Is this a reasonable way to set up backups for security? Can it be improved?

ReadWriteCode asked:

  1. On the machine being backed up:
    Create limited privilege account on a production Linux VM with content to backup.

    • Account would have access to a single directory [e.g. /home/backup] and allow ssh via keys only.
    • Account would be chrooted to the /home/backup directory.
    • Account would use a restricted shell [rssh].
    • Account would be restricted via AllowUsers backup@[backup vm ip address]
  2. On the machine being backed up:
    As root generate the backups, place them where the limited privilege account can access them, and chown them to the limited privilege account.

    • Root account would have access to an encryption password/key. Copies of this key would exist on the developer/sysadmin machines and/or usb key drives. Assumption is a compromised sysadmin/dev machine = screwed. They’d be able to keylog the entry of the key passphrases and obtain copies of the keys.
    • Root account generates the backup -> compresses backup -> encrypts backup -> moves backup to /home/backup/current.tar.bz2 -> chown backup:backup
  3. On the machine collecting the backups:
    Have SSH keys for the backup account on all production machines, and just copy /home/backup/ from the source machine to the local machine.

    • Does not have encryption/decryption information.
    • Backup VM access is limited to sysadmin/dev ssh keys on their machines.

The information to be backed up isn’t unusually sensitive [public/private conversations, account passwords to the services being backed up, etc.]. It is not anything like credit cards, health info, etc.

I’m confident the rest of the backup process [restoration, frequency of backups, etc.] functions to my satisfaction.

My answer:

You should use public key encryption in this scenario, when your offsite backups are stored by a third party.

This way, the machine being backed up has only its own public key, and therefore can only create backups. You store the private key offline, and use it only for restores.

Backup solutions such as Bareos already support public-key encryption, or you could fairly easily integrate it into your existing setup with GPG.
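The scheme from the answer, as an added example (not code from the original post or its author): the production host's keyring holds only the public key, so step 2 of the question can encrypt but never read a backup, while the private key lives in an offline keyring used for restores. The recipient id, the unprotected throwaway key and the temp directories standing in for the two hosts are assumptions; it needs gpg and tar installed.

```shell
#!/bin/sh
# Added example: public-key backup encryption with GPG. Assumed (not from the
# original post): recipient "backup@example.invalid", a throwaway key with no
# passphrase, and two temp directories standing in for the offline and prod keyrings.
set -eu

WORK=$(mktemp -d)
OFFLINE="$WORK/offline"   # sysadmin's offline keyring: holds the private key
PROD="$WORK/prod"         # production host's keyring: public key only
mkdir -m 700 "$OFFLINE" "$PROD"
RCPT='backup@example.invalid'

# Offline, once: generate the keypair and hand only the public half to production.
make_keys() {
    gpg --homedir "$OFFLINE" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Backup
Name-Email: $RCPT
Expire-Date: 0
%commit
EOF
    gpg --homedir "$OFFLINE" --batch --quiet --export "$RCPT" |
        gpg --homedir "$PROD" --batch --quiet --import
}

# On the production host (root): archive, compress, encrypt to the public key.
# --trust-model always because the imported key was never signed or trusted here.
make_backup() {   # $1 = source dir, $2 = output file
    tar -czf - -C "$1" . | gpg --homedir "$PROD" --batch --quiet \
        --trust-model always --recipient "$RCPT" --encrypt --output "$2"
}

# Succeeds only where the private key lives; on the production host it must fail.
can_decrypt() {   # $1 = keyring dir, $2 = encrypted backup
    gpg --homedir "$1" --batch --quiet --decrypt "$2" >/dev/null 2>&1
}

# Restore with the offline key: prints one file from inside the archive.
restore_file() {   # $1 = encrypted backup, $2 = member path inside the archive
    gpg --homedir "$OFFLINE" --batch --quiet --decrypt "$1" | tar -xzOf - "$2"
}

mkdir "$WORK/src"; printf 'secret config\n' > "$WORK/src/app.conf"   # constructed input
make_keys
BACKUP="$WORK/current.tar.gz.gpg"
make_backup "$WORK/src" "$BACKUP"
```

A compromised production host can hand an attacker the ciphertext and the public key, but not the plaintext; the chown to backup:backup from the question follows the make_backup step unchanged.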

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.