[wplug-internet] Backups

Vance Kochenderfer vkochend at nyx.net
Fri Jun 19 23:27:26 EDT 2009


I have been thinking over what's been proposed.  Not having dealt
with encrypted filesystems before, this is the setup as I've
pictured it.  Please correct me if this is wrong anywhere.

Assume that Bill's machine is bill.example.com.  A user named
"wplug" has been created on this box, and a ~5GB file created as
/home/wplug/linode.img.  A public login key has also been dropped
into /home/wplug/.ssh/authorized_keys.

1. From the Linode server, we establish a connection to Bill's
machine via sshfs:
  wplug@bill.example.com: <--sshfs--> /mnt/wmoran

2. Then associate the file on Bill's machine with a loop device:
  /mnt/wmoran/linode.img <--losetup--> /dev/loop0

3. Set up the dm-crypt encrypted device:
  /dev/loop0 <--cryptsetup--> wmoranfs

4. The encrypted device can then be mounted as a plain old
filesystem (will need to format it first):
  /dev/mapper/wmoranfs <--mount -t ext2--> /mnt/backup1

5. Then we can perform the actual backup via rsync:
  /mnt/backup1 <--rsync--> /var/lib/mailman, /var/lib/mysql, ...

I was afraid that step #1 would be a problem until I learned that
the SFTP protocol used by sshfs is capable of random file access.
Assuming that OpenSSH supports that on both ends, this should
mean that only changes to the linode.img file will be transferred
over the network, instead of the whole 5GB.

For step #3, we will need to keep the encryption key on the Linode
server.  Because dm-crypt uses symmetric encryption, this means
that anyone who gets their hands on this key will be able to
decrypt the linode.img file.  Then again, anyone who's able to
read the key probably has access to the server itself, so this may
be acceptable.

After step #5, we should be able to take the linode.img file,
mount it (either over a network or locally) on any Linux system
supporting dm-crypt using the symmetric key, and get to the
backed-up files inside.

This wiki page looks like a decent reference for everything but
the sshfs part <http://wiki.centos.org/HowTos/EncryptedFilesystem>.

It seems to me that the path forward is then as follows.

A. Write up a script that does steps #1-5.

B. Create the symmetric encryption key - place it on the server
and distribute it to trusted WPLUGers for safekeeping.  Also
create a restore script for recovering files from the image.

C. Set up an account and ssh public key on Bill's machine.

D. Create a smallish test image file on his machine and verify
that the numbered steps above indeed work by backing up a portion
of the server's filesystem.  Check that rsyncing results in only
the changes being transferred over the network.

E. Create the full-sized linode.img on Bill's machine and do a
backup using the script from A.  Verify that performance is
acceptable (i.e., that it doesn't take 24h or something similarly
ridiculous to complete).

F. Verify that the files can be restored from the saved image with
the key and script from B.  I can buy a separate Linode 360 and
try to restore onto that.  Since they'll give a prorated refund
for the portion of the month I don't use, it should only cost a
few bucks to try out and would be a good simulation of disaster
recovery.

G. Set up a cron job (how often?) to periodically connect to
Bill's machine and run the script from A.

H. Recruit others to serve as alternate backup hosts.  All they
should need is a broadband connection, sshd, and a filesystem
capable of holding a ~5GB file.

Am I missing anything?  Who can start on step A?

Vance Kochenderfer        |  "Get me out of these ropes and into a
vkochend at nyx.net          |   good belt of Scotch"    -Nick Danger
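
Steps #1-5 of the message above, sketched as an added example (not part of the original post and not WPLUG's actual script): each layer is brought up in order, released in reverse order even if a later step fails, and the run is refused unless the key file is readable by its owner only. The key-file path, the LUKS image format, and the function names are assumptions; hosts, paths and the mapping name are taken from the post.

```shell
# Added example. Hosts, paths and the mapping name come from the post;
# the key-file path and the LUKS image format are assumptions.
REMOTE="wplug@bill.example.com:"
SSHFS_MNT=/mnt/wmoran
LOOP=/dev/loop0
MAPPER=wmoranfs
BACKUP_MNT=/mnt/backup1
SOURCES="/var/lib/mailman /var/lib/mysql"
KEYFILE="${KEYFILE:-/root/wplug-backup.key}"  # assumed key location
DRY_RUN="${DRY_RUN:-1}"                       # 1 = only print the commands
UNDO=""                                       # teardown commands, newest first

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Bring up one layer; record its undo command only if the layer came up.
layer() {
  _undo="$1"; shift
  run "$@" || return 1
  UNDO="$_undo
$UNDO"
}

# Release layers newest-first so no mapping or mount is left behind.
teardown() {
  while IFS= read -r _cmd; do
    if [ -n "$_cmd" ]; then run $_cmd </dev/null; fi
  done <<EOF
$UNDO
EOF
  UNDO=""
}

# The key decrypts every copy of linode.img: accept only owner-only modes.
key_ok() {
  [ -f "$1" ] || return 1
  case "$(ls -ld "$1")" in -r?-------*) return 0 ;; *) return 1 ;; esac
}

backup() {
  key_ok "$KEYFILE" || { echo "refusing key file: $KEYFILE" >&2; return 2; }
  _rc=0
  layer "fusermount -u $SSHFS_MNT" sshfs "$REMOTE" "$SSHFS_MNT" &&
  layer "losetup -d $LOOP" losetup "$LOOP" "$SSHFS_MNT/linode.img" &&
  layer "cryptsetup luksClose $MAPPER" cryptsetup --key-file "$KEYFILE" luksOpen "$LOOP" "$MAPPER" &&
  layer "umount $BACKUP_MNT" mount -t ext2 "/dev/mapper/$MAPPER" "$BACKUP_MNT" &&
  run rsync -a $SOURCES "$BACKUP_MNT/" || _rc=$?
  teardown
  return $_rc
}
```

Calling `backup` with the default DRY_RUN=1 prints the nine commands in the order they would run; a real run needs DRY_RUN=0, root, and an image that has already been formatted.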

