[H-GEN] Excalibur patches for S3 backup

Raymond Smith raymond at humbug.org.au
Sun Jul 5 20:16:52 EDT 2009


Hi Russell,

2009/7/5 Russell Stuart <russell-humbug at stuart.id.au>:
> This patch creates two backups of the excalibur VM:
>
> 1.  The "secret" backup contains just the files with sensitive
> information, such as passwords.  It is GPG encrypted using the keys
> present in /etc/rdiff-image/gpg-keys/.
>
> 2.  The "base" backup is an image of the entire VM, but with all
> passwords [2] changed to "x".  Because the passwords have been replaced
> as opposed to being removed entirely, this backup can be used to
> re-create the VM so it can be worked on, improved, and the resulting
> patches posted here for review and inclusion.  Because it contains no
> sensitive information anyone can do this and contribute to its
> development.  Indeed, as I don't have an account on excalibur,
> that is how this patch was developed.

How confident are we really that all sensitive data has been scrubbed
from these images? For example, what about passwords in the wiki?
What about registry keys stored in comments in DNS zone files? What
about SSH public keys (while not strictly sensitive, I don't know if I
really want everyone to have a copy all the same -- "So Mr Smith, your
SSH key was found on this server. Would you like to explain that....")?

I am still not comfortable with this idea of having the backups available
to all comers via HTTP. I would be much, much happier if there were
some minimum level of control over this.

Alternatively, perhaps we could invert the public backup. What if instead
of a backup this was the base image? That is, we have a base image
which is read-only available and write-only to sysadmins. Anyone can
mess with the image and submit a patch. The sysadmin team then
approves and applies or rejects the patch. At some point a cron job rolls
out changes from the patch onto the main system. Files containing
"sensitive" data would either be excluded from the patch process or we
could try for clever mergey stuff.

> These backups are then made available at a URL on www.humbug.org.au, and
> are sent to an Amazon S3 account.  The current configuration [3] holds
> on Amazon 24 hourly backups, 7 daily backups, 5 weekly backups and 6
> monthly backups.

This is great work, and I commend you on it!

> At the moment the S3 account being used is one I have created and
> am paying for.  Its name is humbug-excalibur-backup.  Credentials
> to access the backup will be sent to Stephen in a separate email.
> He will have to put them in the rdiff-image configuration file
> on excalibur.  They will be backed up to the secret backup, of
> course.

These need to be stored somewhere that all members of the sysadmin
team can access even in the event of a complete meltdown. We used
to do this by putting stuff on hydra and caliburn. It would make sense
for individuals to keep their own records as well.

Cheers,

Raymond
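The question above, whether the "base" image really contains no sensitive data after passwords have been replaced with "x", is one a second, independent pass can answer. The following is an added example written for this thread; it is not part of rdiff-image or of the Excalibur patches, and the file names, contents and secret patterns are constructed for illustration. It scrubs password-style assignments the way the base backup does, then audits the scrubbed tree for material the scrub does not touch, such as a password written in wiki prose or an SSH public key in an authorized_keys file.

```python
"""Scrub password values out of a VM image tree, then audit the result for
residual secrets.  Example code for this discussion, not part of rdiff-image
or the Excalibur patches.  All sample files below are constructed."""
import re
import shutil
import tempfile
from pathlib import Path

# key = value / key: value assignments whose value should become "x".
ASSIGNMENT = re.compile(
    r'(?P<prefix>\b(?:password|passwd|secret)\s*[=:]\s*)(?P<value>\S+)',
    re.IGNORECASE,
)

# Things that must not survive in a publicly readable base image.  Extend
# this table with the formats actually present on the host (assumption:
# these four cover the cases raised in the thread).
AUDIT_PATTERNS = {
    "unscrubbed_assignment": re.compile(
        r'\b(?:password|passwd|secret)\s*[=:]\s*(?!x\b)\S+', re.IGNORECASE),
    "password_in_prose": re.compile(
        r'\bpassword\s+(?:is|was)\s+\S+', re.IGNORECASE),
    "ssh_public_key": re.compile(
        r'\bssh-(?:rsa|dss|ed25519)\s+AAAA[0-9A-Za-z+/=]+'),
    "private_key_block": re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----'),
}


def scrub_text(text: str) -> str:
    """Replace the value of every password-like assignment with "x"."""
    return ASSIGNMENT.sub(lambda m: m.group("prefix") + "x", text)


def audit_text(text: str) -> list[str]:
    """Return the names of every audit pattern that still matches."""
    return [name for name, pat in AUDIT_PATTERNS.items() if pat.search(text)]


def scrub_tree(src: Path, dst: Path) -> int:
    """Copy src to dst, scrubbing every text file.  Returns files copied."""
    count = 0
    for path in src.rglob("*"):
        if not path.is_file():
            continue
        target = dst / path.relative_to(src)
        target.parent.mkdir(parents=True, exist_ok=True)
        try:
            target.write_text(scrub_text(path.read_text(encoding="utf-8")),
                              encoding="utf-8")
        except UnicodeDecodeError:
            # Binary file: copied unchanged; it needs a separate review.
            shutil.copy2(path, target)
        count += 1
    return count


def audit_tree(root: Path) -> dict[str, list[str]]:
    """Map relative path -> findings for every file with a residual secret."""
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            hits = audit_text(path.read_text(encoding="utf-8"))
        except UnicodeDecodeError:
            continue
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


def run_demo() -> tuple[int, dict[str, list[str]]]:
    """Build a constructed image tree, scrub it, and audit the scrubbed copy."""
    tmp = Path(tempfile.mkdtemp())
    try:
        src, dst = tmp / "image", tmp / "base"
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("db_user = app\npassword = hunter2\n")
        (src / "wiki").mkdir()
        (src / "wiki" / "Setup.txt").write_text(
            "The router password is letmein, ask Bob.\n")
        (src / "home").mkdir()
        (src / "home" / "authorized_keys").write_text(
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAA user@example\n")
        copied = scrub_tree(src, dst)
        return copied, audit_tree(dst)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    copied, findings = run_demo()
    print(f"{copied} files copied; residual secrets: {findings}")
```

The scrub handles app.conf, but the audit still reports the wiki page and the authorized_keys file, which is exactly the gap the question above points at: a scrub keyed on configuration syntax says nothing about secrets recorded in free text or in key material, so the audit needs its own pattern list and should be run over the base image before it is published.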
