you don't reboot a server
And the server might be at his some attached with keyboard
I currently have physical access to the server, but that's not always the case (it's in California and I upgraded it from Debian sarge to etch while I was living in East Africa over SSH). Soon I'll be living out of state again.
True, the only time the server is down is after power outages, but it is in California, and with the summer coming, it will happen at least once.
Currently it boots headless fine; the most I can expect is to have someone power cycle it if necessary.
Hester: 12.04 Desktop x64 | Core i5-2540M @ 2.6 GHz | 16GB DDR3 | 80GB SSD + 256GB SSD
Cortana: 12.04 Desktop x86 | Atom N270 @ 1.6 GHz | 2GB DDR2 | 32GB SSD
Horatio: 12.04 Server x64 | Atom N330 @ 1.6 GHz | 1GB DDR2 | 2.5TB
That isn't always the case with mine. There have been lots of times I have rebooted my (development) server. Also, we have some pretty violent storms around here, which also require powering it down.
If I were to encrypt the whole drive, I don't see how I could enter the password to unlock the drive without plugging a keyboard and monitor into it.
Lucky for me though, my server sits right beside my desk.
"Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
Linux User #441960 | Wiki: DrSmall
duplicity would be perfect for you, because I currently back up my data to a server via SSH, and I like the backups to be encrypted because the server is off-site.
duplicity
1. splits files into manageable file sizes
2. uses rsync to make incremental backups small
3. encrypts files using GnuPG (either password, or public key)
4. transfers files via: scp/ssh, ftp, rsync, HSI, WebDAV, and Amazon S3
rsyncrypto... scriptable, seamless and lightweight.
http://rsyncrypto.wiki.sourceforge.net/
I've attached the shell script I made, one version that transfers a keyfile to decrypt the remote volume, one that just prompts for a password.
rsync+ssh+dmcrypt&keyfile and a well managed /etc/sudoers means complete automation. I appreciate any feedback on the scripts (they're pretty short).
I misspoke/understood before when I said I want "incremental" backups: what I want is the rsync method of only transferring what is saved to update the remote files, not a "base" backup with a chain of compressed diffs (à la tar).
So that means duplicity is out.
As for rsyncrypto:
"Rsyncrypto does, however, do one thing differently. It changes the encryption schema from plain CBC to a slightly modified version. This modification ensures that two almost identical files, such as the same file before and after a change, when encrypted using rsyncrypto and the same key, will produce almost identical encrypted files. This means that both objectives can be achieved simultaneously."
Ummm, makes me nervous.
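The trade-off in the rsyncrypto quote above, as an added example that is not part of the thread and not rsyncrypto's code: a simplified model comparing plain CBC with a CBC variant that restarts its chain at plaintext-dependent points, counting how many ciphertext blocks survive a one-byte edit. Assumptions: the toy Feistel cipher stands in for AES, the block-aligned byte-sum trigger stands in for rsyncrypto's actual decision function, and all names, the key and the sample data are constructed here.

```python
import hashlib

BLOCK = 16
KEY, IV = b"constructed-demo-key", bytes(BLOCK)  # constructed values

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key, block):
    # 4-round Feistel network over SHA-256: a stand-in for AES, not secure.
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_encrypt(key, iv, data, reset_iv=False):
    # data length must be a multiple of BLOCK (no padding in this model).
    out, prev = [], iv
    for off in range(0, len(data), BLOCK):
        plain = data[off:off + BLOCK]
        prev = toy_encrypt_block(key, xor(plain, prev))
        out.append(prev)
        # Assumed trigger: restart the chain when the plaintext block's
        # byte sum is a multiple of 8 (about one block in eight).
        if reset_iv and sum(plain) % 8 == 0:
            prev = iv
    return out

def sample_versions():
    # Constructed 4096-byte "file" and a copy with one byte flipped in block 125.
    v1 = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    v2 = bytearray(v1)
    v2[2000] ^= 0xFF
    return v1, bytes(v2)

def unchanged_blocks(reset_iv):
    # Number of ciphertext blocks identical between the two versions.
    v1, v2 = sample_versions()
    a = cbc_encrypt(KEY, IV, v1, reset_iv)
    b = cbc_encrypt(KEY, IV, v2, reset_iv)
    return sum(x == y for x, y in zip(a, b))

if __name__ == "__main__":
    print("plain CBC, same key and IV:", unchanged_blocks(False), "of 256 unchanged")
    print("CBC with chain reset:      ", unchanged_blocks(True), "of 256 unchanged")
```

With plain CBC every block from the edit onward changes, so rsync has to resend the rest of the file; with the reset, the ciphertext re-synchronizes shortly after the edit. The same property means anyone who can compare two snapshots on the backup host learns roughly where a file changed and how much of it stayed the same.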
My server has 1 encrypted partition, which I mount after boot. It's got a LUKS password container in there. The partition is thus always mounted and could be breached if someone entered the headless server without interrupting the power supply. I think this is rather unlikely though.