Rich Freeman via plug on 18 May 2023 00:52:11 -0700


Re: [PLUG] Physically Secure Backup Disk


On Thu, May 18, 2023 at 3:16 AM Steve Litt via plug
<plug@lists.phillylinux.org> wrote:
>
> However, your cloud backup should be reliably encrypted, while still
> being able to upload only changed files. The only way I know to meet
> that challenge is to have a LUKS partition on the remote side, then
> every day open the LUKS partition, rsync new files to that opened
> partition, do a cp -al to make the incremental create a full backup,
> then close the LUKS partition.
>

Most backup software is designed to do exactly this.  I use duplicity
to back up my data onto Amazon S3 Glacier Deep Archive.  It doesn't
require running any software on the remote end.

It stores metadata and data in separate files and everything is
encrypted with GPG.  The metadata is locally cached so that a typical
incremental backup requires no reads from the cloud service other than
a directory listing to ensure the local cache is in sync.  However, if
the local cache is bad for whatever reason it will just retrieve the
metadata.  I keep the S3 metadata in the standard storage class just
in case this is needed, since there isn't much of it anyway.  The
filenames are designed so that you can use rules on the S3 side to
define the appropriate storage classes.  The local cache is not
encrypted, so you don't need to store the decryption key on the host
being backed up (though obviously you'll need to provide it if you
need to restore the local cache from the cloud).

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
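
An added example, not part of the original message and not the poster's own configuration: one way to express "rules on the S3 side" as an S3 lifecycle configuration that sends only duplicity's data volumes to Deep Archive and leaves manifests and signatures in the standard class. It assumes the three file kinds were given distinct prefixes with duplicity's --file-prefix-archive, --file-prefix-manifest and --file-prefix-signature options; the prefix values and function names are illustrative.

```python
import json

# Assumed prefixes (not from the post), as they would be passed to duplicity's
# --file-prefix-archive / --file-prefix-manifest / --file-prefix-signature.
PREFIXES = {"archive": "data-", "manifest": "meta-", "signature": "sig-"}
# Only bulk data volumes go cold; metadata stays in STANDARD so that a lost
# local cache can be rebuilt without a Deep Archive restore request.
COLD_KINDS = {"archive": "DEEP_ARCHIVE"}


def prefix_conflicts(prefixes=PREFIXES):
    """Return pairs of kinds whose prefixes overlap (one starts with the other).

    S3 lifecycle filters match on key prefix, so an overlapping or empty
    prefix would let the cold-storage rule catch metadata files as well.
    """
    items = sorted(prefixes.items())
    return [(ka, kb) for i, (ka, a) in enumerate(items)
            for kb, b in items[i + 1:]
            if a.startswith(b) or b.startswith(a)]


def lifecycle_config(prefixes=PREFIXES, cold=COLD_KINDS):
    """Build the lifecycle document: one transition rule per cold file kind."""
    return {"Rules": [{
        "ID": f"duplicity-{kind}-to-{storage_class.lower()}",
        "Filter": {"Prefix": prefixes[kind]},
        "Status": "Enabled",
        "Transitions": [{"Days": 0, "StorageClass": storage_class}],
    } for kind, storage_class in sorted(cold.items())]}


def storage_class_for(key, config):
    """Class an object key ends up in under config (STANDARD if no rule matches)."""
    for rule in config["Rules"]:
        if rule["Status"] == "Enabled" and key.startswith(rule["Filter"]["Prefix"]):
            return rule["Transitions"][0]["StorageClass"]
    return "STANDARD"


if __name__ == "__main__":
    assert not prefix_conflicts(), "prefixes overlap; rules would misfile metadata"
    config = lifecycle_config()
    print(json.dumps(config, indent=2))
    # Constructed sample keys in duplicity's naming scheme.
    for key in ("data-duplicity-full.20230518T040000Z.vol1.difftar.gpg",
                "meta-duplicity-full.20230518T040000Z.manifest.gpg",
                "sig-duplicity-full-signatures.20230518T040000Z.sigtar.gpg"):
        print(f"{storage_class_for(key, config):13} {key}")
```

Without type-specific prefixes, a rule on "duplicity-full." would match manifests as well as data volumes, since both share that leading string; the conflict check exists to catch the same mistake in a custom prefix set.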