problem with this approach is that
> according to http://rsync.samba.org/fom-serve/cache/60.html rsync
> requires at least 3*(the filesize)? free space on the remote server to
> do this, and I havn't got that much... Also it seems like a waste of
> processing power to encrypt the entire filesystem, when I only need to
> encrypt what I send to (and store on) the remote server... This leads me
> to option 2:
>
> 2) Make a program myself that reads /dev/hdXX in blocks, encrypt the
> block, compare a checksum of this block to the corresponding checksum on
> the remote server's block, and transfer the local block if they are
> different. I'll probably face some problems with the disk changing while
> reading, and such...?
>
> Any ideas would be highly appreciated...
>
> Best regards
>
> Preben

I just read through this and an idea came to mind, so here it goes.

To detect what has changed, you could create a 'database' of MD5sums or
something like that. I use Tripwire, a good IDS which does something
similar to inform me what files have changed (ie, possibly hacked by
someone). When it comes time to backup, just run some script that makes a
list of changes. Encrypt those files to a temporary place, send them to the
remote end (scp?), and don't forget to update the 'database'. If free space
is a problem locally, then just do (encrypt then send) each file one at a
time. It doesn't matter what happens to files while the script is working,
so there's no file locking problem. On the remote end, you would have a
filesystem that looks exactly like yours, except each file would be
encrypted seperatly.

I believe most of this could be done with a simple script (like bash?). The
'database' could be just a plain text file of names with MD5sums -- although
it would be fairly large. Tripwire manages to make a database that fits on
a floppy, most likely it uses some good compression. The encryption might
be the hardest part, as you need to find a utility that will do whatever you
would like. Oh, and while you're at it, why not compress (gzip) each file
to save space.

Maybe this sounds like a bit of a pain, but I think it does exactly what you
need.

Nathan

---

• Next message: Who Knows: "replacing ipchains with iptables"
• Previous message: alex duenisch: "sending snort intrusion alerts to a win client via samba"
• In reply to: Preben Bohn: "Secure backup on remote untrusted server over slow line?"
• Next in thread: frag: "Re: Secure backup on remote untrusted server over slow line?"
• Reply: frag: "Re: Secure backup on remote untrusted server over slow line?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages using sqlite3 to implement a virtual filesystem ... It uses TclVFS to implement the filesystem. ... Though the database file cannot be appended to the executable file (to ... allow single file distribuition) it doesn't make it a bad alternative. ... One of the options it brings is the possibility to encrypt the ... (comp.lang.tcl) Re: Secure backup on remote untrusted server over slow line? ... > The problem is that the remote server is "public" available, ... > to encrypt the data somehow. ... > 1) Make a secure filesystem on my own server and rsync the filesystem ... All kind of amusing stuff can happen if your backup races with a ... (comp.os.linux.security) Re: Secure backup on remote untrusted server over slow line? ... > The problem is that the remote server is "public" available, ... > to encrypt the data somehow. ... > 1) Make a secure filesystem on my own server and rsync the filesystem ... All kind of amusing stuff can happen if your backup races with a ... (comp.os.linux.security) Re: EFS question ... > private key etc and then reading the file from a different location. ... When you encrypt files on a file share, ... actually takes place on the remote server. ... (microsoft.public.windowsxp.security_admin) Secure backup on remote untrusted server over slow line? ... The problem is that the remote server is "public" available, ... to encrypt the data somehow. ... Make a secure filesystem on my own server and rsync the filesystem ... compare a checksum of this block to the corresponding checksum on ... (comp.os.linux.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)