[arch-devops] Secondary backup ideas

Thore Bödecker me at foxxx0.de
Thu Jan 11 19:47:33 UTC 2018


After giving it a little more thought, I just came up with the
following proposal:

As before, rent a second storage server ("B").

Use a different Filesystem than vostok for the backup-storage
mountpoint.

Use duplicity/duply on the servers for our secondary backup-chain.

Duply/Duplicity allow for asymmetric crypto using gpg and they
support separate keys for signing and encrypting.

Each server could have its own keypair so that it can sign its own
backups.
For encryption we could use the Arch Linux Master keys?!
(The individual servers only need the public key parts, obviously).

Although duplicity/duply are not as "fancy" as borg, we could follow
some kind of "weekly full backup" with "incremental daily backups".

Of course we would need to deny the servers deletion/prune permissions
on "B" but this time we could use some sort of find -mtime +90 algorithm
on "B" for cleanup.

This would be a considerable benefit over borg for the secondary
backup chain as the servers themselves are not able to decrypt their
own backups, hence an attacker couldn't do that either.

As this would be part of a "disaster recovery" backup chain, it should
not be an issue that the backups can only be decrypted by our Master
keys (or a new set of privileged keys that only a very few selected
members will be given access to) because for our day-to-day restore needs
we could continue to use borg.
(And the awesome borg-restore.pl script from Florian)


I think this is a more complete concept and could suit us well.

Feedback welcome! (For my previous "failed" attempts too!)



Cheers,
Thore

-- 

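As an added illustration of the proposal above (example code, not part of the thread or of any Arch infrastructure): a small per-server duplicity wrapper that signs with the server's own key and encrypts only to a master key whose private part the server never holds, plus the find-based cleanup that would run on "B" alone. Key IDs, the target host and the hostname-based path are placeholders.

```shell
#!/bin/sh
# Added example: duplicity wrapper for the proposed secondary chain.
set -eu

# Placeholders: the server's signing keypair and the master encryption key.
# Only the PUBLIC part of ENC_KEY lives on the server, so neither the server
# nor an attacker on it can decrypt what it uploads to B.
SIGN_KEY="${SIGN_KEY:-0xSERVERSIGNKEY}"   # placeholder: this server's signing key
ENC_KEY="${ENC_KEY:-0xMASTERENCKEY}"      # placeholder: master encryption key (public part)
TARGET="${TARGET:-rsync://backup@B.example.org/backups/$(uname -n)}"  # placeholder host

# Back up the directory given as $1: a full backup when the last full is
# older than a week, otherwise an incremental. The server signs with its own
# key and encrypts only to the master key. No cleanup/remove verbs are used
# here; B must deny the servers deletion rights anyway.
# SIGN_PASSPHRASE unlocks the signing key (duplicity reads it from the
# environment); no decryption passphrase is needed on the server.
# DUPLICITY may be overridden (e.g. DUPLICITY=echo) to inspect the command.
run_backup() {
    SIGN_PASSPHRASE="${SIGN_PASSPHRASE:-}" \
    "${DUPLICITY:-duplicity}" \
        --full-if-older-than 1W \
        --encrypt-key "$ENC_KEY" \
        --sign-key "$SIGN_KEY" \
        "$1" "$TARGET"
}

# Cleanup that runs on B (the only place with delete rights), from B's own
# cron, never from the servers: drop backup volumes older than 90 days.
# Because a full is never more than a week older than its increments, a
# whole weekly chain ages out within days of each other.
prune_old() {
    find "$1" -type f -mtime +90 -delete
}
```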