NetBSD-Users archive


Re: Can NetBSD cgd be used for encrypted backup?



Mayuresh <mayuresh%acm.org@localhost> writes:

> On Sun, Jun 11, 2017 at 04:32:02PM +0200, Kamil Rytarowski wrote:
>> > - Can the native cgd of NetBSD be used for the purpose of encrypted
>> >   backup? Basically can I mount such filesystem in a way that it shows
>> >   encrypted files?
>> 
>> I use cgd(4) devices for encrypted backup.
>
> Alternatively one could backup the virtual file, but that's not so useful
> for cloud backup.

One could use sysutils/bup for this, or one of the bup follow-on programs
(attic?).  They use an rsync-like rolling-checksum algorithm to
deduplicate fragments of large files.  So in theory if you rsync your
main filesystem to the filesystem within the cgd, running bup should not
create vast incremental output.

cgd works very well for, e.g., encrypting an entire 1T disk.  This is
great for taking a disk offsite and bringing it back occasionally to
write new backups (times N, rotating).  But I realize that's not what
you are talking about.

Comparing encfs to cgd, the big issues are

 - stability of codebase to be able to get your bits back much later (?,
   but cgd seems like it has been quite stable.  But it's NetBSD only
   AFAIK.)

 - exposing the structure of your filesystem such as the histogram of
   file sizes, directory organization, and when various parts were
   updated (cgd wins)

 - having ciphertext size scale with size of plaintext easily (encfs
   wins)

I would be tempted to try an encfs filesystem, but to use bup and put
the BUPDIR in the encfs.  So what would be stored would be git-format
packfiles, which contain the structure of your fs but don't betray it in
their size.  Or you could use dump, but the nice thing about things like
bup is that the subsequent backups are both fast and small.  Yet they
can be restored straightforwardly.

I have the impression some bup-like programs have builtin
application-layer encryption.  I at first thought this was unreasonable
and something like encfs should be used, but having seen the history of
encfs being broken in pkgsrc for so long, having the encryption for
packfiles could be a good choice, given that the encryption part is
vastly simpler than the FUSE/VFS part.

Attachment: signature.asc
Description: PGP signature
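
An added example, not part of the original message and not bup's own code: a simplified rsync-style rolling-checksum chunker, run over a constructed stand-in for an encrypted disk image, showing why a small in-place change costs a deduplicating store only a chunk or two. Assumptions: the image is modeled as random bytes with one 512-byte sector rewritten in place, and the 64-byte window and 13-bit split mask are illustrative parameters.

```python
import hashlib
import random

WINDOW = 64                     # bytes covered by the rolling sum (illustrative)
SPLIT_BITS = 13                 # cut when low 13 bits are all ones: ~8 KiB chunks
MASK = (1 << SPLIT_BITS) - 1

def chunks(data):
    """Cut data at content-defined boundaries using an rsync-style rolling sum."""
    out, start, s1, s2 = [], 0, 0, 0
    for i, byte in enumerate(data):
        old = data[i - WINDOW] if i >= WINDOW else 0
        s1 = (s1 + byte - old) & 0xFFFF             # sum of bytes in the window
        s2 = (s2 + s1 - WINDOW * old) & 0xFFFF      # position-weighted sum
        if (s2 & MASK) == MASK:                     # depends only on the last 64 bytes
            out.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        out.append(data[start:])
    return out

def incremental_cost(old, new):
    """Return (new chunks, new bytes, total chunks) a dedup store adds for `new`."""
    store = {hashlib.sha256(c).digest() for c in chunks(old)}
    pieces = chunks(new)
    fresh = [c for c in pieces if hashlib.sha256(c).digest() not in store]
    return len(fresh), sum(len(c) for c in fresh), len(pieces)

def demo():
    rng = random.Random(2017)   # constructed sample data, not a real cgd image
    size = 512 * 1024
    image = rng.getrandbits(size * 8).to_bytes(size, "little")
    sector = rng.getrandbits(512 * 8).to_bytes(512, "little")
    offset = 300 * 512          # one sector rewritten in place
    updated = image[:offset] + sector + image[offset + 512:]
    return incremental_cost(image, updated)

if __name__ == "__main__":
    count, nbytes, total = demo()
    print(f"{count} of {total} chunks are new ({nbytes} bytes to store)")
```

Because each cut depends only on the preceding 64 bytes, the boundaries line up again shortly after the changed sector and every later chunk hashes to a value already in the store.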


