think tank forum

philosophy and religion » The Backup Dilemma

10 years ago
bluet
I'd like to back up all my files on all the computers I have access to. I'd like to tunnel the transfers over SSH. I'd like to have automatic backups.

1: I let the clients connect regularly to my backup server. This would require that all the clients have passphraseless SSH private keys that let them log in to the server. If someone gets one of those keys, they can log in to the backup server and delete all my backups.

2: I let the backup server connect regularly to the clients. This would require only the backup server to have a passphraseless SSH private key. But the clients would have to authorize logins with that key. If someone gets my private key from the backup server, they can log in to all my other machines.

3: I don't do backups. I don't have passphraseless SSH keys. Not even having access to my private keys would allow someone to log in to any of my computers.

:(
10 years ago
nny
M̮͈̣̙̰̝̃̿̎̍ͬa͉̭̥͓ț̘ͯ̈́t̬̻͖̰̞͎ͤ̇ ̈̚J̹͎̿̾ȏ̞̫͈y̭̺ͭc̦̹̟̦̭̫͊̿ͩeͥ̌̾̓ͨ
look at rdiff-backup

the clients connect to the sshd of the host using a key... but the key is only allowed to do one thing... activate an rdiff-backup-server instance. Then it does an encrypted rsync of the data.

Good stuff. Open Source. Python I believe.
10 years ago
Carpetsmoker
Martin
I'll second rdiff-backup, used it to back up my server and it worked fairly painlessly.
10 years ago
Carpetsmoker
Martin
Why is this considered "philosophy and religion" btw?
Maybe the next layer on top of http://farm1.static.flickr.com/36/96987427_d3a0582fdc_o.jpg ?
10 years ago
Chiken
Don't Let Your Walls Down
pretty sweet shirt, where can i pick one of those up
10 years ago
bluet
> the clients connect to the sshd of the host using a key... but the key is only allowed to do one thing... activate an rdiff-backup-server instance. Then it does an encrypted rsync of the data.

Sounds good, but can I do this even when I haven't got root on the backup server?
10 years ago
nny
M̮͈̣̙̰̝̃̿̎̍ͬa͉̭̥͓ț̘ͯ̈́t̬̻͖̰̞͎ͤ̇ ̈̚J̹͎̿̾ȏ̞̫͈y̭̺ͭc̦̹̟̦̭̫͊̿ͩeͥ̌̾̓ͨ
I don't see why not.
10 years ago
Carpetsmoker
Martin
> pretty sweet shirt, where can i pick one of those up

They're from ISC, I think you can buy them from their website, not sure ... I got it for free at a talk about bind 10 ;-)
10 years ago
bluet
> I don't see why not.

Don't I have to create a new account for making backups?
10 years ago
nny
M̮͈̣̙̰̝̃̿̎̍ͬa͉̭̥͓ț̘ͯ̈́t̬̻͖̰̞͎ͤ̇ ̈̚J̹͎̿̾ȏ̞̫͈y̭̺ͭc̦̹̟̦̭̫͊̿ͩeͥ̌̾̓ͨ
hrmm not sure... I don't think so... you just need two sets of keys i think
10 years ago
bluet
All the examples I've seen create a new user for backups.
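
Added example, not part of the thread or of rdiff-backup: the "key is only allowed to do one thing" setup is expressed as options on an entry in the backup account's own `~/.ssh/authorized_keys`, and this Python sketch audits such entries for a forced `rdiff-backup --server` command confined to one directory with pty and forwarding disabled. It assumes the classic rdiff-backup command line (`--server`, `--restrict*`) and OpenSSH's `command=` and `restrict` options; the key blobs, host names and path are constructed.

```python
import re

# Key-type prefixes: an entry starting with one of these has no options field.
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")
# One option: name, optionally ="value"; the value may contain \" escapes.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?,?')
# All must be present unless the umbrella "restrict" option is used.
MUST_DISABLE = ("no-pty", "no-port-forwarding",
                "no-agent-forwarding", "no-x11-forwarding")

def parse_options(line):
    """Return {option: value} from the leading options field of one entry."""
    opts, pos = {}, 0
    if line.startswith(KEY_TYPES):
        return opts
    while pos < len(line) and not line[pos].isspace():
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError("malformed options field")
        opts[m.group(1).lower()] = m.group(2)  # option names are case-insensitive
        pos = m.end()
    return opts

def audit(line):
    """Return a list of findings for one entry; an empty list means OK."""
    opts = parse_options(line.strip())
    findings = []
    cmd = opts.get("command")
    if cmd is None:
        findings.append("no forced command: key holder gets a shell")
    elif "rdiff-backup --server" not in cmd:
        findings.append("forced command is not rdiff-backup --server")
    elif "--restrict" not in cmd:
        findings.append("server not confined to a backup directory")
    if "restrict" not in opts:
        missing = [o for o in MUST_DISABLE if o not in opts]
        if missing:
            findings.append("not disabled: " + ", ".join(missing))
    return findings

# Constructed sample entries (placeholder key blobs, hypothetical path).
SAMPLE = [
    'ssh-ed25519 AAAAC3ExampleKeyOnly1 laptop',
    'command="rdiff-backup --server",no-pty ssh-ed25519 AAAAC3ExampleKeyOnly2 desktop',
    'command="rdiff-backup --server --restrict-update-only /home/user/backups/laptop",'
    'restrict ssh-ed25519 AAAAC3ExampleKeyOnly3 laptop',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit(entry) or "OK", "<-", entry[:50])
```

The third entry is the shape to aim for: one key per client, each confined to its own directory.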