Do You Encrypt Offsite Backups?
Hi Guys,
Do you encrypt your offsite backups, especially to public cloud storage?
If YES, what do you use? GPG, OpenSSL, or ZIP password protection?
Have you ever got stuck in a crisis situation where decrypting/extracting was a problem when you needed to restore from it?
Please share your experiences and recommendations.
Thanks
Poll: Do you encrypt your offsite backups? (104 votes)
- YES: 69.23%
- NO: 30.77%
Comments
Borgbackup
mysqldump -> 7zip with AES-256 encryption
No problems so far; do a test restore every x months to keep the procedures and knowledge up to date.
Do not use classic ZIP encryption for that purpose, as the format is known to be easy to crack via known-plaintext attacks. It takes only a few hours on modern CPUs to figure out any possible key. See DOI:10.1007:3-540-60590 for details.
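An added check that goes with the warning above (this is not code from the thread or from 7-Zip): it reads a .zip archive's central directory and reports, per entry, whether the data is unencrypted, protected with legacy ZipCrypto (the scheme the post says not to use), or protected with WinZip-style AES (AE-x: compression method 99 plus extra field 0x9901, which 7-Zip also writes when asked for AES in .zip output). The build_zip() helper is a constructed stand-in that fabricates single-entry archives with the relevant header fields set so the audit can be exercised offline; it does not encrypt anything. This applies to .zip containers only; the .7z format the post uses is a different container with its own headers.

```python
"""Audit which protection each entry of a .zip archive actually uses.

Added example (not code posted in the thread). It walks the central directory
and reports, per entry: unencrypted, legacy ZipCrypto, or WinZip-style AES
(AE-x: method 99 plus extra field 0x9901). build_zip() is a constructed helper
that fabricates single-entry archives with the header fields a real tool would
set, so the audit can be run offline; it does NOT perform any encryption.
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_FMT, CENTRAL_FMT, EOCD_FMT = "<IHHHHHIIIHH", "<IHHHHHHIIIHHHHHII", "<IHHHHIIH"
FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0
METHOD_AES = 99           # compression method value that signals AE-x
AES_EXTRA_ID = 0x9901     # AE-x extra field id
AES_BITS = {1: 128, 2: 192, 3: 256}


def build_zip(name: bytes, data: bytes, encrypted: bool = False, aes: bool = False) -> bytes:
    """Constructed single-entry 'store' archive; sets header flags only, no real crypto."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    flags = FLAG_ENCRYPTED if (encrypted or aes) else 0
    method = METHOD_AES if aes else 0
    extra = b""
    if aes:
        # AE-2 record: vendor version 2, vendor id "AE", strength 3 (AES-256), real method 0
        body = struct.pack("<H", 2) + b"AE" + struct.pack("<BH", 3, 0)
        extra = struct.pack("<HH", AES_EXTRA_ID, len(body)) + body
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, method, 0, 0,
                        crc, len(data), len(data), len(name), len(extra)) + name + extra + data
    central = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, flags, method, 0, 0,
                          crc, len(data), len(data), len(name), len(extra),
                          0, 0, 0, 0, 0) + name + extra
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def _aes_extra(extra: bytes):
    """Return (vendor_version, key_bits) if an AE-x extra field is present, else None."""
    pos = 0
    while pos + 4 <= len(extra):
        fid, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if fid == AES_EXTRA_ID and len(body) == 7:
            return struct.unpack_from("<H", body)[0], AES_BITS.get(body[4], 0)
        pos += 4 + size
    return None


def classify(flags: int, method: int, extra: bytes) -> str:
    """Map one entry's header fields to a human-readable protection level."""
    if not flags & FLAG_ENCRYPTED:
        return "unencrypted"
    aes = _aes_extra(extra)
    if method == METHOD_AES and aes:
        return f"AES-{aes[1]} (AE-{aes[0]})"
    # Encrypted bit set but no AE-x record: the traditional PKWARE stream cipher
    return "ZipCrypto (weak: known-plaintext attack)"


def audit_zip(blob: bytes) -> list:
    """Return [{'name': ..., 'protection': ...}, ...] for every central-directory entry."""
    eocd_at = blob.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = struct.unpack_from(EOCD_FMT, blob, eocd_at)
    out, pos = [], cd_off
    for _ in range(total):
        f = struct.unpack_from(CENTRAL_FMT, blob, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        flags, method, name_len, extra_len, comment_len = f[3], f[4], f[10], f[11], f[12]
        name = blob[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = blob[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        out.append({"name": name, "protection": classify(flags, method, extra)})
        pos += 46 + name_len + extra_len + comment_len
    return out


def weakest(blob: bytes) -> str:
    """Worst protection level across the whole archive: 'unencrypted', 'ZipCrypto' or 'AES'."""
    order = ["unencrypted", "ZipCrypto", "AES"]
    levels = [p["protection"].split(" ")[0].split("-")[0] for p in audit_zip(blob)]
    return min(levels, key=order.index)


def roundtrip_ok(blob: bytes, name: str, data: bytes) -> bool:
    """Sanity check: the stdlib reader must accept an unencrypted constructed archive."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name) == data


if __name__ == "__main__":
    sample = build_zip(b"dump.sql", b"-- constructed sample\nCREATE TABLE t (id INT);\n", aes=True)
    for entry in audit_zip(sample):
        print(f"{entry['name']}: {entry['protection']}")
```

Run audit_zip() over the archive your backup job actually produced rather than trusting the tool's flag name; a ZipCrypto result means the archive should be treated as effectively unencrypted.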
Can you borgbackup to cloud storage?
Of bloody course!
No, never. Of bloody course all passphrases and keys I use are backed up in multiple locations and on multiple devices.
Can anybody suggest a borgbackup alternative that will run on Windows? I know there is a borgbackup beta, but I'm not sure I would trust that.
duplicacy, encrypted.
Borgbackup, encrypted. It's quite easy to make your backups encrypted; no reason not to.
Yes, well, indirectly. The storage filesystems are on encrypted block devices (Linux, dm-crypt) and all transfers are over secure transports (rsync through SSH). When the backup servers need to reboot I have to log in to hand over the keys to remount the encrypted block devices, as I don't want to store the keys on the same machine to allow automatic mount (there are other solutions to this, but the inconvenience is so small as to not make it worth implementing something else).
Keys and passphrases have their own backup regime, including being printed out on "indestructible paper" as base-64 and in QR codes, and stored in safe places.
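An added illustration of the paper key backup described above (this is not the poster's procedure or code): a key is printed as base64, as the post says, with a short SHA-256 tag appended so that a key typed back in from paper is rejected on a transcription error instead of silently failing to decrypt the backup. The 4-byte tag length and the grouping into 4-character blocks are assumptions of this example; the key bytes used in the usage section are constructed.

```python
"""Paper backup of a key or passphrase: base64 plus a transcription checksum.

Added example, not the poster's own procedure. A 4-byte SHA-256 tag is
appended before base64 encoding so a key re-typed from paper can be checked
before it is used. All values below are constructed.
"""
import base64
import hashlib

TAG_LEN = 4  # bytes of SHA-256 appended; a typo slips through with chance 2^-32
GROUP = 4    # characters per printed group, to make reading and typing easier


def to_paper(key: bytes) -> str:
    """Encode key + checksum as base64, split into GROUP-character blocks."""
    tag = hashlib.sha256(key).digest()[:TAG_LEN]
    text = base64.b64encode(key + tag).decode("ascii")
    return " ".join(text[i:i + GROUP] for i in range(0, len(text), GROUP))


def from_paper(text: str) -> bytes:
    """Inverse of to_paper(); whitespace and line breaks are ignored.

    Raises ValueError when the text is not base64 or the checksum does not
    match, so a transcription error is caught before any decryption attempt.
    """
    try:
        raw = base64.b64decode("".join(text.split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) <= TAG_LEN:
        raise ValueError("too short to contain a key and checksum")
    key, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if hashlib.sha256(key).digest()[:TAG_LEN] != tag:
        raise ValueError("checksum mismatch: re-check the transcription")
    return key


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed 256-bit key, NOT a real secret
    printed = to_paper(sample_key)
    print("print this:", printed)
    print("round trip ok:", from_paper(printed) == sample_key)
```

The check only detects errors; it does not protect the key, so the printout still needs the physical safekeeping the post describes.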
I can recommend restic, which I've been using for some years now.
https://restic.net
I second that. Tried it just out of curiosity a few years ago, now I deploy restic by default on every new server. It just works.
I'm mainly using rClone to sync backup tar.gz files to cloud storage... does Restic have cloud sync support? It lists Google Cloud Storage but I'm not sure if it supports GDrive, Dropbox, pCloud etc., which are more 'personal' type rather than enterprise-level cloud storage.
Rclone crypt
Simple openssl of my projects directory, sent to the cloud. It is the best of both worlds imo: security you did yourself while uploading to a public host. Love the simplicity of core (Linux) utils in these situations; none of this borg crap, fewer points of failure.
Usually, OpenSSL is fast and secure.
Also, just to answer a more general question: it is always important to have offsite backups encrypted. That is especially true depending on where you're planning to keep them, but regardless, you should always have them encrypted.
That is the best way to make sure that data doesn't make its way into some bad guy's hands.
I'm trying to achieve the same... however what I'm particularly looking for is an 'uncomplicated' solution where in case of a failure, a 'non-admin' lay person can download and decrypt those backups on Windows Machine, which is what the boss uses.
That would require rClone to download and 'decrypt' the backup sets when needed.
I know about that and about Borg and all the Linux utils. I'm actually "now" trying to achieve an app-independent way to decrypt the backups on a lay person's machine if needed.
So something like a RAR/7ZIP file encrypted on a Linux server which is uploaded to Dropbox/GDrive and, if needed, can be downloaded on a Windows/Mac machine and fed a password/hash key for decryption and deflation.
Some interesting suggestions.
Thanks
Your boss still needs WinRAR/7-Zip to enter the password & open the file though..
If you set up an rclone mount on a crypt drive, then all you need is copy and paste or upload & download.
YES... I'm trying to set up a system where 'retrieval of a backup set' is not complicated for a layman, on Windows specifically, without the need to install CLI utils and stuff.
You still 'need' rclone to retrieve and decrypt the backup set... which is contrary to what I'm trying to achieve, as mentioned above.
I think using p7zip with password encryption should be OK? But I read that decrypting it with 7-Zip on Windows can be a problem sometimes. Not really sure.
Needs a server-side client, which takes some load off the source server (where I least want it).
Price-wise, my https://borgbase.com service is the same as or less than B2 and Wasabi object storage for larger plans, so not a big concern.
Ideally, encrypted at rest, encrypted in transit.
Also, have your data backed up in two different 'formats' (borg repo + a tarball, maybe).
Yep,
7z -p
I think encryption of backups is a must at the current time. But as a rule, it all depends on the nature of the information.
If you use a cheap gdrive account then it's a must.
Gosh, the no's on this survey are a worry.
We do not encrypt our disaster recovery backups since the servers are physically disconnected from external block storage once the backup is completed. We have write-only permissions, without read or delete permissions, applied to the backup user. This way no one can touch the data once it's backed up.