Filesystem enryption

Antonio Huete Jiménez tuxillo at quantumachine.net
Fri Jan 30 07:59:58 PST 2015


Hi Konrad,

The only way that comes to mind in order to achieve that would be  
using 'hammer mirror-read' piped to some encryption utility like  
openssl or gnupg in order to have on the fly encrypted filesystem  
PFSes and then transfer the files to the backup location.

Something like this:
(Note that this assumes you have a working gpg setup)

BACKUP:

# hammer mirror-read /var | gzip -c | gpg --symmetric --cipher-algo  
AES192 --output pfs.var.gz.enc
Prescan to break up bulk transfer
Enter passphrase

Passphrase:
Prescan 1 chunks, total 241 MBytes (253446328)
Please re-enter this passphrase
Passphrase:
Enter passphrase

Passphrase:
Please re-enter this passphrase
Passphrase:
Mirror-read /var succeeded

# chmod 400 pfs.var.gz.enc
# ls -tlhr pfs.var.gz.enc
-r--------  1 root  wheel   193M Jan 30 16:46 pfs.var.gz.enc

RESTORE:

# gpg --decrypt pfs.var.gz.enc | gunzip -c | hammer -y mirror-write /pfs/myvar
gpg: AES192 encrypted data
gpg: encrypted with 1 passphrase
PFS slave /pfs/myvar does not exist. Auto create new slave PFS!
Creating PFS #9 succeeded!
/pfs/myvar
     sync-beg-tid=0x0000000000000001
     sync-end-tid=0x0000000000000001
     shared-uuid=4eaaa528-512e-11e4-9849-535400b3fa11
     unique-uuid=7729ee0e-a898-11e4-af39-535400b3fa11
     slave
     label=""
     prune-min=00:00:00
     operating as a SLAVE
     snapshots directory defaults to /var/hammer/<pfs>
Source can update synctid to 0x0000000111c45d60

There is a way also to do incremental backups but it would be more  
complicated. You can have a look at this to grasp the idea:

http://gitweb.dragonflybsd.org/dragonfly.git/tree/HEAD:/tools/tools/hammer-backup

Cheers,
Antonio Huete



Quoting Konrad Neuwirth <konrad at fimsch.net>:

> Hello everyone,
>
> I've read about cryptsetup and device mapper, but this is is not  
> quite what I have in mind :-).
>
> I am curious whether there is a way to have a HAMMER filesystem  
> encrypted so that I can mirror it to another location, where only  
> the encrypted data is stored. But here, locally, of course, I would  
> be interested in using the filesystem normally. The benefit would be  
> that I can copy back from the encrypted storage and have my  
> filesystem back, yet do not need to trust the backup location.
>
> Is there any way to achieve that?
>
> Thank you,
>  Konrad





More information about the Users mailing list