Re: [qubes-users] backup of files in a qube without networking to an internet service
On Tue, Feb 19, 2019 at 03:41:23PM +, lik...@gmx.de wrote:
> Hi,
>
> assume there are files stored in a qube without networking. Furthermore
> assume there's a secured backup server located in the internet. This server
> is only a storage of client-side (before data is sent over the wire)
> encrypted files. What options do you imagine to back up those files (skip the
> client-side encryption) to the server?
>
> I can imagine the following options:
> 1. temporarily enable the network with firewall restricted to the server for
> the (previously offline) qube
> Advantage: no inter-vm copying of files.
> Disadvantage: firewall rules must be set up correctly to avoid to bypass
> any other traffic like icmp/dns etc. I can imagine a potential information
> leakage due to enabling network access.
> 2. copy files temporarily to another qube (dvm?) with a firewalled internet
> connection
> Advantage: files not being backed up can stay secured in the non-network
> qube. Leakage of data is reduced in comparison to 1.
> Disadvantage: can take time and needs additional disk resources
>
> I've learned that you should always find at least 3 options, otherwise you
> haven't thought hard enough. Which options am I missing?
>
> Which option would you prefer and why?
>
> Best, Pete

3. Create encrypted (compressed) backup in offline qube.
qvm-copy backup to online disposableVM.
Copy encrypted file to backup server.
Advantage: All files secured in non-network qube.
Disadvantage: ???

Is inter-vm copying of files really an issue?
Free space such an issue? Using compressed backups should help mitigate this as a serious issue, but that problem would extend to *all* your Qubes use.

unman

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190220004623.q5vg6vwzhg3r5fv6%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
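
Option 3 from the reply above, sketched as a script for the offline qube. This is an added example, not part of the original thread: it assumes gpg 2.x and sha256sum are installed in the offline qube, and the function names and the passphrase file are hypothetical.

```shell
#!/bin/sh
# Added example: encrypt inside the offline qube, verify, then hand only
# ciphertext to the networked disposable qube.
# Assumptions (not from the thread): gpg 2.x, sha256sum, and a passphrase
# file that never leaves the offline qube.

# make_encrypted_backup SRC_DIR OUT_FILE PASSFILE
# Compress and symmetrically encrypt SRC_DIR before anything leaves the qube.
make_encrypted_backup() {
    src=$1 out=$2 passfile=$3
    [ -d "$src" ] && [ -r "$passfile" ] || return 2
    umask 077
    tar -C "$src" -czf - . |
        gpg --batch --yes --pinentry-mode loopback \
            --passphrase-file "$passfile" \
            --symmetric --cipher-algo AES256 -o "$out" || return 1
    # Checksum of the ciphertext, to compare against what the server stores.
    sha256sum "$out" > "$out.sha256"
}

# verify_backup OUT_FILE PASSFILE
# Decrypt to a pipe and list the archive: shows the file can be restored
# without writing plaintext to disk. Fails on a wrong passphrase.
verify_backup() {
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$2" --decrypt "$1" | tar -tzf - > /dev/null
}

# send_to_online_qube OUT_FILE
# qvm-copy asks (via a dom0 prompt) which qube receives the files; choose the
# networked disposable. Only ciphertext and its checksum cross the boundary.
send_to_online_qube() {
    command -v qvm-copy > /dev/null 2>&1 || return 3   # not inside Qubes
    qvm-copy "$1" "$1.sha256"
}

# Usage: sh backup.sh SRC_DIR OUT_FILE PASSFILE
if [ "$#" -eq 3 ]; then
    make_encrypted_backup "$1" "$2" "$3" &&
        verify_backup "$2" "$3" &&
        send_to_online_qube "$2"
fi
```

In the disposable qube the files arrive under `~/QubesIncoming/<source-qube>/`; after uploading, running `sha256sum` on the server copy and comparing it with the `.sha256` file confirms the transfer.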
Re: [qubes-users] backup of files in a qube without networking to an internet service
On 2/19/19 10:41 AM, lik...@gmx.de wrote:
> Hi,
>
> assume there are files stored in a qube without networking. Furthermore
> assume there's a secured backup server located in the internet. This server
> is only a storage of client-side (before data is sent over the wire)
> encrypted files. What options do you imagine to back up those files (skip the
> client-side encryption) to the server?
>
> I can imagine the following options:
> 1. temporarily enable the network with firewall restricted to the server for
> the (previously offline) qube
> Advantage: no inter-vm copying of files.
> Disadvantage: firewall rules must be set up correctly to avoid to bypass
> any other traffic like icmp/dns etc. I can imagine a potential information
> leakage due to enabling network access.
> 2. copy files temporarily to another qube (dvm?) with a firewalled internet
> connection
> Advantage: files not being backed up can stay secured in the non-network
> qube. Leakage of data is reduced in comparison to 1.
> Disadvantage: can take time and needs additional disk resources
>
> I've learned that you should always find at least 3 options, otherwise you
> haven't thought hard enough. Which options am I missing?
>
> Which option would you prefer and why?

Another disadvantage of #1 is that connecting the net to the source qube exposes it to attack.

Had you thought about using qvm-backup?

Also, I'm working on a fast incremental backup tool that's suitable for Qubes:
https://github.com/tasket/sparsebak

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
[qubes-users] backup of files in a qube without networking to an internet service
Hi,

assume there are files stored in a qube without networking. Furthermore assume there's a secured backup server located in the internet. This server is only a storage of client-side (before data is sent over the wire) encrypted files. What options do you imagine to back up those files (skip the client-side encryption) to the server?

I can imagine the following options:
1. temporarily enable the network with firewall restricted to the server for the (previously offline) qube
Advantage: no inter-vm copying of files.
Disadvantage: firewall rules must be set up correctly to avoid to bypass any other traffic like icmp/dns etc. I can imagine a potential information leakage due to enabling network access.
2. copy files temporarily to another qube (dvm?) with a firewalled internet connection
Advantage: files not being backed up can stay secured in the non-network qube. Leakage of data is reduced in comparison to 1.
Disadvantage: can take time and needs additional disk resources

I've learned that you should always find at least 3 options, otherwise you haven't thought hard enough. Which options am I missing?

Which option would you prefer and why?

Best, Pete