- On the machine being backed up:
Create limited privilege account on a production Linux VM with content to backup.
- Account would have access to a single direct [e.g. /home/backup] and allow ssh via keys only.
- Account would be chrooted to the /home/backup directory.
- Account would be restricted shell [ rssh ]
- Account would be restricted via AllowUsers backup@[backup vm ip address]
- On the machine being backed up
rootgenerate the backups, place them where the limited privilege account can access them, and
chownthem to the limited privilege account.
- Root account would have access to an encryption password/key. Copies of this key would exist on the developer/sysadmin machines and/or usb key drives. Assumption is a compromised sysadmin/dev machine = screwed. They’d be able to keylog the entry of the key passphrases and obtain copies of the keys.
- Root account generates the backup -> compresses backup -> encrypts backup -> moves backup to /home/backup/current.tar.bz2 -> chown backup:backup
- On the machine collecting the backups
Have SSH keys for the backup account on all production machines, and just copy
/home/backup/current.zipfrom the source machine to the local machine.
- Does not have encryption/decryption information.
- Backup VM access is limited to sysadmin/dev ssh keys on their machines.
The information to be backed up isn’t unusually sensitive [public/private conversations, account passwords to the services being backed up, etc.]. It is not anything like credit cards, health info, etc.
I’m confident the rest of the backup process [restoration, frequency of backups, etc.] functions to my satisfaction.
You should use public key encryption in this scenario, when your offsite backups are stored by a third party.
This way, the machine being backed up has only its own public key, and therefore can only create backups. You store the private key offline, and use it only for restores.
Backup solutions such as Bareos already support public-key encryption, or you could fairly easily integrate it into your existing setup with GPG.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.