On 5/27/19 9:05 AM, David Hobach wrote:


On 5/27/19 12:52 PM, 'Side Realiq' via qubes-users wrote:
How to automate backups of files from a very trusted vault to the cloud? What are some best practices for that?

My current issue is that the files in the trusted vault do not have internet connection, so the cloud backup software should not be running in the vault, and needs to run in a separate "backup" internet connected qube. But I don't know how I can automate copying the files from the vault to the backup qube. The qvm-copy command requires manual choice of the target VM, which is not automated.

This depends on your Qubes RPC policy, which you can manage with the /etc/qubes-rpc/policy files in dom0. Also see [1].
So you can automate qvm-copy usage, if you want to.

Another option is to entirely attach your data from the source VM to the backup VM using qvm-block, which should be faster as it doesn't involve copy operations between VMs. See e.g. [2] for that method.

I'd also recommend to
a) use software you trust for backups.
b) use encrypted containers (e.g. dm-crypt) for backups unless you completely trust your cloud provider (I certainly don't).

[1] https://www.qubes-os.org/doc/rpc-policy/
[2] https://github.com/3hhh/blib/blob/master/lib/os/qubes4/dom0#L955


You can also orchestrate the backups from dom0 using 'qvm-run'. This gets rid of any need to set rpc policies or other sidestepping of interactive prompts. For example:

qvm-run -u root -p vault 'cryptsetup luksOpen /home/user/backup.img backup --key-file key.dat && mount /dev/mapper/backup /mnt/backup'

qvm-run -u root -p vault 'cp -au /home/user/Documents /mnt/backup && umount /mnt/backup && cryptsetup luksClose backup'

qvm-run -u root -p vault 'cat /home/user/backup.img' | qvm-run -p cloudvm 'ssh u...@dest.com "cat >backup.img"'

The above opens a LUKS encrypted container (disk image file), updates the files within it using 'cp -au', then unmounts and closes the container. Finally, it pipes the container img file through ssh to the destination system.

Initial setup of the container looks like (in vault vm):

truncate -s 50M backup.img # Size is 50 megabytes
cryptsetup luksFormat backup.img
sudo cryptsetup luksOpen backup.img backup # device-mapper setup needs root
sudo mkfs.ext4 /dev/mapper/backup # the mapped device is root-owned
sudo cryptsetup luksClose backup
sudo mkdir /mnt/backup

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
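
The three qvm-run steps above chain `cp`, `umount` and `luksClose` with `&&`, so a failed copy leaves the container open and the upload step would still run. The dom0 wrapper below is an added example, not part of the original message or its author's code. It always closes the container and uploads only after a clean update. The qube names, the `REMOTE` placeholder, the absolute key-file path and the `QVM_RUN` override are assumptions; run it in dom0 with `--run`.

```shell
#!/bin/bash
# Added example (not from the thread): dom0 wrapper around the three qvm-run steps.
QVM_RUN=${QVM_RUN:-qvm-run}            # overridable so the logic can be dry-run
SRC=${SRC:-vault}                      # offline source qube
NET=${NET:-cloudvm}                    # networked qube holding the ssh credentials
REMOTE=${REMOTE:-user@backup.example}  # placeholder destination, not a real host
IMG=/home/user/backup.img
KEY=/home/user/key.dat                 # assumption: absolute path to the key file

in_vault() { "$QVM_RUN" -u root -p "$SRC" "$1"; }

update_container() {
    in_vault "cryptsetup luksOpen $IMG backup --key-file $KEY" || return 1
    status=0
    in_vault "mount /dev/mapper/backup /mnt/backup && cp -au /home/user/Documents /mnt/backup" || status=1
    # Cleanup runs even when mount or cp failed, so the container is never left open.
    in_vault "umount /mnt/backup; cryptsetup luksClose backup" || status=1
    return $status
}

upload_container() {
    # Where the shell supports it, pipefail makes a failed read in the vault fail the upload.
    (set -o pipefail) 2>/dev/null && set -o pipefail
    in_vault "cat $IMG" | "$QVM_RUN" -p "$NET" "ssh $REMOTE 'cat >backup.img'"
}

run_backup() {
    # Only a cleanly updated and closed container is sent through dom0 to the cloud qube.
    update_container || { echo "update failed, nothing uploaded" >&2; return 1; }
    upload_container || { echo "upload failed" >&2; return 2; }
}

if [ "${1:-}" = "--run" ]; then run_backup; fi
```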
