On Tue, May 07, 2013 at 03:34:09PM -0300, André Nunes Batista wrote:

> I do not know your level of expertise and if your somewhat abstract
> description of the trust issue is a demonstration of high-level
> understanding of Unix file system tree + encryption + networks or just
> playful thought.
I spent a while looking around with find -perm and concluded that there
are lots of world-unreadable files that need no very special treatment --
in fact, just leaving them out of the backup would do fine -- things like
browser caches. Using find -perm to make a list of files to be encrypted
and feeding it into rsync-backup doesn't look great. I wonder just how
many exceptions rdiff-backup will tolerate. Hundreds of thousands?

> That in mind, if you are not running a cluster of servers, it would be
> doable using duplicity and the list of "public" directories or rather
> "private" ones. That, assuming you at least have a vague idea of which
> files you wish to remain unencrypted/encrypted and are not looking for a
> file permissions aware general solution. For this, you could use
> duplicity --include "$SHELL_PATTERN" or --exclude "$SHELL_PATTERN".

It looks as if I'm going to have to identify the private things
explicitly, by hand. And I'll probably miss one and have a potential
security leak.

Let's see. Private keys are kept by ssh, by monotone, ... maybe a few
more. monotone keeps them encrypted with a passphrase, so that's already
OK. Except in the monotone server, where it's kept in a read-protected
script. Not so sure of ssh. Where does it keep the stuff?

And the browsers have password stores. How do they keep the passwords
out of sight? Or do they? Chromium asked me for a password to access the
password store. But I don't remember firefox doing the same.

> BTW, duplicity uses rdiff as a backend so if you wish to keep previous
> rdiff backups,

rdiff-backup keeps old and new backups using some kind of backward
differencing. It's not just a matter of using rdiff or rsync to copy
things over.

> I am guessing you could make duplicity aware of them, but
> this is just a wild guess.
> --
> André Nunes Batista
>
> > From: Hendrik Boom <hend...@topoi.pooq.com>
> > Subject: Re: Partially encrypted backup?
> > Date: Tue, 7 May 2013 14:09:08 +0000 (UTC)
> >
> > On Mon, 06 May 2013 15:03:59 -0400, Celejar wrote:
> >
> > > On Mon, 6 May 2013 16:15:56 +0000 (UTC)
> > > Hendrik Boom <hend...@topoi.pooq.com> wrote:
> > >
> > >> I'm currently using rdiff-backup onto removable USB drives for backup.
> > >> I do not encrypt them now because I'm terrified of losing the
> > >> encryption key and hence losing access to my backups.
> > >>
> > >> I'm planning to trade backup drives with an acquaintance for off-site
> > >> backups. I trust her, but I don't trust every random person who
> > >> lives in her house or visits.
> > >>
> > >> Is there any way of doing the backup partially encrypted so that files
> > >> are encrypted only if not world-readable?
> > > Perhaps use the 'find' command with the '-perm' argument to generate
> > > lists of files that are and are not world readable, and pipe the outputs
> > > to the backup program with the appropriate invocations? I'm not a find
> > > guru, so I won't try to give the syntax, and I can't judge the level of
> > > performance hit that doing it this way will engender.
> >
> > hendrik@april:~$ find . ! -perm /044 | wc
> > 35299 39286 1503506
> > hendrik@april:~$
> >
> > There seem to be rather a lot of them.
> >
> > A lot seem to be cached stuff from browsers and other programs, which
> > don't need to be backed up at all, let alone encrypted. But there are
> > files containing ssh IDs and the like, private keys for digital
> > signatures, and those really do need to be backed up, but not in
> > plaintext. Where do the browsers keep this information? What other
> > programs keep this kind of information?
> >
> > -- hendrik
> >
> > --
> > To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> > Archive: http://lists.debian.org/kmb1u3$juc$1...@ger.gmane.org

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130508012453.ga5...@topoi.pooq.com
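The permission-driven split the thread is circling, as an added example in POSIX sh; this is not code from the thread, from rdiff-backup or from duplicity. It assumes GNU find, tar, sort and comm, plus rsync and gpg 2.1+; the SKIP_DIR value, the function names and the passphrase-file convention are my own choices. It goes one step beyond a bare "find ! -perm" test: a file counts as public only if it is world-readable and every directory below the root on the way to it is world-searchable, because a 0644 id_ed25519.pub sitting in a 0700 ~/.ssh is unreadable to anyone else on the live system and therefore belongs in the encrypted set. (Note also that the "/044" test quoted above matches files lacking both group and other read bits; this example looks at the other bit alone.)

```shell
#!/bin/sh
# Added example, not code from the thread. Split a tree into files a
# stranger could read on the live system anyway ("public") and the rest
# ("private"), then back up the public set in plaintext and the private
# set as one symmetrically encrypted tar stream.
# Assumes GNU find/tar/sort/comm, rsync and gpg 2.1+. SKIP_DIR and the
# function names are my own conventions, not anything from the thread.

# Directory name that needs no backup at all (browser and app caches).
SKIP_DIR='.cache'

# list_public ROOT: paths relative to ROOT, one per line, sorted.
# A directory without o+x hides its whole subtree from other users, so
# -prune stops the descent there; a file additionally needs o+r itself.
# -mindepth 1 keeps ROOT's own mode out of the decision.
list_public() {
    ( cd "$1" && find . -mindepth 1 \
        \( -type d \( -name "$SKIP_DIR" -o ! -perm -001 \) -prune \) \
        -o -type f -perm -004 -print ) | LC_ALL=C sort
}

# list_all ROOT: every regular file under ROOT except the skipped caches.
list_all() {
    ( cd "$1" && find . -mindepth 1 \
        \( -type d -name "$SKIP_DIR" -prune \) \
        -o -type f -print ) | LC_ALL=C sort
}

# list_private ROOT: all minus public. Both inputs are sorted under the
# same locale so comm can diff them line by line. Caveat: the lists are
# newline-separated, so a filename containing a newline would be split.
list_private() {
    _pub=$(mktemp) || return 1
    list_public "$1" > "$_pub"
    list_all "$1" | LC_ALL=C comm -23 - "$_pub"
    rm -f "$_pub"
}

# count_private ROOT: how many files would end up in the encrypted set
# (the "how many exceptions" question from the thread).
count_private() {
    list_private "$1" | wc -l | tr -d ' '
}

# backup_public ROOT DEST: plaintext copy of the public set only.
backup_public() {
    list_public "$1" | rsync -a --files-from=- "$1/" "$2/"
}

# backup_private ROOT OUT.tar.gpg PASSFILE: tar the private set and
# encrypt it with a passphrase read from PASSFILE (mode 0600, kept off
# the backup medium). Symmetric, so what unlocks the backups is a
# passphrase you can write down and store separately, not a keypair.
backup_private() {
    list_private "$1" | ( cd "$1" && tar -cf - -T - ) \
      | gpg --batch --yes --pinentry-mode loopback --passphrase-file "$3" \
            --symmetric --cipher-algo AES256 -o "$2"
}

# Usage: sh split-backup.sh ROOT DEST PASSFILE
if [ $# -eq 3 ]; then
    echo "private files: $(count_private "$1")" >&2
    backup_public "$1" "$2/public"
    backup_private "$1" "$2/private.tar.gpg" "$3"
fi
```

Run it against a home directory first with only count_private and eyeball list_private: anything that shows up there but is really a cache can be added to the prune expression, and anything that is missing (a key file that happens to be 0644 in a 0755 directory) is a permission bug on the live system worth fixing before it is a backup problem.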