Filesystem encryption
Antonio Huete Jiménez
tuxillo at quantumachine.net
Fri Jan 30 07:59:58 PST 2015
Hi Konrad,
The only way that comes to mind in order to achieve that would be
using 'hammer mirror-read' piped to some encryption utility like
openssl or gnupg in order to have on the fly encrypted filesystem
PFSes and then transfer the files to the backup location.
Something like this:
(Note that this assumes you have a working gpg setup)
BACKUP:
# hammer mirror-read /var | gzip -c | gpg --symmetric --cipher-algo AES192 --output pfs.var.gz.enc
Prescan to break up bulk transfer
Enter passphrase
Passphrase:
Prescan 1 chunks, total 241 MBytes (253446328)
Please re-enter this passphrase
Passphrase:
Enter passphrase
Passphrase:
Please re-enter this passphrase
Passphrase:
Mirror-read /var succeeded
# chmod 400 pfs.var.gz.enc
# ls -tlhr pfs.var.gz.enc
-r-------- 1 root wheel 193M Jan 30 16:46 pfs.var.gz.enc
RESTORE:
# gpg --decrypt pfs.var.gz.enc | gunzip -c | hammer -y mirror-write /pfs/myvar
gpg: AES192 encrypted data
gpg: encrypted with 1 passphrase
PFS slave /pfs/myvar does not exist. Auto create new slave PFS!
Creating PFS #9 succeeded!
/pfs/myvar
sync-beg-tid=0x0000000000000001
sync-end-tid=0x0000000000000001
shared-uuid=4eaaa528-512e-11e4-9849-535400b3fa11
unique-uuid=7729ee0e-a898-11e4-af39-535400b3fa11
slave
label=""
prune-min=00:00:00
operating as a SLAVE
snapshots directory defaults to /var/hammer/<pfs>
Source can update synctid to 0x0000000111c45d60
There is a way also to do incremental backups but it would be more
complicated. You can have a look at this to grasp the idea:
http://gitweb.dragonflybsd.org/dragonfly.git/tree/HEAD:/tools/tools/hammer-backup
Cheers,
Antonio Huete
Quoting Konrad Neuwirth <konrad at fimsch.net>:
> Hello everyone,
>
> I've read about cryptsetup and device mapper, but this is is not
> quite what I have in mind :-).
>
> I am curious whether there is a way to have a HAMMER filesystem
> encrypted so that I can mirror it to another location, where only
> the encrypted data is stored. But here, locally, of course, I would
> be interested in using the filesystem normally. The benefit would be
> that I can copy back from the encrypted storage and have my
> filesystem back, yet do not need to trust the backup location.
>
> Is there any way to achieve that?
>
> Thank you,
> Konrad
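An added example, not part of Antonio's post: the backup pipeline from the reply wrapped in a POSIX sh function that notices a failure in any stage, not just gpg's exit status. The hammer, gzip and gpg invocations are the ones from the thread; the READ_CMD/COMPRESS_CMD/ENCRYPT_CMD override variables and the backup_pfs name are this example's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. The thread's pipeline is
#   hammer mirror-read /var | gzip -c | gpg --symmetric ... --output file
# A shell reports only the LAST command's status for a pipeline, so a failing
# mirror-read (e.g. a mistyped PFS path) is masked by gpg cheerfully
# encrypting an empty stream into a file that looks like a valid backup.
# Stage commands are overridable so the logic can run without hammer or gpg.
set -u

READ_CMD=${READ_CMD:-"hammer mirror-read"}
COMPRESS_CMD=${COMPRESS_CMD:-"gzip -c"}
# gpg writes to stdout when no --output is given; for unattended runs add
# --batch --passphrase-file <file> (gpg 2.1+ also needs --pinentry-mode loopback).
ENCRYPT_CMD=${ENCRYPT_CMD:-"gpg --symmetric --cipher-algo AES192"}

# backup_pfs PFS_PATH OUTFILE  -> 0 on success, 1 if any stage failed
backup_pfs() {
    pfs=$1
    out=$2
    status_dir=$(mktemp -d) || return 1
    umask 077   # output is created owner-only; no window before a later chmod 400

    # "cmd || echo $? >file" inside braces keeps the pipe intact but leaves a
    # marker file whenever that stage exits non-zero.
    { $READ_CMD "$pfs" || echo $? >"$status_dir/read"; } |
      { $COMPRESS_CMD || echo $? >"$status_dir/compress"; } |
      $ENCRYPT_CMD >"$out.tmp"
    enc_status=$?

    failed=0
    for stage in read compress; do
        if [ -f "$status_dir/$stage" ]; then
            echo "backup_pfs: $stage stage failed (exit $(cat "$status_dir/$stage"))" >&2
            failed=1
        fi
    done
    if [ "$enc_status" -ne 0 ]; then
        echo "backup_pfs: encrypt stage failed (exit $enc_status)" >&2
        failed=1
    fi
    rm -rf "$status_dir"

    if [ "$failed" -ne 0 ]; then
        rm -f "$out.tmp"   # never leave a partial or empty ciphertext behind
        return 1
    fi
    mv "$out.tmp" "$out"
}
```

Run as root on the HAMMER host, e.g. `backup_pfs /var pfs.var.gz.enc`; the restore direction from the thread (`gpg --decrypt | gunzip -c | hammer -y mirror-write`) has the same masking problem and benefits from the same per-stage markers.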