On 20/02/2019 2.53 PM, Chris Laprise wrote:
> On 2/20/19 2:46 PM, Stuart Perkins wrote:
>> On Wed, 20 Feb 2019 10:38:15 +0000 lik...@gmx.de wrote:
>>> On 2/19/19 6:22 PM, Chris Laprise wrote:
>>>> On 2/19/19 10:41 AM, liked2-mmb7mzph...@public.gmane.org 
>>>> wrote:
>>>>> Hi,
>>>>> 
>>>>> assume there are files stored in a qube without networking.
>>>>> Furthermore assume there's a secured backup server located
>>>>> on the internet. This server is only a storage of
>>>>> client-side (before data is sent over the wire) encrypted
>>>>> files.  What options do you imagine to back up those files
>>>>> (skip the client-side encryption) to the server?
>>>>> 
>>>>> I can imagine the following options:
>>>>> 1. temporarily enable the network with firewall restricted
>>>>>    to the server for the (previously offline) qube
>>>>>    Advantage: no inter-vm copying of files.
>>>>>    Disadvantage: firewall rules must be set up correctly to
>>>>>    avoid to bypass any other traffic like icmp/dns etc. I can
>>>>>    imagine a potential information leakage due to enabling
>>>>>    network access.
>>>>> 2. temporarily copy files to another qube (dvm?) with a
>>>>>    firewalled internet connection
>>>>>    Advantage: files not being backed up can stay secured in
>>>>>    the non-network qube. Leakage of data is reduced in
>>>>>    comparison to 1.
>>>>>    Disadvantage: can take time and needs additional disk
>>>>>    resources
>>>>> 
>>>>> I've learned that you should always find at least 3 
>>>>> options, otherwise you haven't thought hard enough. Which 
>>>>> options am I missing?
>>>>> 
>>>>> Which option would you prefer and why?
>>>> 
>>>> Another disadvantage of #1 is that connecting the net to the 
>>>> source qube exposes it to attack.
>>>> 
>>>> Had you thought about using qvm-backup? Also, I'm working on 
>>>> a fast incremental backup tool that's suitable for Qubes:
>>>> 
>>>> https://github.com/tasket/sparsebak
>>>> 
>>> 
>>> I've checked qvm-backup. It's an appropriate solution if you 
>>> don't care about disk space and bandwidth of the network 
>>> connection. Saving of a subset of files due to remote space
>>> and bandwidth resources will not work well with qvm-backup.
>>> 
>>> Also incremental backup is not really possible with 
>>> qvm-backup.
>>> 

It depends on how much data you have, but for most users, qvm-backup on
a subset of VMs with bzip2 compression is likely to result in a
reasonably small backup file that is suitable for daily or weekly
backups.

IMHO: qvm-backup is an underrated, underutilized tool. It's currently
the most secure way to do backups in Qubes OS (and has been for
years), because it performs authentication and encryption/decryption
in dom0 without having to install any additional programs in dom0.
It's time-tested, reliable, and secure: exactly what I want from a
backup tool. Really the only major thing it's missing is, as you say,
incremental backup functionality.

> [...]
> 
> A good backup solution for security-focused systems should run in 
> the Admin scope, handle disk volumes without getting involved in 
> guest filesystems, and instantly know which parts of each volume 
> have changed without data scans or regard to file sizes. The user 
> should also feel free to consider any volumes for backup without 
> thinking about additional security logistics (which guests can be 
> trusted, etc).
> 

Agreed. qvm-backup ticks all of these boxes except incremental backups.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

