NetBSD-Users archive


Re: Can NetBSD cgd be used for encrypted backup?



On Sun, Jun 11, 2017 at 09:27:25PM +0530, Mayuresh wrote:
> On Sun, Jun 11, 2017 at 04:32:02PM +0200, Kamil Rytarowski wrote:
> > > - Can the native cgd of NetBSD be used for the purpose of encrypted
> > >   backup? Basically can I mount such filesystem in a way that it shows
> > >   encrypted files?
> > > 
> > 
> > I use cgd(4) devices for encrypted backup.
> 
> Ok, you mean, I can mount it such that it shows encrypted files?

cgd is an encrypted disk, not a file system. It encrypts/decrypts disk
blocks when reading/writing, it does not know about files at all.

I have used cgd for remote encrypted backups in the past:

 - remote offers a "partition" as iscsi device
 - via iscsi the remote partition shows up as (say) sd0 on my machine
 - I (locally) configure cgd to use sd0c (or sd0d)
 - all crypto setup stays local, remote has no way to decrypt the data
 - when doing a backup I bring up iscsi, configure cgd, mount the cgd
   disk and rsync all changes over, then unconfigure cgd and disconnect
   iscsi

In my case it was a company setup, I had to comply with "need to have
automatic backups at *this* facility" policy, but I did not trust admins
at that facility. I kept a printout of the cgd setup in an off-site safe.

There are certainly various other ways to do something similar.

Martin
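
The backup run described in the message above, sketched as a shell script that always tears down in reverse order, so the decrypted cgd device never stays configured after a failed step. This is an added example, not the poster's script. The iSCSI hook scripts, parameters file path, mount point, source directory and the `cgd0a` partition are assumptions; with `DRY_RUN=1` (the default) it only prints the commands.

```sh
#!/bin/sh
# Added example: cgd-over-iSCSI backup run. Every path below is an assumption.
CGD=cgd0                            # cgd unit to configure
DISK=/dev/sd0d                      # remote iSCSI partition as seen locally
PARAMS=/etc/cgd/sd0d                # cgd parameters file; stays on this machine
MNT=/mnt/backup                     # where the decrypted view is mounted
SRC=/home/                          # data to back up
ISCSI_UP=/usr/local/sbin/iscsi-up       # hypothetical site script: log in to target
ISCSI_DOWN=/usr/local/sbin/iscsi-down   # hypothetical site script: log out again
DRY_RUN=${DRY_RUN:-1}               # 1 = print the commands, 0 = execute them

run() {                             # print in dry-run mode, execute otherwise
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

teardown() {                        # undo only what was set up, newest first
    if [ "$stage" -ge 3 ]; then run umount "$MNT"; fi
    if [ "$stage" -ge 2 ]; then run cgdconfig -u "$CGD"; fi
    if [ "$stage" -ge 1 ]; then run "$ISCSI_DOWN"; fi
    stage=0
}

backup() {
    stage=0
    rc=0
    # Each step runs only if the previous one succeeded; stage records progress.
    run "$ISCSI_UP"                         && stage=1 &&
    run cgdconfig "$CGD" "$DISK" "$PARAMS"  && stage=2 &&
    run mount "/dev/${CGD}a" "$MNT"         && stage=3 &&
    run rsync -a "$SRC" "$MNT/"             || rc=$?
    teardown                        # runs on success and on any failure
    return "$rc"
}

backup                              # prints the plan unless DRY_RUN=0 is set
```

Only ciphertext blocks cross the iSCSI link; the parameters file and passphrase are used by `cgdconfig` on the local machine.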

