Filesystem encryption
Matthew Dillon
dillon at backplane.com
Fri Jan 30 13:01:27 PST 2015
hammer mirror-copy and mirror-stream run ssh under the hood and do all
the hard work for you. See the hammer(8) manual page.
-Matt
On Fri, Jan 30, 2015 at 7:59 AM, Antonio Huete Jiménez <
tuxillo at quantumachine.net> wrote:
> Hi Konrad,
>
> The only way that comes to mind in order to achieve that would be using
> 'hammer mirror-read' piped to some encryption utility like openssl or gnupg
> in order to have on the fly encrypted filesystem PFSes and then transfer
> the files to the backup location.
>
> Something like this:
> (Note that this assumes you have a working gpg setup)
>
> BACKUP:
>
> # hammer mirror-read /var | gzip -c | gpg --symmetric --cipher-algo AES192 --output pfs.var.gz.enc
> Prescan to break up bulk transfer
> Enter passphrase
>
> Passphrase:
> Prescan 1 chunks, total 241 MBytes (253446328)
> Please re-enter this passphrase
> Passphrase:
> Enter passphrase
>
> Passphrase:
> Please re-enter this passphrase
> Passphrase:
> Mirror-read /var succeeded
>
> # chmod 400 pfs.var.gz.enc
> # ls -tlhr pfs.var.gz.enc
> -r-------- 1 root wheel 193M Jan 30 16:46 pfs.var.gz.enc
>
> RESTORE:
>
> # gpg --decrypt pfs.var.gz.enc | gunzip -c | hammer -y mirror-write /pfs/myvar
> gpg: AES192 encrypted data
> gpg: encrypted with 1 passphrase
> PFS slave /pfs/myvar does not exist. Auto create new slave PFS!
> Creating PFS #9 succeeded!
> /pfs/myvar
> sync-beg-tid=0x0000000000000001
> sync-end-tid=0x0000000000000001
> shared-uuid=4eaaa528-512e-11e4-9849-535400b3fa11
> unique-uuid=7729ee0e-a898-11e4-af39-535400b3fa11
> slave
> label=""
> prune-min=00:00:00
> operating as a SLAVE
> snapshots directory defaults to /var/hammer/<pfs>
> Source can update synctid to 0x0000000111c45d60
>
> There is a way also to do incremental backups but it would be more
> complicated. You can have a look at this to grasp the idea:
>
> http://gitweb.dragonflybsd.org/dragonfly.git/tree/HEAD:/tools/tools/hammer-backup
>
> Cheers,
> Antonio Huete
>
>
>
>
> Quoting Konrad Neuwirth <konrad at fimsch.net>:
>
>> Hello everyone,
>>
>> I've read about cryptsetup and device mapper, but this is not quite
>> what I have in mind :-).
>>
>> I am curious whether there is a way to have a HAMMER filesystem encrypted
>> so that I can mirror it to another location, where only the encrypted data
>> is stored. But here, locally, of course, I would be interested in using the
>> filesystem normally. The benefit would be that I can copy back from the
>> encrypted storage and have my filesystem back, yet do not need to trust the
>> backup location.
>>
>> Is there any way to achieve that?
>>
>> Thank you,
>> Konrad
>>
>
>
>