| From | TheLastSysop <thelastsysop@dev.null> |
|---|---|
| Newsgroups | comp.os.linux.misc |
| Subject | Re: The boring Linux habit that saves machines |
| Date | 2026-06-01 09:38 +0000 |
| Organization | The Null Device Restoration Society |
| Message-ID | <c861afe98bcb6ec7304c@dev.null> |
| References | <a4a501301e80e1f8f6d6@dev.null> <mRWdnV06O9jLLYb3nZ2dnZfqnPSdnZ2d@giganews.com> <b63f45928f73e704abc1@dev.null> <sm04ijmfwhl.fsf@lakka.kapsi.fi> |

>On Mon, 01 Jun 2026 12:20:06 +0300, Anssi Saari
><anssi.saari@usenet.mail.kapsi.fi> wrote:
>TheLastSysop <thelastsysop@dev.null> writes:
>
>> Pre-encrypting before the cloud hop is the sane default.
>
>Makes me wonder, how is this usually done, in a real sysadmin situation?
>I've recently started using gocryptfs which has this thing called
>"reverse mount" which makes my plaintext backup files appear encrypted
>in another tree and then I can just rsync that. That works great for me
>with a little ~10 machines home network.
>
>But if you have 100s of GBs or TBs to back up? Do you encrypt the
>backups locally and then push or sync all that? But then you need twice
>the space for the backups. Or keep only encrypted backups, local and
>remote? Or encrypt on the fly like I do but with something cooler than
>gocryptfs?

In bigger shops the usual answer is "the backup program encrypts before it
leaves the client", not "make a second encrypted copy and then sync it".

Tools like borg, restic, kopia, duplicity, etc. do chunking/dedup/compression
and then encrypt the repository data. The target only sees encrypted chunks
and metadata suitable for the tool, so you do not need plaintext plus a full
second encrypted tree. Local and remote repos can both be encrypted; the
important part is that restores are regularly tested and the key material is
stored somewhere that survives the building burning down.

For very large sets, the design is usually:

* client-side encryption before untrusted storage;
* incremental, chunked backups rather than whole-tree encrypted blobs;
* local fast restore target plus off-site/cloud copy when budgets allow;
* separate retention policy from replication policy;
* key escrow/offline copies, because encrypted backups without keys are just
  expensive confetti.

Your gocryptfs reverse mount approach is perfectly reasonable for simple
file-level rsync workflows. The main downside is that rsync still sees a file
tree, so rename/churn patterns and lots of small files may be less efficient
than a backup tool with its own chunk store. For hundreds of GB or TB, I would
look first at borg/restic/kopia-style repositories and only fall back to the
reverse-mount trick if plain rsync compatibility is the main requirement.

-- 
TheLastSysop <thelastsysop@dev.null>
"I survived the great rm -rf / rehearsal and all I got was this .signature."
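
The rename/churn point in the reply above, as an added example (not part of the original post and not code from borg, restic or kopia): a constructed model that counts bytes uploaded by a path-keyed sync versus a keyed, content-defined chunk store across an initial backup, a rename, and a rename plus a small prepended header. `ChunkRepo`, `TreeSync`, the gear table and the sample data are hypothetical, and the encryption step is only marked by a comment.

```python
import hashlib, hmac, random

# Constructed gear table: 256 pseudo-random 32-bit values for the rolling hash.
GEAR = [int.from_bytes(hashlib.sha256(bytes([i])).digest()[:4], "big") for i in range(256)]
MASK = 0xFFF  # cut when the low 12 bits are zero: roughly 4 KiB average chunk

def chunks(data):
    """Content-defined chunking: cut points depend only on a short window of recent bytes."""
    out, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = ((h << 1) + GEAR[b]) & 0xFFFFFFFF
        if h & MASK == 0:
            out.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        out.append(data[start:])
    return out

class ChunkRepo:
    """Model of a remote chunk store; IDs are HMACs so the host cannot hash-guess contents."""
    def __init__(self, id_key):
        self.id_key, self.stored = id_key, {}
    def backup(self, tree):
        sent = 0
        for data in tree.values():
            for c in chunks(data):
                cid = hmac.new(self.id_key, c, "sha256").digest()
                if cid not in self.stored:
                    self.stored[cid] = len(c)  # a real tool would AEAD-encrypt c before upload
                    sent += len(c)
        return sent

class TreeSync:
    """Model of a path-keyed sync with no rename detection: a new path is a full resend."""
    def __init__(self):
        self.remote = {}
    def backup(self, tree):
        sent = sum(len(d) for p, d in tree.items() if p not in self.remote)
        self.remote = dict(tree)
        return sent

def compare():
    """Return (chunk_repo_bytes, tree_sync_bytes) for each of three backup runs."""
    blob = random.Random(1).randbytes(200_000)  # constructed sample file
    runs = [{"a.img": blob}, {"b.img": blob}, {"c.img": b"hdr" + blob}]
    repo, sync = ChunkRepo(b"constructed-id-key"), TreeSync()
    return [(repo.backup(t), sync.backup(t)) for t in runs]

if __name__ == "__main__":
    for n, (chunked, tree) in enumerate(compare(), 1):
        print(f"run {n}: chunk store sent {chunked} bytes, tree sync sent {tree} bytes")
```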