On 5/28/19 9:37 AM, 'Side Realiq' via qubes-users wrote:
----------------------------------------
From: David Hobach <trip...@hackingthe.net>
Sent: Tue May 28 10:11:18 CEST 2019
To: Side Realiq <siderea...@mailfence.com>, <qubes-users@googlegroups.com>
Subject: Re: [qubes-users] How to automate cloud backups of trusted vault files?

On 5/27/19 3:05 PM, David Hobach wrote:

On 5/27/19 12:52 PM, 'Side Realiq' via qubes-users wrote:
How to automate backups of files from a very trusted vault to the
cloud? What are some best practices for that?

My current issue is that the files in the trusted vault do not have
internet connection, so the cloud backup software should not be
running in the vault, and needs to run in a separate "backup" internet
connected qube. But I don't know how I can automate copying the files
from the vault to the backup qube. The qvm-copy command requires
manual choice of the target VM, which is not automated.

This depends on your Qubes RPC policy, which you can manage with the
/etc/qubes-rpc/policy files in dom0. Also see [1].
So you can automate qvm-copy usage, if you want to.

Another option is to entirely attach your data from the source VM to the
backup VM using qvm-block, which should be faster as it doesn't involve
copy operations between VMs. See e.g. [2] for that method.

I'd also recommend to
a) use software you trust for backups.
b) use encrypted containers (e.g. dm-crypt) for backups unless you
completely trust your cloud provider (I certainly don't).

[1] https://www.qubes-os.org/doc/rpc-policy/
[2] https://github.com/3hhh/blib/blob/master/lib/os/qubes4/dom0#L955

I had received another few private questions about this that I'd like to
respond to:

1. "You mentioned "use encrypted containers" when backups are made they
are encrypted correct? How about AppVMs, are they encrypted by default?"

The default backups made by Qubes OS are encrypted and should be the
overall preferred way of doing backups.

Since the OP was asking about only backing up dedicated files rather
than the entire AppVM (what the Qubes OS backup does), he'd have to
implement the encryption part himself.

It might also make sense to put the data meant to be backed up inside a
dedicated VM and then use the default backup mechanism with your cloud
provider. Of course you'd have to mount the cloud provider file system
inside your backup VM first.

Personally, I don't use the default mechanism for speed reasons - my
internet connection is too slow to push 100+ GB over it for every
backup. sparsebak might help here [3], but is not official yet.

[3] https://github.com/tasket/sparsebak

2. "For option 2) the function b_dom0_attachVMDisk attaches "the entire
private disk image (private.img) of the source VM to the target VM". In
my vault there is a folder with the encrypted files, and another with
decrypted files and I don't want to expose the decrypted files to
another VM. Can I attach only a specified folder (with the encrypted
files) to another VM? If yes how?"

You can only attach devices to other VMs with qvm-block. So you'd have
to put your file inside a loop device, which you could then attach to
the backup VM. If "encrypted files" means a dm-crypt container, you can
map the decrypted data from your AppVM to your backup VM (cryptsetup
creates a /dev/mapper/something device after decryption, which you can
then use with qvm-block).

I'll also release some software in a month or so to simplify dm-crypt
usage with Qubes OS.

Alternatively you could separate the files you'd like to backup from
those you don't by using different VMs for them.

Thank you!

2) I created a loop device in the vault VM, attached it to the cloudVM. I can 
see that the files which were in the vaultVM loop device are also accessible 
from the cloudVM. I created a new file in the vaultVM loop device, but the file 
didn't show up in the attached folder in the cloudVM. Why is that and how can I 
make them sync?

If the security of vaultVM matters to you at all, don't do it this way. As I mentioned in my other response, encryption must first be applied.

Since you're not well acquainted with the specifics, I'd suggest dropping the requirement to back up individual folders and instead using a passphrase with Qubes backup to back up the vaultvm to the backupvm, then use whatever file transfer software your cloud provider requires in the backupvm.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
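
Putting the thread's recommendations together (an RPC policy line so the copy needs no manual target choice, a dm-crypt container so only ciphertext ever reaches the backup qube, and the refusal to hand over an open container that Chris's "encryption must first be applied" point demands), here is an added example of the vault-side script and the dom0 policy line. It is my own code, not code from the thread, from David's blib or from Qubes OS. The qube names vault and backup, the container path /home/user/backup.img, the mapping name backupcrypt and the policy file location for Qubes 4.0 are assumptions; check them against your own system. Only the LUKS container file, i.e. ciphertext, leaves the vault, and the script refuses to copy while the container is mapped, which is the guard that keeps the decrypted view out of the backup qube.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes OS.
# Runs inside the vault qube. Assumed names: vault (this qube), backup
# (the internet-connected qube), /home/user/backup.img (LUKS container),
# backupcrypt (its dm-crypt mapping name).
#
# One-time setup inside the vault, as root, to create the container:
#   fallocate -l 2G /home/user/backup.img
#   cryptsetup luksFormat /home/user/backup.img
#   cryptsetup open /home/user/backup.img backupcrypt
#   mkfs.ext4 /dev/mapper/backupcrypt
#   cryptsetup close backupcrypt
# Day to day: cryptsetup open + mount to add files, then umount and
# cryptsetup close before running this script.
#
# One-time setup in dom0 so qvm-copy-to-vm needs no target prompt. The
# policy file is matched top to bottom, so the line must come before
# the default "$anyvm $anyvm ask" entry (Qubes 4.0 path, assumed):
#   sudo sed -i '1i vault backup allow' /etc/qubes-rpc/policy/qubes.Filecopy

CONTAINER=${CONTAINER:-/home/user/backup.img}
MAPPER_NAME=${MAPPER_NAME:-backupcrypt}
MAPPER_DIR=${MAPPER_DIR:-/dev/mapper}   # overridable so the guard can be tested
BACKUP_QUBE=${BACKUP_QUBE:-backup}

# Returns 0 when no dm-crypt mapping named $1 exists under $2, i.e. the
# plaintext view of the container is not open anywhere in this qube.
container_is_closed() {
    [ ! -e "${2:-/dev/mapper}/$1" ]
}

# Copies the ciphertext container to the backup qube. Refuses while the
# container is mapped: the plaintext must never be reachable from the
# backup qube, and a copy of an open container may be inconsistent.
push_container() {
    if ! container_is_closed "$MAPPER_NAME" "$MAPPER_DIR"; then
        echo "refusing: $MAPPER_NAME is still mapped; run 'cryptsetup close $MAPPER_NAME' first" >&2
        return 1
    fi
    [ -f "$CONTAINER" ] || { echo "no container at $CONTAINER" >&2; return 1; }
    # qvm-copy-to-vm is the non-interactive copy tool governed by the
    # qubes.Filecopy policy; the file lands in
    # /home/user/QubesIncoming/vault/ inside the backup qube, from where
    # whatever upload tool your cloud provider requires can pick it up.
    qvm-copy-to-vm "$BACKUP_QUBE" "$CONTAINER"
}

case ${1:-} in
    push)  push_container ;;
    check) container_is_closed "$MAPPER_NAME" "$MAPPER_DIR" && echo closed || echo open ;;
esac
```

Run it as `sh backup-push.sh push` from the vault (cron or a systemd timer inside the vault qube automates it). If you prefer the qvm-block route instead of copying, attach the raw container rather than the /dev/mapper device: in the vault run `sudo losetup --find --show /home/user/backup.img` with the mapping closed, then in dom0 `qvm-block attach backup vault:loopN` with the loop device that losetup printed; the backup qube then sees only ciphertext and can upload the block device image. Do not mount the same block device in both qubes at once: each side has its own independent filesystem instance in memory, which is why a file created in the vault did not appear in the cloudVM's mount and which can corrupt the filesystem.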
