wmoran at potentialtech.com
Mon Jun 15 14:11:56 EDT 2009
In response to Vance Kochenderfer <vkochend at nyx.net>:
> Michael Semcheski <mhsemcheski at gmail.com> wrote:
> > We have a script that ssh's to their computer, mounts an encrypted
> > file system using fuse.
> Now that's a really intriguing idea. I was stuck thinking of GPG-
> encrypted tarballs, which as noted doesn't give you the efficiency
> benefit of rsync. Is there a de-facto leader in encrypted FS? I
> would assume Bill's target machine is FreeBSD, so it would need to
> be cross-platform, right?
Not really, the FUSE mounted filesystem can be an actual file. Since
all the logic is running on the Linux machine, and it's just file
reads/writes, it would work on anything that can do file read/writes
over SSH. Although I've never actually used this technique, so it's
possible there are problems I'm not foreseeing.
> There's one other possible difficulty - since we need to back up
> root-owned files, then either the target will need root access to
> the server, or the server will need root access to the target.
> Unless there's a way to maintain root ownership of files on the
> target machine without needing root access (some sort of jail, or
> a filesystem mount option, maybe)?
Again, since the FUSE mounted filesystem is just a file on my
computer, the script running on the Linux machine _should_ be able
to maintain ownerships without any special setup on my end.
> Bill's question about how much data are sensitive is a good one,
> too. It's actually a pretty small number. If I take an expansive
> view, it probably extends to the membership list, system password
> files, wiki passwords (embedded in the MySQL DB files), mailman
> subscription lists and passwords, and possibly items contained in
> individual users' home directories. The hard part is that I don't
> know how simple it would be to segregate this stuff out.
If we go the FUSE route, it doesn't really matter, since the entire
"partition" will be encrypted. That's a clever way to work around
that problem that I hadn't considered.