On 11.01.2018 20:47, Thore Bödecker via arch-devops wrote:
Use duplicity/duply on the servers for our secondary backup-chain.
I used to have duplicity for my personal backups and compared to borg is felt awfully slow and we need at least twice the space of a full backup plus the incrementals which might be a problem in the future.
This would be a considerable benefit over borg for the secondary backup chain as the servers themselves are not able to decrypt their own backups, hence an attacker couldn't do that either.
I'm not sure why an attacker would be interested in the backup data when they have access to the source data. Unless they are really interested in history and not current data that seems moot. Future data would be easy to get if they just stay hidden until that data is current. Thinking about the rsnapshot/borg-bug situation some more, it might be nice if we have monthly/bi-weekly tarballs on glacier for 2-3 months so that we can roll back to an old borg version/operating system that worked. Also that would be a totally second chain, similar to what you aimed at with duplicity. The low frequency would also allow us to keep the additional load relatively low. Florian